4

I'm trying to convert a string into an NTLM hash. From what I understand you just have to convert the characters in the string to Unicode, format it to little endian and then hash it with the MD4 algorithm. I tried both little and big endian but haven't had any luck. This is what I've got so far:

hello
0068 0065 006C 006C 006F
006F 006C 006C 0065 0068
0x0068 0x0065 0x006C 0x006C 0x006F
0x006F 0x006C 0x006C 0x0065 0x0068

Of course I tried them without the white spaces. I got the info from here and here, the character from the table here and used this encrypter, but without good results.

What I want is someone to give me a good example of the string "hello" in Unicode format and the right conversion to little endian, in other words, prep that string to be encrypted to MD4 so I can get the right NTLM hash.

Anders
  • 64,406
  • 24
  • 178
  • 215
  • I found this but still not working https://books.google.com.sv/books?id=unIx0fWdMUgC&pg=PA17&lpg=PA17&dq=MD4+of+the+little+endian+UTF-16+Unicode&source=bl&ots=KUnciTHSsd&sig=lYRxWSt2ngkEuX7czY4P7REGhx0&hl=en&sa=X&ved=0ahUKEwiSsM3Qyc7NAhXLKB4KHWzLAycQ6AEIJDAD#v=onepage&q=MD4%20of%20the%20little%20endian%20UTF-16%20Unicode&f=false – Manuel Hernandez Jun 30 '16 at 01:41
  • If you're comfortable with Javascript, you may want to simply modify the scripts used by [this website](https://www.tobtu.com/lmntlm.php) and print console messages after each step. This is the [JS file](https://www.tobtu.com/js/hashgen.js?2) – Jedi Jul 01 '16 at 02:55

2 Answers

1

Another option is this super simple Python snippet I use all the time:

```python
import hashlib

# 'md4' comes from OpenSSL; builds using OpenSSL 3 without the legacy provider
# raise ValueError ("unsupported hash type") here.
print(hashlib.new('md4', 'password'.encode('utf-16le')).hexdigest())
```

Notice the NT hash is a simple MD4 hash on a little-endian encoded UTF16 password; this script encapsulates this logic well.

Jonathan Allon
  • 721
  • 3
  • 14
0

From https://myotherpcisacloud.com/post/getmd4hash

Function Get-MD4Hash
{
<#
.SYNOPSIS
    This cmdlet returns the MD4 hash of the data that is input.
    WARNING: MD4 is not secure, so it should NEVER be used to 
    protect sensitive data. This cmdlet is for research purposes only!

.DESCRIPTION
    This cmdlet returns the MD4 hash of the data that is input.
    WARNING: MD4 is not secure, so it should NEVER be used to 
    protect sensitive data. This cmdlet is for research purposes only!
    This cmdlet uses Microsoft's implementation of MD4, exported 
    from bcrypt.dll. The implementation is fully compliant with
    RFC 1320. This cmdlet takes a byte array as input, not a string.
    So if you wanted to hash a string (such as a password,) you 
    need to convert it to a byte array first.

.EXAMPLE
    Get-MD4Hash -DataToHash $([Text.Encoding]::Unicode.GetBytes("YourPassword1!"))

.PARAMETER DataToHash
    A byte array that represents the data that you want to hash.

.INPUTS
    A byte array containing the data you wish to hash.

.OUTPUTS
    A 128-bit hexadecimal string - the MD4 hash of your data.

.NOTES
    Author: Ryan Ries, 2014, ryan@myotherpcisacloud.com

.LINK
    https://myotherpcisacloud.com
#>
    [CmdletBinding()]
    Param ([Parameter(Mandatory=$True, ValueFromPipeline=$False)]           
           [Byte[]]$DataToHash)
    END
    {        
        Set-StrictMode -Version Latest
        Add-Type -TypeDefinition @'
        using System;
        using System.Text;
        using System.Runtime.InteropServices;
        public class BCrypt
        {
            [DllImport("bcrypt.dll", CharSet = CharSet.Auto)]
            public static extern NTStatus BCryptOpenAlgorithmProvider(
                [Out] out IntPtr phAlgorithm,
                [In] string pszAlgId,
                [In, Optional] string pszImplementation,
                [In] UInt32 dwFlags);

            [DllImport("bcrypt.dll")]
            public static extern NTStatus BCryptCloseAlgorithmProvider(
                [In, Out] IntPtr hAlgorithm,
                [In] UInt32 dwFlags);

            [DllImport("bcrypt.dll", CharSet = CharSet.Auto)]
            public static extern NTStatus BCryptCreateHash(
                [In, Out] IntPtr hAlgorithm,
                [Out] out IntPtr phHash,
                [Out] IntPtr pbHashObject,
                [In, Optional] UInt32 cbHashObject,
                [In, Optional] IntPtr pbSecret,
                [In] UInt32 cbSecret,
                [In] UInt32 dwFlags);

            [DllImport("bcrypt.dll")]
            public static extern NTStatus BCryptDestroyHash(
                [In, Out] IntPtr hHash);

            [DllImport("bcrypt.dll")]
            public static extern NTStatus BCryptHashData(
                [In, Out] IntPtr hHash,
                [In, MarshalAs(UnmanagedType.LPArray)] byte[] pbInput,
                [In] int cbInput,
                [In] UInt32 dwFlags);

            [DllImport("bcrypt.dll")]
            public static extern NTStatus BCryptFinishHash(
                [In, Out] IntPtr hHash,
                [Out, MarshalAs(UnmanagedType.LPArray)] byte[] pbInput,
                [In] int cbInput,
                [In] UInt32 dwFlags);

            [Flags]
            public enum AlgOpsFlags : uint
            {            
                BCRYPT_PROV_DISPATCH = 0x00000001,
                BCRYPT_ALG_HANDLE_HMAC_FLAG = 0x00000008,
                BCRYPT_HASH_REUSABLE_FLAG = 0x00000020
            }

            // This is a gigantic enum and I don't want to copy all of it into this Powershell script.
            // Basically anything other than zero means something went wrong.
            public enum NTStatus : uint
            {
                STATUS_SUCCESS = 0x00000000
            }
        }
'@

        [Byte[]]$HashBytes   = New-Object Byte[] 16
        [IntPtr]$PHAlgorithm = [IntPtr]::Zero
        [IntPtr]$PHHash      = [IntPtr]::Zero
        $NTStatus = [BCrypt]::BCryptOpenAlgorithmProvider([Ref] $PHAlgorithm, 'MD4', $Null, 0)
        If ($NTStatus -NE 0)
        {
            Write-Error "BCryptOpenAlgorithmProvider failed with NTSTATUS $NTStatus"
            If ($PHAlgorithm -NE [IntPtr]::Zero)
            {
                $NTStatus = [BCrypt]::BCryptCloseAlgorithmProvider($PHAlgorithm, 0)
            }
            Return
        }
        $NTStatus = [BCrypt]::BCryptCreateHash($PHAlgorithm, [Ref] $PHHash, [IntPtr]::Zero, 0, [IntPtr]::Zero, 0, 0)
        If ($NTStatus -NE 0)
        {
            Write-Error "BCryptCreateHash failed with NTSTATUS $NTStatus"
            If ($PHHash -NE [IntPtr]::Zero)
            {
                $NTStatus = [BCrypt]::BCryptDestroyHash($PHHash)                
            }
            If ($PHAlgorithm -NE [IntPtr]::Zero)
            {
                $NTStatus = [BCrypt]::BCryptCloseAlgorithmProvider($PHAlgorithm, 0)
            }
            Return
        }

        $NTStatus = [BCrypt]::BCryptHashData($PHHash, $DataToHash, $DataToHash.Length, 0)
        $NTStatus = [BCrypt]::BCryptFinishHash($PHHash, $HashBytes, $HashBytes.Length, 0)

        If ($PHHash -NE [IntPtr]::Zero)
        {
            $NTStatus = [BCrypt]::BCryptDestroyHash($PHHash)
        }
        If ($PHAlgorithm -NE [IntPtr]::Zero)
        {
            $NTStatus = [BCrypt]::BCryptCloseAlgorithmProvider($PHAlgorithm, 0)
        }

        $HashString = New-Object System.Text.StringBuilder
        Foreach ($Byte In $HashBytes)
        {
            [Void]$HashString.Append($Byte.ToString("X2"))
        }
        Return $HashString.ToString()
    }
}

Example hashing the word 'hello':

md4 hash

Ryan Ries
  • 949
  • 1
  • 10
  • 14