I'm trying to set up a system for pen-testing. I'm using the FreeRadius-WPE patch to collect Challenges/Requests from people who connect to my spoofed AP instead of the actual network. Here is the format in which FreeRadius-WPE returns the credentials:

    username: Domain\User
    challenge: 57:82:23:55:cd:68:10:ed
    response: 6d:dc:ac:a6:1e:cb:ea:b7:7f:dc:b4:08:89:30:b6:82:6e:37:15:a4:1e:92:1f:b6
    john NETNTLM: **Domain\User:$NETNTLM$57822355cd6810ed$6ddcaca61ecbeab77fdcb4088930b6826e3715a41e921fb6**

(Most important is the line between the **'s, which is what I send to John/Asleap to crack it.)

They're all NTLM v2, so I was hoping to run them through HashCat, but everything I see with HashCat involves some "lc" format that looks like this:

admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

Where "hashcat" is the password. I found this information here.

So again, how can I convert from my strange format to this lc one so that I can use it in HashCat?

1 Answer

This hashcat thread claims that simply rearranging the fields should be sufficient - but hashcat only recognizes the resulting hash as NetNTLMv1, not v2.

$ cat john.hash 
Domain\User:$NETNTLM$57822355cd6810ed$6ddcaca61ecbeab77fdcb4088930b6826e3715a41e921fb6

$ cat john.hash | perl -ne '/(.*?):\$.*?\$(.*?)\$(.*)/; print "$1::::$3:$2\n";'
Domain\User::::6ddcaca61ecbeab77fdcb4088930b6826e3715a41e921fb6:57822355cd6810ed

... but it's not recognized as NetNTLMv2:

$ hashcat -m 5600 --quiet -O -a 3 hashcat.hash hash?l?l?l
Hashfile 'hashcat.hash' on line 1 (Domain...e3715a41e921fb6:57822355cd6810ed): Salt-length exception
No hashes loaded.

... and I can't crack it as "hashcat" and NetNTLMv1:

$ hashcat -m 5500 --quiet -O -a 3 hashcat.hash hash?l?l?l
$ 
[no output]
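Added example, not part of the question or the answer above and not code from FreeRADIUS-WPE, John the Ripper or hashcat: a small Python converter that generalizes the answer's perl one-liner. The john `$NETNTLM$` line carries an 8-byte challenge and a 24-byte response, which is the NetNTLMv1/MSCHAPv2 shape; hashcat's -m 5500 layout for that is `user::domain:<LM response>:<NT response>:<challenge>`, and -m 5600 expects the different NetNTLMv2 fields, which is why the "Salt-length exception" appears above. The converter validates the hex field lengths, splits `Domain\User` so the domain lands in hashcat's own domain field (pass `keep_domain=False` to get exactly the answer's layout), leaves the LM response field empty because WPE captures only the 24-byte response, also accepts the raw three-line WPE block from the question, and reports malformed lines instead of silently dropping them. Function names and the sample lines are mine; the first sample reuses the challenge and response shown in the question.

```python
"""Convert FreeRADIUS-WPE / John the Ripper $NETNTLM$ lines to hashcat -m 5500.

Added example for this thread; not code from the original post, FreeRADIUS-WPE,
John the Ripper or hashcat. The SAMPLE lines at the bottom are constructed.
"""
import re

# john's netntlm format: <user>:$NETNTLM$<16 hex challenge>$<48 hex response>
JOHN_NETNTLM = re.compile(
    r"^(?P<user>[^:]+):\$NETNTLM\$(?P<challenge>[0-9a-fA-F]{16})"
    r"\$(?P<response>[0-9a-fA-F]{48})$"
)

# the three raw lines WPE prints before the john line, bytes separated by ':'
WPE_FIELD = re.compile(r"^\s*(username|challenge|response):\s*(\S+)\s*$", re.I)


def parse_john_netntlm(line):
    """Return (user, domain, challenge, response) from a $NETNTLM$ line.

    8-byte challenge + 24-byte response is the NetNTLMv1 / MSCHAPv2 shape,
    which is why hashcat treats these as mode 5500 rather than 5600.
    'Domain\\User' is split so the domain can go in hashcat's own field.
    Raises ValueError on anything that does not match the format exactly.
    """
    m = JOHN_NETNTLM.match(line.strip())
    if not m:
        raise ValueError("not a $NETNTLM$ line: %r" % line)
    name = m.group("user")
    domain, sep, user = name.rpartition("\\")  # "Domain\\User" -> ("Domain", "User")
    if not sep:
        user, domain = name, ""
    return user, domain, m.group("challenge").lower(), m.group("response").lower()


def to_hashcat_5500(line, keep_domain=True):
    """Emit hashcat's -m 5500 layout: user::domain:<LM resp>:<NT resp>:<challenge>.

    WPE only captures the 24-byte NT/MSCHAPv2 response, so the LM response field
    is left empty, exactly as the answer's perl one-liner does. keep_domain=False
    folds the domain back into the username, giving the answer's exact layout.
    """
    user, domain, challenge, response = parse_john_netntlm(line)
    if not keep_domain and domain:
        user, domain = domain + "\\" + user, ""
    return ":".join([user, "", domain, "", response, challenge])


def from_wpe_block(block):
    """Build the hashcat line straight from WPE's username:/challenge:/response: lines."""
    fields = {}
    for line in block.splitlines():
        m = WPE_FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    missing = [k for k in ("username", "challenge", "response") if k not in fields]
    if missing:
        raise ValueError("WPE block is missing %s" % ", ".join(missing))
    challenge = fields["challenge"].replace(":", "")
    response = fields["response"].replace(":", "")
    return to_hashcat_5500("%s:$NETNTLM$%s$%s" % (fields["username"], challenge, response))


def convert_lines(lines):
    """Convert many john lines; return (converted, rejected) so bad input is visible."""
    ok, bad = [], []
    for raw in lines:
        if not raw.strip():
            continue
        try:
            ok.append(to_hashcat_5500(raw))
        except ValueError:
            bad.append(raw.rstrip("\n"))
    return ok, bad


# Constructed sample input: the question's hash, a made-up valid one, a broken one.
SAMPLE = [
    "Domain\\User:$NETNTLM$57822355cd6810ed$6ddcaca61ecbeab77fdcb4088930b6826e3715a41e921fb6",
    "bob:$NETNTLM$0011223344556677$" + "ab" * 24,
    "broken:$NETNTLM$zz$notavalidresponse",
]

if __name__ == "__main__":
    converted, rejected = convert_lines(SAMPLE)
    for h in converted:
        print(h)          # feed these lines to: hashcat -m 5500 hashcat.hash ...
    for r in rejected:
        print("rejected:", r)
```

Either layout loads in -m 5500; the domain is informational for NetNTLMv1 and does not enter the computation, so putting it in its own field only changes how hashcat reports the cracked entry.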