-
September 13th, 2010, 04:48 AM
#1
Member
question about cracking NTLM hashes
I just got the NTLM hashes from a Win 7 VM. I got them using "auxiliary/server/capture/smb" from Metasploit, so I could import them into Cain for cracking; however, Win 7 has LM off by default, so I was only able to get NTLM. I was able to import into Cain, but I can't launch a dict-attack.... don't know why. I launch it, but it tries to run and then stops. The hashes are not in the usual pwdump format. Here's the format:
user1:vista-vbox:1122334455667788:000000000000000000000000000000000000000000000000:fc73f3f5f74fc8518c9b6b045e79fec401010000000000002904a4d3244fcb01740f29bcff07e28300000000020000000000000000000000
This is what Metasploit shows as the exploit runs:
vista-vbox\user1 LMHASH:000000000000000000000000000000000000000000000000 NTHASH:2f16e1adfae1b88a0d683105511e5d930101000000000000705351442651cb014e497b5310c7d47900000000020000000000000000000000
Could anyone tell me if the reason the dict-attack is not running is because the NTLM hash is not in the right format, or do I need to run something different, like rainbow tables? Just by looking at the NTLM hash, I think it is too long.
any help appreciated
thanks
-
September 13th, 2010, 05:36 AM
#2
Have you tried running the dictionary attack against hashes pulled from XP? Might be worth a shot to make sure it isn't a problem with the config.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
September 13th, 2010, 07:15 AM
#3
-
September 13th, 2010, 07:24 AM
#4
Member
Originally Posted by westin
Have you tried running the dictionary attack against hashes pulled from XP? Might be worth a shot to make sure it isn't a problem with the config.
Yes, I used "hashdump" on an XP box and imported them into Cain. Then I ran the dict-attack, no problem! But in this case I also got LM hashes and NTLM, so I was wondering if I needed both to perform the crack in Cain.
thanks
-
September 13th, 2010, 07:26 AM
#5
Member
Originally Posted by HYBR|D
I'll read it!
thanks
-
September 13th, 2010, 02:44 PM
#6
I quickly got it to run in L0phtCrack 6 to test for you because I could not get it to go in Cain or Ophcrack either. It completed the Dictionary attack and the Brute Force started running fine (didn't let it finish, would've taken 3 days). Anyway, I just pasted all the hash info in a text file and imported.....
user1:vista-vbox:1122334455667788:000000000000000000000000000000000000000000000000:fc73f3f5f74fc8518c9b6b045e79fec401010000000000002904a4d3244fcb01740f29bcff07e28300000000020000000000000000000000
Here is a good link that should help you do it all from Metasploit:
http://carnal0wnage.blogspot.com/200...er-module.html
Last edited by Wazz; September 13th, 2010 at 02:54 PM.
"It is a shame that stupidity is not painful" - Anton LaVey
-
September 15th, 2010, 12:05 AM
#7
Member
Originally Posted by Wazz
I quickly got it to run in L0phtCrack 6 to test for you because I could not get it to go in Cain or Ophcrack either. It completed the Dictionary attack and the Brute Force started running fine (didn't let it finish, would've taken 3 days). Anyway, I just pasted all the hash info in a text file and imported.....
user1:vista-vbox:1122334455667788:000000000000000000000000000000000000000000000000:fc73f3f5f74fc8518c9b6b045e79fec401010000000000002904a4d3244fcb01740f29bcff07e28300000000020000000000000000000000
Here is a good link that should help you do it all from Metasploit:
http://carnal0wnage.blogspot.com/200...er-module.html
Thanks for the link, though; after reading it, I have a few questions. Was your attack against a WinXP box? Because mine is against a Win7, which has LM hashes turned off. Another one: when I import them into Cain, it shows a "challenge"; what's that? And would I be able to crack my NTLM hash using your method?
thanks for the help
-
September 16th, 2010, 08:00 AM
#8
The challenge is just an authentication protocol that NTLM implements (challenge/response). A unique challenge is sent to the client, then the hash and challenge are combined and sent back to see if the value is equal/correct to authenticate. Unfortunately I haven't had time to try any of the techniques from the link I sent you; it's actually a site I go to all the time and remembered the post. However, as I said, I did get it to load in L0phtCrack and begin bruting.....I'm not sure what the goal is here (if you actually need the password or not), but if you can get a Meterpreter session....the sky's the limit.
"It is a shame that stupidity is not painful" - Anton LaVey
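To make the format question from the first post and the challenge/response explanation above concrete, here is an added example (my code, not from any poster or from Metasploit/Cain) that tells a pwdump NT hash apart from a captured NetNTLMv2 challenge/response and splits the thread's captured line into its protocol fields. The field layout follows the public NTLMv2 response structure; the pwdump comparison line is constructed.

```python
"""Identify and parse the credential material pasted in the thread."""
import struct
from datetime import datetime, timedelta, timezone

# The thread's captured line (forum word-wrap spaces removed):
# user:domain:server_challenge:LM_response:NTLMv2_response
SAMPLE = ("user1:vista-vbox:1122334455667788:" + "0" * 48 + ":"
          "fc73f3f5f74fc8518c9b6b045e79fec4"   # NTProofStr: HMAC-MD5 keyed by the NT hash
          "0101000000000000"                   # RespType, HiRespType, reserved
          "2904a4d3244fcb01"                   # timestamp (FILETIME, little-endian)
          "740f29bcff07e283"                   # client challenge
          "00000000"                           # reserved
          "020000000000000000000000")          # AV pairs: empty domain entry, EOL, padding
# Constructed pwdump-style line for comparison (NT value is made up, not from the thread).
PWDUMP_SAMPLE = "user1:1000:aad3b435b51404eeaad3b435b51404ee:" + "ab" * 16 + ":::"
HEX = set("0123456789abcdefABCDEF")

def is_hex(s, n=None):
    return bool(s) and set(s) <= HEX and (n is None or len(s) == n)

def classify(line):
    """A stored NT hash is 32 hex chars; a capture carries a challenge plus responses."""
    f = line.strip().split(":")
    if len(f) >= 4 and is_hex(f[2], 32) and is_hex(f[3], 32):
        return "pwdump NT hash"                  # user:rid:LM:NT::: as hashdump prints it
    if len(f) == 5 and is_hex(f[2], 16) and is_hex(f[3], 48):
        if is_hex(f[4], 48):
            return "NetNTLMv1 challenge/response"
        if is_hex(f[4]) and len(f[4]) > 48:
            return "NetNTLMv2 challenge/response"  # Cain's NTLMv2 list, not its NTLM hashes list
    return "unknown"

def parse_netntlmv2(line):
    """Split a NetNTLMv2 capture line into its protocol fields."""
    user, domain, srv_chal, lm_resp, nt_resp = line.strip().split(":")
    raw = bytes.fromhex(nt_resp)
    nt_proof, blob = raw[:16], raw[16:]
    if len(blob) < 28 or blob[:2] != b"\x01\x01":
        raise ValueError("NT field is not an NTLMv2 client blob")
    filetime, client_chal = struct.unpack_from("<Q8s", blob, 8)
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    av_pairs, off = [], 28
    while off + 4 <= len(blob):                  # AV_PAIR list ends at MsvAvEOL (id 0)
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == 0:
            break
        av_pairs.append((av_id, blob[off:off + av_len]))
        off += av_len
    return {"user": user, "domain": domain, "server_challenge": srv_chal,
            "static_challenge": srv_chal == "1122334455667788",  # capture module's fixed default
            "nt_proof": nt_proof.hex(), "timestamp": when,
            "client_challenge": client_chal.hex(), "av_pairs": av_pairs}
```

Running `classify` on the thread's line reports a NetNTLMv2 challenge/response rather than an NT hash, which is why Cain's plain NTLM dictionary attack has nothing to work on; the parsed timestamp also shows when the capture took place.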
-
September 16th, 2010, 05:12 PM
#9
Member
Originally Posted by Wazz
but if you can get a Meterpreter session....the sky's the limit.
Actually, that was my next step, to try and get a meterpreter session going, but results are somewhat different in a win7 box, as you can't do a "hashdump"... "lack of privileges." I started a thread about it here
-
September 17th, 2010, 11:11 AM
#10
Yeah, there aren't a lot of fruitful Windows 7 modules yet in Metasploit that I'm aware of. I would maybe poke around for some exploits and other dump proggies in the wild and compile and run those, maybe try to pass the hash too. I'm actually going to set up 7 in a VM and see if I can get through when I have time; I didn't realize it was locked down this tight till this thread really.....did they actually get it right??? Let me know how you make out, good luck!
"It is a shame that stupidity is not painful" - Anton LaVey