Results 1 to 10 of 10

Thread: question about cracking NTLM hashes

  1. #1
    Member
    Join Date
    Oct 2006
    Posts
    63

    question about cracking NTLM hashes

    I just got the NTLM hashes from a Win 7 VM. I got them using "auxiliary/server/capture/smb" from metasploit, so I could import them into Cain for cracking; however, Win 7 has LM off by default, so I was only able to get NTLM, and I was able to import into Cain, but I can't launch a dict-attack.... don't know why. I launch it but it will try to run and stop. the hashes are not in the usual pwdump format. Here's the format.

    user1:vista-vbox:1122334455667788:0000000000000000000000000000 00000000000000000000:fc73f3f5f74fc8518c9b6b045e79f ec401010000000000002904a4d3244fcb01740f29bcff07e28 300000000020000000000000000000000

    This is what Metasploit shows as the exploit runs:

    vista-vbox\user1 LMHASH:0000000000000000000000000000000000000000000 00000 NTHASH:2f16e1adfae1b88a0d683105511e5d9301010000000 00000705351442651cb014e497b5310c7d4790000000002000 0000000000000000000

    could anyone tell me if the reason why the dic-attack is not running is b/c the NTLM hash is not in the right format, or do I need to run something different like rainbow-tables....just by looking at the NTLM hash I think is too long

    any help appreciated

    thanks

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Have you tried running the dictionary attack against hashes pulled from XP? Might be worth a shot to make sure it isn't a problem with the config.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  3. #3

  4. #4
    Member
    Join Date
    Oct 2006
    Posts
    63
    Quote Originally Posted by westin View Post
    Have you tried running the dictionary attack against hashes pulled from XP? Might be worth a shot to make sure it isn't a problem with the config.
    yes, I used "hashdump" on an xp box and import them into cain. Then, I ran the dic-attack no problem!... but in this case I got also LM hashes and NTLM, so I was wondering if I needed both to perform the crack in Cain

    thanks

  5. #5
    Member
    Join Date
    Oct 2006
    Posts
    63
    I'll read it!

    thanks

  6. #6
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    I quickly got it to run in L0phtCrack 6 to test for you because I could not get it to go in Cain or Ophcrack either. It completed the Dictionary attack and the Brute Force started running fine (didn't let it finish, would've taken 3 days). Anyway, I just pasted all the hash info in a text file and imported.....

    user1:vista-vbox:1122334455667788:0000000000000000000000000000 00000000000000000000:fc73f3f5f74fc8518c9b6b045e79f ec401010000000000002904a4d3244fcb01740f29bcff07e28 300000000020000000000000000000000


    Here is a good link that should help you do it all from Metasploit:

    http://carnal0wnage.blogspot.com/200...er-module.html
    Last edited by Wazz; September 13th, 2010 at 02:54 PM.
    "It is a shame that stupidity is not painful" - Anton LaVey

  7. #7
    Member
    Join Date
    Oct 2006
    Posts
    63
    Quote Originally Posted by Wazz View Post
    I quickly got it to run in L0phtCrack 6 to test for you because I could not get it to go in Cain or Ophcrack either. It completed the Dictionary attack and the Brute Force started running fine (didn't let it finish, would've taken 3 days). Anyway, I just pasted all the hash info in a text file and imported.....

    user1:vista-vbox:1122334455667788:0000000000000000000000000000 00000000000000000000:fc73f3f5f74fc8518c9b6b045e79f ec401010000000000002904a4d3244fcb01740f29bcff07e28 300000000020000000000000000000000


    Here is a good link that should help you do it all from Metasploit:

    http://carnal0wnage.blogspot.com/200...er-module.html

    thanks for the link though, but after reading it, I got a few questions. Your attack was against a winxp box? because mine is against a win7 which has LM hashes turned off. Another when I import them into cain, it show a "challenge" what's that? And would I be able to crack mine NTLM hash using your method?

    thanks for the help

  8. #8
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    The challenge is just an authentication protocol that NTLM implements (challenge\response). A unique challenge is sent to the client, then the hash and challenge are combined and sent back to see if the value is equal\correct to authenticate. Unfortunately I haven't had time to try any of the techniques from the link I sent you, it's actually a site I go to all the time and remembered the post. However, as I said I did get it to load in L0phtcrack and begin bruting.....I'm not sure what the goal is here (if you actually need the password or not), but if you can get a Meterpreter session....the sky's the limit.
    "It is a shame that stupidity is not painful" - Anton LaVey

  9. #9
    Member
    Join Date
    Oct 2006
    Posts
    63
    Quote Originally Posted by Wazz View Post
    but if you can get a Meterpreter session....the sky's the limit.
    Actually, that was my next step, to try and get a meterpreter session going, but results are somewhat different in a win7 box, as you can't do a "hashdump"... "lack of privileges." I started a thread about it here

  10. #10
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Yeah, there aren't a lot of fruitful Windows 7 modules yet in Metasploit that I'm aware of. I would maybe poke around for some exploits and other dump proggies in the wild and compile and run those, maybe try to pass the hash too . I'm actually going to set up 7 in a VM and see if I can get through when I have time, I didn't realize it was locked down this tight till this thread really.....did they actually get it right??? Let me know how you make out, good luck!
    "It is a shame that stupidity is not painful" - Anton LaVey

Similar Threads

  1. Password Cracking with Rainbow Tables
    By 3rr0r in forum The Security Tutorials Forum
    Replies: 22
    Last Post: May 28th, 2004, 02:19 AM
  2. Question Time
    By jm459 in forum Tech Humor
    Replies: 1
    Last Post: April 14th, 2004, 01:41 PM
  3. Question regarding times for cracking passwords
    By AlkAzAA in forum Miscellaneous Security Discussions
    Replies: 5
    Last Post: March 10th, 2004, 11:56 AM
  4. Maximum performance question
    By Fasheezy in forum Hardware
    Replies: 5
    Last Post: February 5th, 2004, 04:25 PM
  5. Newbie FAQ. Check these to make sure your question hasn't been asked.
    By Alcatraz in forum Newbie Security Questions
    Replies: 13
    Last Post: July 9th, 2003, 07:34 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •