hashcat Forum

Hi,

During a pentest I captured out a NTLMSSP "hash" Does oclhascat crack NTLMSSP ?

https://msdn.microsoft.com/en-us/library/...85%29.aspx
https://en.wikipedia.org/wiki/NTLMSSP

Quote:GET https://www.xxxx.xxx/ HTTP/1.0
Cache-Control: no-cache
Pragma: no-cache
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Cookie: xxxxxx
Accept-Encoding: gzip
Host: www.xx.xx

Proxy-Authorization: NTLM TlRMTVNTUAADAAAA/some base64 encoded stuff here/

Thank you.

hashcat isn't able to crack it, no. and i'm not 100% positive, but i don't think you have enough here to crack anyway. ntlm c/r is a four-way handshake, you only have one of the pieces. i also believe that you need to be the one to initiate the challenge, using a specially crafted challenge that you control. i think most people use metasploit, ettercap, c&a, or something along those lines to automate the process. i think there are also scripts out there that will parse out the necessary bits from a pcap file.

Ok.
And what if I retrieved the complete four-way exchange ? How could I crack it ?

maybe try https://github.com/psychomario/ntlmsspparse and see if that doesn't put it into a format that jtr can recognize. i think jtr jumbo supports ntlm c/r.

I do not really understand why is it so hard to crack such hashes.

Does Cain&Abel use some secret and very complicated algorythm, that cannot be recreated?