12-23-2013, 08:08 PM
It took me a while to find/figure this out recently so I thought I'd post it here in case it helped anyone else. If nothing else I'll probably forget the details in a couple weeks and I can just use it to remind myself.
NetNTLMv2 hash format (-m 5600) appears to have been introduced in a hashcat-0.43 beta and was originally aligned with JtR as follows:
$NETNTLMv2$USERDOMAIN$1122334455667788$d2d10fab083e422123c693587315814a$0101000000000000e3a17e6c2600ce0191f59c598f8c6f4d00000000020000000000000000000000
By the time 0.43 was officially released this had been changed to its current format, which is aligned with l0phtcrack:
test::LAB:1122334455667788:3b482ca7d786401abd40c4bce7f1c283:0101000000000000ebfbd8bf8d24ce01a31384a499a4935800000000020000000000000000000000
The format of this layout is:
Username::Domain:Challenge:NTLMv2hash(aka HMAC-MD5):blob(entire NTLMv2 response except the HMAC that was in the preceding field)
If you're using Cain to capture/process these negotiations, there is no export functionality so you'll need to take them directly from the NTLMv2.LST file which is located here:
%PROGRAMFILES%\Cain\NTLMv2.LST
To put them in the lc/hashcat format, you can use:
awk -v OFS=":" -F "\t" '{print($1,"",$2,$5,$4,$6)}' NTLMv2.LST > ntlmv2.hashes
Hope someone finds this useful.
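An added example, not part of the original post: the same Cain-to-hashcat conversion with a sanity check on each row, so truncated or malformed captures are reported instead of being written into the hash file. The function names `cain_to_hashcat` and `sample_lst` are hypothetical, the column order is taken from the awk one-liner above, and the sample rows are constructed from the example line in the post.

```shell
#!/bin/sh
# Added example: validate Cain NTLMv2.LST rows while converting to -m 5600.
# Column order is taken from the post's awk one-liner:
#   $1=user  $2=domain  $4=HMAC-MD5  $5=challenge  $6=blob  ($3 is unused)
cain_to_hashcat() {
    awk -F '\t' -v OFS=':' '
    function ishex(s) { return s ~ /^[0-9A-Fa-f]+$/ }
    {
        sub(/\r$/, "")          # file comes from Windows: drop a trailing CR
        if ($0 == "") next      # ignore blank lines
        why = ""
        if (NF < 6) why = "fewer than 6 tab-separated columns"
        else if ($1 == "") why = "empty username"
        else if (index($1 $2, ":")) why = "colon inside user or domain"
        else if (length($5) != 16 || !ishex($5)) why = "challenge is not 8 hex bytes"
        else if (length($4) != 32 || !ishex($4)) why = "HMAC-MD5 is not 16 hex bytes"
        else if (length($6) % 2 || !ishex($6)) why = "blob is not whole hex bytes"
        if (why != "") {
            printf "line %d skipped: %s\n", NR, why > "/dev/stderr"
            bad++
            next
        }
        out = $1 OFS "" OFS $2 OFS $5 OFS $4 OFS $6
        if (!seen[out]++) print out    # drop rows Cain logged more than once
    }
    END { exit (bad > 0) }      # non-zero status when any row was rejected
    '
}

# Constructed sample input (values reuse the example line from the post;
# the "-" in column 3 is a placeholder, its real content is not shown there).
sample_lst() {
    h=3b482ca7d786401abd40c4bce7f1c283
    b=0101000000000000ebfbd8bf8d24ce01a31384a499a4935800000000020000000000000000000000
    printf 'test\tLAB\t-\t%s\t1122334455667788\t%s\r\n' "$h" "$b"   # valid, CRLF
    printf 'test\tLAB\t-\t%s\t1122334455667788\t%s\n' "$h" "$b"     # duplicate
    printf 'test\tLAB\t-\t%s\t11223344\t%s\n' "$h" "$b"             # short challenge
    printf 'test\tLAB\t-\t%s\n' "$h"                                # truncated row
}

sample_lst | cain_to_hashcat || echo "some rows were rejected" >&2
```

On a real file the call is `cain_to_hashcat < NTLMv2.LST > ntlmv2.hashes`; rejected rows are listed on stderr with their line number.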