Please note, this is a STATIC archive of website hashcat.net from 08 Oct 2020, cach3.com does not collect or store any user information, there is no "phishing" involved.

hashcat Forum

Full Version: NetNTLMv1 Help!
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Ok, I've been bouncing my head off my desk for several days now on this.  First, an assumption I am working off of is that netntlmv1 and MSCHAPv2 are same/same?

What I've tried.

EBE2F20936540E6500000000000000000000000000000000:FBF97203E1B703515A1BF44FF5EA5C621623DAC7065DA58F:1122334455667788

Code:
***@*** ~/D/h/src> chapcrack radius -C 1122334455667788 -R FBF97203E1B703515A1BF44FF5EA5C621623DAC7065DA58F
Cracking K3................
                     C1 = fbf97203e1b70351
                     C2 = 5a1bf44ff5ea5c62
                     C3 = 1623dac7065da58f
                      P = 1122334455667788

Oh, so I assume it must be ESS.  Sooo

Code:
***@*** ~/D/h/src> ./ct3_to_ntlm.bin fd5717880e4b5e13 7ab2b26a22061831 e81d062fe3f8fb9f00000000000000000000000000000000
08a8

Ok, great, but I want to double check this, so...

Code:
***@*** ~/D/h/src> perl -e 'print pack ("H*", "112233445566778803FE97E316101F32")' | md5sum

b66a63d54cfe005c88b054d53f5e3dc0  -

and then 

Code:
***@*** ~/D/h/src> hashcat64.bin -m14000 --potfile-disable --quiet -a 3 -1 charsets/DES_full.charset --hex-charset 99223BFDCF216B9B:b66a63d54cfe005c ?1?1000000000000

And... Nothing.

So, I guess I have 3 questions,

1. Am I right in my assumptions that the process for MSCHAPv2 should work for NETNTLMv1?

2. If so, what am I doing wrong in my manual check of the ESS?

3. Once I have the C1,C2, and K3, where do I go from there to get the ntlm?

Thanks!

I've been using the following threads as guidelines.
https://hashcat.net/forum/thread-5948.html
https://hashcat.net/forum/thread-5912.html
I think you only have one error here:

Quote:hashcat64.bin -m14000 --potfile-disable --quiet -a 3 -1 charsets/DES_full.charset --hex-charset 99223BFDCF216B9B:b66a63d54cfe005c ?1?1000000000000

should actually be:

Quote:???

I tried to fix it for you but then found out you mixed two different test sets here. For example I can't find fd5717880e4b5e13 nowhere else in your describtion but at once place. So the entire report doesn't make any sense. Sorry!
Oops, I copied the lines directly from the two links I put at the bottom.  So once more, with the proper hash all the way through...


Quote:chapcrack radius -C 1122334455667788 -R FBF97203E1B703515A1BF44FF5EA5C621623DAC7065DA58F
Cracking K3................
                    C1 = fbf97203e1b70351
                    C2 = 5a1bf44ff5ea5c62
                    C3 = 1623dac7065da58f
                     P = 1122334455667788

Quote:perl -e 'print pack ("H*", "1122334455667788EBE2F20936540E65")' | md5sum

cf181f2ce105d7f75750b497d694b334  -

Quote:./hashcat64.bin -m 14000 --potfile-disable --quiet -a 3 -1 charsets/DES_full.charset --hex-charset 1623dac7065da58f:cf181f2ce105d7f7 ?1?1000000000000

... And I got all the way down here, and figured out part of my issue... hashcat does not like Fish Shell

When I drop into bash, the example works, but my still fails.
I will be redoing my post with up to date python and bash to automate all the components, if you can wait until monday it should be up by then. Sorry for any of the confusion, the final crack part was due to an error on my side. So I apologize for any confusion I have caused.
Perhaps these procedures should be added to the wiki as well?
(04-24-2017, 09:43 PM)magnum Wrote: [ -> ]Perhaps these procedures should be added to the wiki as well?

Agreed, I got delayed with my day job but a half written python prototype is up to automate this.  I'll make its own wiki entry for it.  I'm going to try to get it added to hashcat-utils and have it walk people through it step by step.