This is a static archive of hashcat.net from 08 Oct 2020.

hashcat Forum

Full Version: Posting a hash from malware?
So I know that in general it is verboten to post hashes for cracking, which I completely get.

That said, while looking over a threat report detailing recent "Chimera APT" activity, they mentioned that the attackers had inserted skeleton key logic on the domain controllers which would allow a single password to be considered valid for all accounts. The code used to do this was largely taken from mimikatz, but the hash was changed from the normally hardcoded "mimikatz" hash.

The values that make up that new hash value are visible on page 18 of that report (marked 17 in the text), although they need to be put together and ordered with endianness in mind, etc. Given that the hash is clearly public at this point from this report (and Twitter for that matter), and that it is associated with nefarious activities, would it be acceptable to post the hash here to see if "team hashcat" can crack it?

If not I get it, I realize this is not the intent of this forum, but I figured it could be interesting to some folks and could create a very simple test for organizations to test for the presence of this malware (e.g. just try to log in with whatever the password ends up being, obviously only works until they change it though).
This : https://twitter.com/TalBeerySec/status/1...5254190080 ?

vs the password "mimikatz" -m 1000 NTLM hash : https://github.com/gentilkiwi/mimikatz/b...#L602-L606
( original "mimikatz" 60xx4fcaxxxx6c7a03xxxx8194xxxxf6 )
(08-20-2020, 11:03 PM)philsmd Wrote: This : https://twitter.com/TalBeerySec/status/1...5254190080 ?

vs the password "mimikatz" -m 1000 NTLM hash : https://github.com/gentilkiwi/mimikatz/b...#L602-L606
( original "mimikatz" 60xx4fcaxxxx6c7a03xxxx8194xxxxf6 )

Yes, that would be it.