NTLM and other hash cracking techniques

Md. Mahim Bin Firoj
7 min read · Oct 14, 2023


This is helpful during a pentest. Do not use this illegally; I will not be held responsible for that. This is for learning purposes.

If you get an NTLM-related hash from anywhere, say while playing a CTF or after dumping the SAM or ntds.dit file, what do you do with it?

On the pages above you can search for the hash pattern and match it against the hash length. There are also hash identifier tools available.

The following link will also help you find the hash ID:

Tips:

If you want to crack your own Linux system's password hash but the hashcat wiki database cannot identify the hash, run the following to see which hashing scheme PAM is configured to use:

cat /etc/pam.d/common-password

Now you can crack it. Details are at the end.
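As an added example (not code from the post), here is a small Python identifier that maps the hash formats covered in this post to the hashcat mode and john format used for them. It goes slightly beyond the post by also recognising the $1$ (md5crypt) and $5$ (sha256crypt) /etc/shadow prefixes, and it deliberately reports a bare 32-hex value as ambiguous, because NTLM, LM and MD5 all have that length and only the source of the hash tells them apart.

```python
import re
from typing import Optional, Tuple

HEX = "[0-9a-fA-F]"

# /etc/shadow style prefixes -> (label, hashcat -m, john --format).
# None means the tool has no dedicated mode (yescrypt goes through john's crypt format).
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 500, "md5crypt"),
    "$5$": ("sha256crypt", 7400, "sha256crypt"),
    "$6$": ("sha512crypt", 1800, "sha512crypt"),
    "$y$": ("yescrypt", None, "crypt"),
}

# user::host:LM-response(24 bytes):NT-response(24 bytes):server-challenge(8 bytes)
NETNTLMV1 = re.compile(rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$")
# user::domain:server-challenge(8 bytes):NTProofStr(16 bytes):blob
NETNTLMV2 = re.compile(rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}{{2,}}$")


def classify_hash(line: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (label, hashcat mode, john format) for one hash string.

    Raw hex digests can only be classified by length, so the label says
    when that is ambiguous instead of guessing a mode."""
    s = line.strip()
    for prefix, info in CRYPT_PREFIXES.items():
        if s.startswith(prefix):
            return info
    if NETNTLMV1.match(s):
        return ("Net-NTLMv1", 5500, "netntlm")
    if NETNTLMV2.match(s):
        return ("Net-NTLMv2", 5600, "netntlmv2")
    if re.fullmatch(f"{HEX}{{16}}", s):
        return ("LM (single 8-byte half)", 3000, "lm")
    if re.fullmatch(f"{HEX}{{32}}", s):
        # Same length for NTLM (-m 1000), LM (-m 3000) and MD5 (-m 0):
        # where the hash came from (SAM/ntds.dit vs a web app) decides.
        return ("32 hex: NTLM, LM or MD5 (ambiguous)", None, None)
    return ("unknown", None, None)
```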

LM:

You will get this hash after compromising the SAM or ntds.dit file if the current AD policy still stores these hashes. In modern AD deployments you will not see it often.

  • -a 3 selects brute-force (mask) attack mode. It is used when no wordlist or dictionary is given; when a wordlist is given, -a 0 is used instead. In a dictionary attack, hashcat takes each word from the wordlist as a candidate password, hashes it with the selected algorithm, and compares the result with the hashes in the provided file.
  • --force is optional; use it only if required.
Sample hash: 299BD128C1101FD6, or it could be a 32-character hash.

john --format=lm hash.txt

hashcat -m 3000 -a 3 hash.txt
or
hashcat -m 3000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

The site above will also help you crack LM hashes.

NTLM:

Microsoft calls it NTHash. You get it by dumping the SAM database or the ntds.dit file in AD; the well-known tool mimikatz can dump these hashes. You can crack the hashes offline or perform a pass-the-hash attack with them.

Sample hash: B4B9B02E6F09A9BD760F388B67351E2B

john --format=nt hash.txt

hashcat -m 1000 -a 3 hash.txt
or
hashcat -m 1000 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

NTLMv1 (aka Net-NTLMv1):

This is used for authentication between client and server. You will not find this hash in the SAM or ntds.dit file. You can capture it with the Responder tool. Then copy the whole hash and paste it into a file called hash.txt.

Credit: crack.sh -> NTLMv1 hash
Syntax:
username::hostname:LM-response:NT-response:challenge
Example: u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

john --format=netntlm hash.txt

hashcat -m 5500 -a 3 hash.txt
or
hashcat -m 5500 -a 3 hash.txt --force
or
hashcat -m 5500 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

Once the hash is cracked, you will see a result like the image above.

NTLMv2 (aka Net-NTLMv2):

This is also used for authentication between client and server.

Hash sample:

Copy this whole part and paste it into the hash.txt file, then run the commands below.

Example: admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030

john --format=netntlmv2 hash.txt

hashcat -m 5600 -a 3 hash.txt
or
hashcat -m 5600 -a 3 hash.txt --force
or
hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

The link above will also help you crack NTLMv1 (aka Net-NTLMv1) hashes. But I see that the tool the link points to has been down for a long time. I am still giving you the link because I think it could be up again some day.

You can read the above wiki article to learn more about how the algorithm works.

Crack NTLMv1 with SSP and without SSP using evilmog's tool:

Note that you can also crack this type of hash using hashcat; here I am describing the alternative options.

https://github.com/evilmog/ntlmv1-multi

This is another tool by evilmog that helps crack NTLMv1 hashes (with or without ESS/SSP).

Crack NTLMv1 without SSP:

To capture an NTLMv1 hash without SSP, use Responder with the --lm flag. Without --lm you activate ESS/SSP, which takes longer to crack. A newer flag, --disable-ess, tries to disable ESS and force the downgrade. Try --disable-ess first and, if that fails, try --lm. If using --disable-ess or --lm, ensure your client challenge is 1122334455667788 to use the FPGA; however, this may trigger network IDS/IPS protections if they see that traffic.

The capture looks like this:

[SMB] NTLMv1 Client   : 184.64.60.62
[SMB] NTLMv1 Username : DUSTIN-5AA37877\hashcat
[SMB] NTLMv1 Hash : hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
[*] Skipping previously captured hash for DUSTIN-5AA37877\hashcat

Here, hashcat is the username and DUSTIN-5AA37877 is the computer name.

We need only the value of the NTLMv1 Hash field. Run the tool with the command below:

python3 ntlmv1.py --ntlmv1 hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788

The tool prints the result below, but you need to edit the hashcat command slightly, otherwise it will not work:

['hashcat', '', 'DUSTIN-5AA37877', '76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D', '727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595', '1122334455667788']

Hostname: DUSTIN-5AA37877
Username: hashcat
Challenge: 1122334455667788
LM Response: 76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D
NT Response: 727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595
CT1: 727B4E35F947129E
CT2: A52B9CDEDAE86934
CT3: BB23EF89F50FC595

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin BB23EF89F50FC595 1122334455667788

To crack with hashcat create a file with the following contents:
727B4E35F947129E:1122334455667788
A52B9CDEDAE86934:1122334455667788

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595

Now please read carefully. If you use the hashcat command exactly as printed above, it will not work. Also use a Kali machine/VM to crack this type of hash. Here is what you need to do, step by step.

  • Create a file named hashes.txt inside the hashcat directory and put the two lines below in it:
727B4E35F947129E:1122334455667788
A52B9CDEDAE86934:1122334455667788
  • Now run this command (the charset file is DES_full.hcchr, not DES_full.charset as the tool prints):
hashcat -m 14000 -a 3 -1 charsets/DES_full.hcchr --hex-charset hashes.txt ?1?1?1?1?1?1?1?1 --force

But this way of cracking the hash takes a long time. I tested it for 3 hours and it still had not cracked, so I stopped.
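As an added example (not code from the post or from evilmog's tool), the following Python parses a Net-NTLMv1 line in the username::hostname:LM-response:NT-response:challenge format, splits the NT response into the CT1..CT3 blocks the tool prints, and audits Responder-style log lines for the two things the README above says are visible on the wire: ESS/SSP turned off and the static 1122334455667788 challenge. The sample log lines are constructed from the captures shown in this post.

```python
import re
from typing import List, NamedTuple, Optional

HEX = "[0-9a-fA-F]"
LINE = re.compile(rf"^([^:]+)::([^:]*):({HEX}{{48}}):({HEX}{{48}}):({HEX}{{16}})$")
# Fixed server challenge from the post's FPGA/crack.sh workflow; a real DC never repeats one.
STATIC_CHALLENGE = "1122334455667788"

# Constructed sample: the post's Responder capture plus an ESS-style line.
SAMPLE_LOG = [
    "[SMB] NTLMv1 Hash : hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788",
    "[SMB] NTLMv1 Hash : u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c",
]


class NetNtlmV1(NamedTuple):
    user: str
    host: str
    lm_response: str   # 24 bytes, hex
    nt_response: str   # 24 bytes, hex
    challenge: str     # 8-byte server challenge, hex

    def uses_ess(self) -> bool:
        # With ESS/SSP the LM field is an 8-byte client nonce followed by 16 zero
        # bytes rather than a real LM response; the zero tail is the tell.
        return self.lm_response[16:] == "0" * 32

    def ct_blocks(self):
        # NT response = three 8-byte DES blocks CT1, CT2, CT3 (as the tool prints them).
        # CT3's key holds only the last two bytes of the NT hash, hence the ct3_to_ntlm step.
        return tuple(self.nt_response[i:i + 16] for i in (0, 16, 32))


def parse_netntlmv1(line: str) -> Optional[NetNtlmV1]:
    m = LINE.match(line.strip())
    return NetNtlmV1(*m.groups()) if m else None


def audit_capture_lines(lines) -> List[str]:
    """One finding per NTLMv1 hash line; flags ESS off and the static challenge."""
    findings = []
    for raw in lines:
        h = parse_netntlmv1(raw.split(":", 1)[-1]) if "NTLMv1 Hash" in raw else None
        if h is None:
            continue
        notes = [f"{h.host}\\{h.user}: NTLMv1 in use"]
        if not h.uses_ess():
            notes.append("ESS/SSP disabled (downgrade)")
        if h.challenge.lower() == STATIC_CHALLENGE:
            notes.append("static challenge 1122334455667788")
        findings.append("; ".join(notes))
    return findings
```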

Crack NTLMv1 with SSP:

The process is the same as above.

SHA512-crypt hash cracking:

Example: $6$JmRD0Oll4PfbxI1u$wvJyhDemVzvXyIcWZpIqe13kCTFh.RdzeHEqpVn45EWqNSlDJ4bxjd5331qAM1Ar4ZurnYoxAD3163zV4ExBm.

hashcat -m 1800 -a 0 -o hashcrack.txt sha512-crypt.txt /usr/share/wordlists/rockyou.txt
  • -m is the hashcat mode for this hash.
  • -o is the output file; after the hash is cracked, the result is saved there.
  • sha512-crypt.txt is the file containing the above hash.
  • -a 0 is straight (dictionary) mode. As stated earlier, a wordlist is provided, so we use -a 0.
  • --force is optional; use it only if required.

MD5:

Example: 05fb917b1661c17a77aa3df24da2b1d9

hashcat -m 0 -a 0 -o md5result.txt md5.txt /usr/share/wordlists/rockyou.txt

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt md5.txt

HMAC-SHA1 with salt:

If you are given a salt and the hash type is hmac-sha1, follow the steps below to crack it.

Yescrypt hash cracking:

Hash sample: $y$j9T$R2yPUGrYOoXuivlj7v31y1$qpVXNNKjoE.bLxSbBVPPgJjLsTReyjbZQ0EL7Rk1xr3
Place the hash in a file named yescrypt_hash, then start cracking:

john yescrypt_hash --format=crypt --wordlist=/usr/share/wordlists/rockyou.txt

Now, the question is: if it is your own VM and you have forgotten the login password, how do you get the hash? Use the Autopsy forensics tool and add the .vhd as an image source (not a physical drive).

Then go to the /etc/shadow file and open it to copy the corresponding hash.

Thanks. I hope this blog helps you crack hashes when you need to. Please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
