Zero Day Archives
  • What is Zero Day Archives?
  • Contributors
  • Wireless Security
    • Intro to WiFi Pentesting
      • WEP Networks
      • WPS
      • WPA-PSK Networks
      • WPA & WPA2 PSK
      • WPA2 & WPA3 Enterprise Networks
      • WPA2 & WPA3-APLess
  • Reverse Engineering
    • Reverse Engineering
      • Introduction to Software Reverse Engineering
        • Introduction to Capture the Flag (CTF) Competitions
        • What are PE & Elf Binaries
        • Assembly Language for Beginner Reverse Engineers
        • Memory Registers for x86-64 (64-bit) and x86 (32-bit)
        • Reversing Tools: Command-Line Utilities for Binary Analysis
        • Reversing ELF Binaries: Techniques and Tools
      • Disassembly & Debugging
        • GDB for Reverse Engineering
        • RADARE2 for Reverse Engineering
        • GHIDRA for Reverse Engineering
        • IDA Pro for Reverse Engineering
      • Binary Exploitation
        • Buffer Overflows
          • What are Buffer Overflows and Stack Protections?
          • Commonly Exploited C Functions and Their Secure Alternatives
          • Basic Buffer Overflow in x86-64 Using GDB
        • Cryptography
          • Understanding Ciphers and Identifying Common Patterns
          • Teaching XOR Operations in Binary Exploitation
        • Return Oriented Programming (ROP)
          • Practical Guide to Exploring and Identifying Return-Oriented Programming (ROP)
        • Cracking and Patching Binaries
          • Tactics, Tools, and Procedures for Cracking and Patching Binaries
        • Ret2Win Challenges
  • Malware Analysis
    • Malware Analysis
      • Static Analysis
  • Transporting Files to/from Victims
    • Transferring Files to/from High Value Targets
      • Linux
      • Windows
      • CrackMapExec (NetExec)
  • Penetration Testing against GIT Remote Repositories
    • Targeting GIT Repositories
      • Attacking GIT
  • Network Pivoting, Port Forwarding, and Tunneling
    • Pivoting
      • Ligolo-ng
        • Basic Pivoting
        • Setup Reverse Shells through Pivot
        • Transferring Files through Pivot
      • Pivoting: Using Remote Desktop
      • ProxyChains
      • Metasploit
    • SSH Tunneling
      • SSH Local Port Forwarding
      • SSH Dynamic Port Forwarding
      • Sshuttle over SSH
    • Port Fowarding
      • Chisel Port Forwarding
      • NetSH for Port Forwarding
      • Plink for Port Forwarding
      • SoCat
      • Metasploit: Port Forwarding
  • Anti-Virus Evasion
    • Anti-Virus Evasion
      • Evasion with Metasploit
      • Evasion wtih Shellter
      • Evasion with Virus Total
  • Public Exploit Research
    • Online Exploit Research & Methods
  • Password Attacks
    • Password Attacks
      • Identifying Hashes
        • Hash Identifier Tools
      • John The Ripper
        • Cracking Passwords with John
        • Convert to Hashes with John
        • NTLM vs NTLMv2 Hashes + CrackMapExec
      • Hashcat
        • Cracking Passwords with Hashcat
      • Hydra
        • Hydra for Network Services
        • Hydra for Web Services
      • Mutating Wordlists for John & Hashcat
        • Mutating Wordlists
  • Digital Forensics & Incident Response (DFIR)
    • Digital Forensics
  • Data Science
    • Data Science/AI
  • Software Defined Radio (SDR)
    • Software Defined Radio
  • Embedded Systems Programming
    • Field Programmable Gate Arrays (FPGAs)
  • Other Resources
    • Resources for Hackers
Powered by GitBook
On this page
  • Cracking NTLM and NTLMv2 Hashes with John the Ripper & Testing with CrackMapExec
  • Introduction
  • Cracking NTLM and NTLMv2 Hashes with John the Ripper
  • Step 6: Crack NTLMv2 with Additional Options
  • Testing Cracked Hashes with CrackMapExec
  • Identifying the Difference Between NTLM and NTLMv2 Hashes
  • Conclusion
  1. Password Attacks
  2. Password Attacks
  3. John The Ripper

NTLM vs NTLMv2 Hashes + CrackMapExec

Cracking NTLM and NTLMv2 Hashes with John the Ripper & Testing with CrackMapExec

Introduction

In this guide, we will cover the process of cracking NTLM and NTLMv2 hashes using John the Ripper (John), passing these hashes to CrackMapExec (CME) for testing, and how to differentiate between NTLM and NTLMv2 hashes.

What is NTLM and NTLMv2?

  • NTLM (NT LAN Manager): This is an older authentication protocol used by Windows systems for network authentication. NTLM hashes are typically used in the Windows authentication process.

  • NTLMv2: This is an enhanced version of NTLM, designed to provide stronger security against brute-force and rainbow table attacks. NTLMv2 hashes are more resistant to certain types of attacks compared to the older NTLM hashes.

The main difference between NTLM and NTLMv2 is the authentication process. NTLMv2 provides stronger encryption, and the hash format used is different, making it more secure.

Cracking NTLM and NTLMv2 Hashes with John the Ripper

Step 1: Obtain NTLM/NTLMv2 Hashes

First, you need to obtain the NTLM or NTLMv2 hashes. These hashes can often be extracted from various sources, such as:

  • Windows SAM files (from /etc/passwd or /etc/shadow)

  • SMB shares and network authentication logs

  • Captured hashes from network traffic, particularly through tools like Responder, CrackMapExec, or SMBv1 enumeration tools.

Step 2: Prepare the Hash File

John the Ripper requires a specific format to crack NTLM or NTLMv2 hashes. If you already have hashes, they need to be formatted properly. NTLM hashes typically look like this:

username::domain:HASH

For example:
administrator::MYDOMAIN:3c2a48f4ab5db6e2f3a02c10be38c7ab

NTLMv2 hashes, on the other hand, are slightly different and have an extra layer of security. The format for NTLMv2 hashes looks like:

username::domain:HASH

yamlCopyEdit
For example:
administrator::MYDOMAIN:0101000000000000807C1E4D98A1D51A55B40F9EAE97C8598DB4F6FDF4C7E9BB9E9E10F2FC03000000000000000100000000000000000000000000000000000000000000000000

Step 3: Use John to Crack NTLM and NTLMv2 Hashes:

This is what you use to crack NTLM hashes:

john --format=NT hashfile.txt

For cracking NTLMv2, use:

john --format=NTLMv2 hashfile.txt

John will attempt to crack the hash using its built-in dictionary and other cracking algorithms (e.g., brute force, mask attack).

Step 4: Monitor Cracking Process

Once the process is initiated, John will begin to attempt to crack the hash. You can monitor its progress by checking the status with:

john --status

If you want to stop cracking and resume later, you can use:

john --restore

Step 5: Crack Hashes with a Wordlist

If the default attack doesn't yield a result, you can use a custom wordlist to increase the likelihood of success:

john --wordlist=/path/to/wordlist.txt --format=NT hashfile.txt

Step 6: Crack NTLMv2 with Additional Options

If you're dealing with NTLMv2 hashes, cracking them may require additional rules or mask-based attacks to account for the stronger encryption. Here's an example using a mask attack:

john --mask='?l?l?l?l?d?d' --format=NTLMv2 hashfile.txt

This would try lowercase letters followed by two digits as the password pattern.

Testing Cracked Hashes with CrackMapExec

Once you have successfully cracked the NTLM or NTLMv2 hash, you can use CrackMapExec (CME) to test whether the hash works for authentication on a target system.

Step 1: Install CrackMapExec

If you don’t have CrackMapExec installed, you can install it using the following:

pip install crackmapexec

Step 2: Pass the Cracked Hash to CrackMapExec

Once you have the cracked hash, you can pass it to CME by specifying the target IP, username, and the cracked password or hash. For example, to test an NTLM hash on a target SMB service, use the following CME command:

crackmapexec smb <target-ip> -u <username> -H <ntlm-hash>

For example:

crackmapexec smb 192.168.1.10 -u administrator -H 3c2a48f4ab5db6e2f3a02c10be38c7ab

If you’re working with NTLMv2, the process is the same:

crackmapexec smb 192.168.1.10 -u administrator -H 0101000000000000807C1E4D98A1D51A55B40F9EAE97C8598DB4F6FDF4C7E9BB9E9E10F2FC03000000000000000100000000000000000000000000000000000000000000000000

If the hash is valid, CrackMapExec will show a successful authentication message.

Step 3: Using Other Services

You can also test NTLM/NTLMv2 hashes on other services such as RDP or SMB using CME. The command structure remains the same:

For RDP:

crackmapexec rdp <target-ip> -u <username> -H <ntlm-hash>

For SMB:

crackmapexec smb <target-ip> -u <username> -H <ntlm-hash>

Identifying the Difference Between NTLM and NTLMv2 Hashes

To differentiate between NTLM and NTLMv2 hashes:

  1. NTLM Hash Format: Typically shorter and less complex, usually 32 characters (hexadecimal).

    • Example:

      3c2a48f4ab5db6e2f3a02c10be38c7ab

  2. NTLMv2 Hash Format: Longer and more complex, with 128 characters (hexadecimal).

    • Example:

      0101000000000000807C1E4D98A1D51A55B40F9EAE97C8598DB4F6FDF4C7E9BB9E9E10F2FC03000000000000000100000000000000000000000000000000000000000000000000

  3. CrackMapExec Testing: When using CrackMapExec, if the authentication succeeds with an NTLMv2 hash, the output will confirm the authentication method as NTLMv2. If you use an NTLM hash, the output will show the older NTLM authentication method.

Conclusion

By following the steps outlined in this guide, you can effectively crack NTLM and NTLMv2 hashes using John the Ripper, pass them to CrackMapExec for testing, and identify the differences between NTLM and NTLMv2 hashes. This process is valuable for penetration testing and security assessments, as cracking these hashes can provide unauthorized access to network services such as SMB, RDP, and more.

PreviousConvert to Hashes with JohnNextHashcat

Last updated 15 days ago