This is a small update for re-search.py to properly handle binary files.
re-search_V0_0_2.zip (https)
MD5: FC921EAF48774B6E113FAE76867B69E1
SHA256: B07BF53FE476E6FC4D5B568BA2B0B70DD3BC037478A2CBF3A08A1AA6CCDD402C
In this video I show an alternative to my blogpost on extracting hashes from the Active Directory database file ntds.dit.
I use secretsdump.py from Core Security’s impacket Python modules. The advantage is that this is a pure Python solution, and that it was able to automatically select the correct object ID. Dependencies are pycrypto and pyasn1.
This is a bugfix for pdf-parser. Streams were not properly extracted when they started with whitespace after the normal whitespace following the stream keyword.
pdf-parser_V0_6_5.zip (https)
MD5: 7F0880EB8A954979CA0ADAB2087E1C55
SHA256: E7D2CCA12CC43D626C53873CFF0BC0CE2875330FD5DBC8FB23B07396382DCC85
Today I’m releasing my rtfdump.py tool to analyze RTF documents. I started working on it about a year ago, but I didn’t like the direction it took me in, and stopped working on it. About a week ago I started again with new samples, and I’m more satisfied now with the result.
I will post more information later. But if you want to get an idea how to use my tool, take a look at this analysis in SANS ISC Diary.
rtfdump_V0_0_2.zip (https)
MD5: 368CCACC556E283D5E1759ED5E164BFF
SHA256: DA9B0AB231B1ADBC1083FC0F915A789EF19A5F7540C317CFA80BF3DE038C7952
I published a sample Active Directory database file (ntds.dit) to practise hash extraction and password cracking. And I published several how-to blog posts.
Here is an overview:
Practice ntds.dit File Part 2: Extracting Hashes
Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist
Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force
Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM
Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist
Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force
Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM
Video: ntds.dit: Extract Hashes With secretsdump.py
Practice ntds.dit File Part 9: Extracting Password History Hashes
Using passwords recovered from LM hashes to crack NTLM hashes is easier with John the Ripper, because it comes with a rule (NT) to toggle all letter combinations:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=lm-passwords.txt --rules=NT --pot=john-lm-ntlm.pot nt.john.out
Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32] )
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
FEPARAGON (user20)
V (user21)
Y6G (user23)
aS (user22)
*qFT (user24)
lm1181992 (user16)
976b0 (user26)
*Vqc( (user25)
Root1$ (Administrator)
Lzac08@ (user19)
kurt!!! (user05)
XjW*wL (user27)
yeliz6 (user14)
tadob (user15)
zordic7 (user04)
maisie2007 (user12)
8N)IMRgQ57_ (user31)
girlish2020 (user06)
thurlow1 (user09)
cuningo (user17)
A9LT5J$r (user28)
Crx3#W+f (user29)
beaufort1 (user10)
43PDlBR8tS#V (user32)
453758487l (user08)
F-62RqTo@m (user30)
WBJ_Pvtz6i42AV (user34)
rachelleanne (user03)
amorosaoveja (user07)
b#f1HvU@Qz7nk (user33)
31g 0:00:00:00 DONE (2016-07-18 22:19) 382.7g/s 426851p/s 426851c/s 6317KC/s wbj_pvtz6I42av..wbj_pvtz6i42av
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Using --show:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-lm-ntlm.pot ad-database\kali\dump\nt.john.out
Administrator:Root1$:S-1-5-21-3188177830-2933342842-421106997-500::
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:aS:S-1-5-21-3188177830-2933342842-421106997-1127::
user23:Y6G:S-1-5-21-3188177830-2933342842-421106997-1128::
user24:*qFT:S-1-5-21-3188177830-2933342842-421106997-1129::
user25:*Vqc(:S-1-5-21-3188177830-2933342842-421106997-1130::
user26:976b0:S-1-5-21-3188177830-2933342842-421106997-1131::
user27:XjW*wL:S-1-5-21-3188177830-2933342842-421106997-1132::
user28:A9LT5J$r:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:Crx3#W+f:S-1-5-21-3188177830-2933342842-421106997-1134::
user30:F-62RqTo@m:S-1-5-21-3188177830-2933342842-421106997-1135::
user31:8N)IMRgQ57_:S-1-5-21-3188177830-2933342842-421106997-1136::
user32:43PDlBR8tS#V:S-1-5-21-3188177830-2933342842-421106997-1137::
user33:b#f1HvU@Qz7nk:S-1-5-21-3188177830-2933342842-421106997-1138::
user34:WBJ_Pvtz6i42AV:S-1-5-21-3188177830-2933342842-421106997-1139::
31 password hashes cracked, 12 left
Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode does not just try out the full key space: it follows an order based on trigraph frequencies to recover passwords as soon as possible.
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out
Working through the complete LM hash key space will take many days:
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
1 (user09:2)
2020 (user06:2)
AS (user22)
F (user29:2)
R (user28:2)
LM11819 (user16:1)
V (user21)
EANNE (user03:2)
T1 (user10:2)
CUNINGO (user17)
AMOROSA (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
You use option --show to display recovered passwords:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::
The command for NT hashes is almost the same:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out
This will never end (unless all passwords are recovered), because the password length is not limited like for LM hashes:
Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
1g 0:00:00:11 0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V (user21)
cuningo (user17)
aS (user22)
4g 0:00:01:17 0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).
First we use the rockyou wordlist to crack the LM hashes:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out
Option --wordlist specifies the wordlist to use, and option --pot specifies the pot file I want to create/use.
Output:
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
RACHELL (user03:1)
AMOROSA (user07:1)
BEAUFOR (user10:1)
GIRLISH (user06:1)
2020 (user06:2)
1 (user09:2)
007 (user12:2)
THURLOW (user09:1)
OVEJA (user07:2)
EANNE (user03:2)
AS (user22)
MAISIE2 (user12:1)
F (user29:2)
ZORDIC7 (user04)
YELIZ6 (user14)
TADOB (user15)
R (user28:2)
LM11819 (user16:1)
KURT!!! (user05)
CUNINGO (user17)
LZAC08@ (user19)
FEPARAG (user20:1)
4537584 (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And then we use option --show to display the (partially) recovered passwords:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out
Output:
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::
24 password hashes cracked, 23 left
Cracking NTLM hashes is done with a similar command, it’s just the name of the files that changes:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out
Output:
Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1 (user10)
thurlow1 (user09)
rachelleanne (user03)
maisie2007 (user12)
maiseythorne2007 (user13)
zordic7 (user04)
yeliz6 (user14)
tadob (user15)
lm1181992 (user16)
kurt!!! (user05)
girlish2020 (user06)
cuningo (user17)
amorosaoveja (user07)
Lzac08@ (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON (user20)
453758487l (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s 000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed
And then we use option --show to display the recovered passwords:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out
Output:
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::
20 password hashes cracked, 23 left
When you have LM and NTLM hashes, you can first crack the LM hashes and then use the recovered passwords to crack the NTLM hashes.
File hashcat-mask-lm.pot contains the passwords we recovered from brute-forcing the LM hashes.
This command creates file lm-results.txt:
hashcat-3.00\hashcat64.exe -m 3000 --username --show --potfile-path hashcat-mask-lm.pot --outfile-format 2 --outfile lm-results.txt lm.ocl.out
Content of lm-results.txt:
Administrator:ROOT1$
user01:123456
user03:RACHELLEANNE
user04:ZORDIC7
user05:KURT!!!
user06:GIRLISH2020
user07:AMOROSAOVEJA
user08:453758487L
user09:THURLOW1
user10:BEAUFORT1
user12:MAISIE2007
user14:YELIZ6
user15:TADOB
user16:LM1181992
user17:CUNINGO
user19:LZAC08@
user20:FEPARAGON
user21:V
user22:AS
user23:Y6G
user24:*QFT
user25:*VQC(
user26:976B0
user27:XJW*WL
user28:A9LT5J$R
user29:CRX3#W+F
user30:F-62RQTO@M
user31:8N)IMRGQ57_
user32:43PDLBR8TS#V
user33:B#F1HVU@QZ7NK
user34:WBJ_PVTZ6I42AV
The passwords are uppercase since they are recovered from LM hashes.
Now let’s extract the passwords:
gawk.exe -F : "{print $2}" < lm-results.txt > lm-passwords.txt
Result:
ROOT1$
123456
RACHELLEANNE
ZORDIC7
KURT!!!
GIRLISH2020
AMOROSAOVEJA
453758487L
THURLOW1
BEAUFORT1
MAISIE2007
YELIZ6
TADOB
LM1181992
CUNINGO
LZAC08@
FEPARAGON
V
AS
Y6G
*QFT
*VQC(
976B0
XJW*WL
A9LT5J$R
CRX3#W+F
F-62RQTO@M
8N)IMRGQ57_
43PDLBR8TS#V
B#F1HVU@QZ7NK
WBJ_PVTZ6I42AV
And now we can use this list of passwords for a dictionary attack on the NTLM hashes. But passwords recovered from NTLM hashes can contain lowercase and uppercase letters. So we need to generate all possible combinations of lowercase and uppercase letters for our password list. This can be done with the toggle rule file toggles-lm-ntlm.rule I created with this new tool.
hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-lm-passwords-nt.pot --username --rules toggles-lm-ntlm.rule nt.ocl.out lm-passwords.txt
Output:
hashcat (v3.00-1-g67a8d97) starting...
OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped
Hashes: 43 hashes; 43 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 16384
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled
Cache-hit dictionary stats lm-passwords.txt: 274 bytes, 31 words, 507904 keyspace
ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed
INFO: approaching final keyspace, workload adjusted
32ed87bdb5fdc5e9cba88547376818d4:123456
9180c11efd4cb6149557f59b0cf80573:FEPARAGON
adc5df4b1f4a1b2501bbeef236f5be92:V
b6c0168748dcdba30141914c959d9f8c:Y6G
2a3d0e353eadfb8c7b5d7d503efad47d:aS
e14af367857363b0f16418bcce9f96b9:*qFT
a474953d36f287fefc73f8917ca27290:8N)IMRgQ57_
024b7f87b902332ac1369f2fd1a1d4e9:976b0
458d16d08f6ba7c5c61cd3850b704015:A9LT5J$r
81ed9d39c208fb710f16fd01df2c5ea3:453758487l
f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
23f8c70f8c51c5535e4ef372ffe9500a:XjW*wL
c57128805cc3e445a338126080ce52bb:*Vqc(
80fadb7eb493333387c36c3a30a86a9c:43PDlBR8tS#V
c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
eb37f9cd74303274cb923442a7348ef4:Root1$
85ec40bb1fadfcd4f1cdd8f5c745338a:Crx3#W+f
584c3288cdb9249191d01028fc3c1d06:F-62RqTo@m
336413710df33e5d6ef4ba82ba762543:kurt!!!
2fce06c6e6303f0850416dfe57f809ac:WBJ_Pvtz6i42AV
7f5ab070d31e61251ab4ef78b6601941:yeliz6
0794f987708fd36dc158c3435d1e9d65:tadob
3081116936973f2a1019178a085e77cd:maisie2007
2a54f9c00701830e44923a19eea7df62:zordic7
236ff73b5ec46c68c37d27d51bd4fa8f:b#f1HvU@Qz7nk
0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
5bd6fddd235507a2baf82843b6174b4e:cuningo
8810b6cff094d7bbfa9254a47e460e8c:girlish2020
c1d5ff9561074a64e8164745f7e057a3:beaufort1
9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
d10107259670c218d8389bb05a6ca9a5:amorosaoveja
Session.Name...: hashcat
Status.........: Exhausted
Rules.Type.....: File (toggles-lm-ntlm.rule)
Input.Mode.....: File (lm-passwords.txt)
Hash.Target....: File (nt.ocl.out)
Hash.Type......: NTLM
Time.Started...: Fri Jul 15 23:02:55 2016 (1 sec)
Speed.Dev.#1...: 468.3 kH/s (0.24ms)
Recovered......: 31/43 (72.09%) Digests, 0/1 (0.00%) Salts
Progress.......: 507904/507904 (100.00%)
Rejected.......: 0/507904 (0.00%)
Started: Fri Jul 15 23:02:55 2016
Stopped: Fri Jul 15 23:02:59 2016
And finally, we can display the result:
hashcat-3.00\hashcat64.exe -m 1000 --potfile-path hashcat-lm-passwords-nt.pot --username --show nt.ocl.out
Output:
hashcat (v3.00-1-g67a8d97) starting...
Administrator:eb37f9cd74303274cb923442a7348ef4:Root1$
user01:32ed87bdb5fdc5e9cba88547376818d4:123456
user03:9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
user04:2a54f9c00701830e44923a19eea7df62:zordic7
user05:336413710df33e5d6ef4ba82ba762543:kurt!!!
user06:8810b6cff094d7bbfa9254a47e460e8c:girlish2020
user07:d10107259670c218d8389bb05a6ca9a5:amorosaoveja
user08:81ed9d39c208fb710f16fd01df2c5ea3:453758487l
user09:0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
user10:c1d5ff9561074a64e8164745f7e057a3:beaufort1
user12:3081116936973f2a1019178a085e77cd:maisie2007
user14:7f5ab070d31e61251ab4ef78b6601941:yeliz6
user15:0794f987708fd36dc158c3435d1e9d65:tadob
user16:f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
user17:5bd6fddd235507a2baf82843b6174b4e:cuningo
user19:c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
user20:9180c11efd4cb6149557f59b0cf80573:FEPARAGON
user21:adc5df4b1f4a1b2501bbeef236f5be92:V
user22:2a3d0e353eadfb8c7b5d7d503efad47d:aS
user23:b6c0168748dcdba30141914c959d9f8c:Y6G
user24:e14af367857363b0f16418bcce9f96b9:*qFT
user25:c57128805cc3e445a338126080ce52bb:*Vqc(
user26:024b7f87b902332ac1369f2fd1a1d4e9:976b0
user27:23f8c70f8c51c5535e4ef372ffe9500a:XjW*wL
user28:458d16d08f6ba7c5c61cd3850b704015:A9LT5J$r
user29:85ec40bb1fadfcd4f1cdd8f5c745338a:Crx3#W+f
user30:584c3288cdb9249191d01028fc3c1d06:F-62RqTo@m
user31:a474953d36f287fefc73f8917ca27290:8N)IMRgQ57_
user32:80fadb7eb493333387c36c3a30a86a9c:43PDlBR8tS#V
user33:236ff73b5ec46c68c37d27d51bd4fa8f:b#f1HvU@Qz7nk
user34:2fce06c6e6303f0850416dfe57f809ac:WBJ_Pvtz6i42AV
As you can see, we recovered all passwords shorter than 15 characters.
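To show how little work remains for the NTLM hash once the LM password is known, here is a Python sketch that counts the case variants left per password and checks the figures hashcat printed above (Rules: 16384, 507904 keyspace for 31 words). It is an added example, not part of the original post or of the toggle rule tool; the function names are hypothetical, the sample pairs are copied from the listings above, and the reading of 16384 as one rule per subset of 14 character positions is an assumption drawn from that output.

```python
"""Size the NTLM search space left once an LM password is known (added example)."""
from itertools import product

LM_MAX_LEN = 14  # LM hashes only exist for passwords of up to 14 characters

# Constructed sample: a few user:password pairs copied from the listings above.
LM_RESULTS = """\
Administrator:ROOT1$
user01:123456
user19:LZAC08@
user22:AS
user34:WBJ_PVTZ6I42AV
"""
NT_PASSWORDS = {
    "Administrator": "Root1$",
    "user01": "123456",
    "user19": "Lzac08@",
    "user22": "aS",
    "user34": "WBJ_Pvtz6i42AV",
}


def parse_results(text):
    """Parse user:password lines, splitting on the first colon only,
    so a password that itself contains ':' is kept intact."""
    pairs = {}
    for line in text.splitlines():
        if line.strip():
            user, _, password = line.partition(":")
            pairs[user] = password
    return pairs


def cased_positions(password):
    """Indexes of characters that have distinct lower and upper case forms."""
    return [i for i, c in enumerate(password) if c.lower() != c.upper()]


def candidate_count(password):
    """Number of distinct case variants: 2 per cased letter."""
    return 2 ** len(cased_positions(password))


def case_variants(password):
    """Yield every lower/upper case variant of an LM-recovered password."""
    choices = [(c.lower(), c.upper()) if c.lower() != c.upper() else (c,)
               for c in password]
    for combo in product(*choices):
        yield "".join(combo)


def rule_keyspace(words, max_len=LM_MAX_LEN):
    """Keyspace when every word is tried with every subset of toggle positions
    (assumption: this is how the 16384 rules reported by hashcat are built)."""
    return words * 2 ** max_len


def audit(lm_text, nt_passwords):
    """Per account: letters, remaining candidates, and whether the NT password
    is one of the case variants of the LM password."""
    rows = []
    for user, lm_pw in parse_results(lm_text).items():
        rows.append({
            "user": user,
            "length": len(lm_pw),
            "letters": len(cased_positions(lm_pw)),
            "candidates": candidate_count(lm_pw),
            "nt_in_candidates": nt_passwords.get(user) in set(case_variants(lm_pw)),
        })
    return rows


if __name__ == "__main__":
    for row in audit(LM_RESULTS, NT_PASSWORDS):
        print(row)
    print("rule keyspace for 31 words:", rule_keyspace(31))
```

Even the 14-character password of user34 leaves only 1024 candidates, which is why storing LM hashes exposes every password shorter than 15 characters regardless of its NTLM hash.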
Here is an overview of content I published in June:
Blog posts: