After cracking the LM hashes we extracted from our Active Directory database file with a wordlist, we will now perform a brute-force attack on the LM hashes.
This is the command:
hashcat-3.00\hashcat64.exe -a 3 -m 3000 --potfile-path hashcat-mask-lm.pot --username -1 ?u?d?s --increment lm.ocl.out ?1?1?1?1?1?1?1
Some of the options and arguments are the same as for the wordlist attack; I will explain what is different:
Option -a 3 instructs hashcat to perform a brute-force attack (a mask attack). A mask attack is a brute-force attack where you specify a mask that describes the candidate passwords. The characters used in candidate passwords for LM hashes can be anything except lowercase letters, because the LM hash algorithm converts the password to uppercase before hashing it. So the mask we specify needs to instruct hashcat to try uppercase letters, digits and special characters.
We do this by specifying a user-defined character set:
-1 ?u?d?s
This specifies that user-defined character set 1 is composed of uppercase letters (?u), digits (?d) and special characters (?s).
An LM hash is composed of 2 independent parts; each part represents up to 7 characters of the password (the two halves of a password of up to 14 characters). This is what hashcat will crack: each 7-character part separately. So our mask is ?1?1?1?1?1?1?1. This instructs hashcat to use user-defined character set 1 for the first character in the candidate password (?1), the second character (?1), … until the seventh character (?1).
This mask only generates candidate passwords of exactly 7 characters. But we also need to test passwords of 1 character, 2 characters, … and 6 characters. Therefore we use option --increment, which makes hashcat run the mask for each length from 1 up to the full mask length.
Cracking LM hashes is very fast because the algorithm is based on DES and because we only need to test passwords of up to 7 characters per half. On a dedicated machine with GPUs, it can take less than an hour. Even on an old desktop with just an Intel HD Graphics 4500 it will take a bit less than 3 days.
Here is the output:
hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
- Device #1: GeForce GTX 650, 256/1024 MB allocatable, 2MCU
- Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
             See the wiki on how to disable it: https://hashcat.net/wiki/doku.php?id=timeout_patch

Hashes: 62 hashes; 48 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
  The cracking speed will drop.
  Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

c2265b23734e0dac:1
aad3b435b51404ee:
944e2df489a880e4:R
1104594f8c2ef12b:F
fdcfc2afb2d1be34:V

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1) [1]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...: 0 H/s (0.48ms)
Recovered......: 5/48 (10.42%) Digests, 0/1 (0.00%) Salts
Progress.......: 69/69 (100.00%)
Rejected.......: 0/69 (0.00%)

ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
  The cracking speed will drop.
  Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

9fdfa4280126e140:AS
27bcbf149915a329:T1
158759f68c114883:92
8358f3d2c80c1dc5:ON

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1) [2]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...: 23935 H/s (0.75ms)
Recovered......: 9/48 (18.75%) Digests, 0/1 (0.00%) Salts
Progress.......: 4761/4761 (100.00%)
Rejected.......: 0/4761 (0.00%)

7a01665eb2eb6c14:007
036d85e885962cfa:O@M
c3f5ba53c6ea977d:87L
b273d8f0d4cb5bbc:Y6G

INFO: approaching final keyspace, workload adjusted

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1) [3]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...: 1321.8 kH/s (9.05ms)
Recovered......: 13/48 (27.08%) Digests, 0/1 (0.00%) Salts
Progress.......: 328509/328509 (100.00%)
Rejected.......: 0/328509 (0.00%)

19d76dfe3931be22:2020
6d91129363e71245:*QFT
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>
After hashcat finishes running, you can display the recovered passwords with this command:
hashcat-3.00\hashcat64.exe -m 3000 --show --username --potfile-path hashcat-mask-lm.pot lm.ocl.out
Here is the output:
hashcat (v3.00-1-g67a8d97) starting...

Administrator:111f37ed915c5716aad3b435b51404ee:ROOT1$
user01:44efce164ab921caaad3b435b51404ee:123456
user03:56c94ea187dbb8d6d4b8a9676de6053e:RACHELLEANNE
user04:58ee1ecfcb1952c1aad3b435b51404ee:ZORDIC7
user05:22d8afdd59cc02d1aad3b435b51404ee:KURT!!!
user06:843201b3eec511e619d76dfe3931be22:GIRLISH2020
user07:d0d0b0a89785fea7dacc48edf1058ae1:AMOROSAOVEJA
user08:eb9fdbf6dde9d8a3c3f5ba53c6ea977d:453758487L
user09:ee3c975e9312263ac2265b23734e0dac:THURLOW1
user10:e69e57fcbfc3742627bcbf149915a329:BEAUFORT1
user12:3c152122664981d07a01665eb2eb6c14:MAISIE2007
user14:6595863b3f65214eaad3b435b51404ee:YELIZ6
user15:8dfa87789573aa6caad3b435b51404ee:TADOB
user16:bfa8b0f05b2ce944158759f68c114883:LM1181992
user17:63aa06ca844a0123aad3b435b51404ee:CUNINGO
user19:078198d4eefc6c55aad3b435b51404ee:LZAC08@
user20:44f388db34bb96628358f3d2c80c1dc5:FEPARAGON
user21:fdcfc2afb2d1be34aad3b435b51404ee:V
user22:9fdfa4280126e140aad3b435b51404ee:AS
user23:b273d8f0d4cb5bbcaad3b435b51404ee:Y6G
user24:6d91129363e71245aad3b435b51404ee:*QFT
user25:9ad12257392cdacaaad3b435b51404ee:*VQC(
user26:12bd073e0404ed39aad3b435b51404ee:976B0
user27:d12e81eacd737b89aad3b435b51404ee:XJW*WL
user28:adfc3aa0a57f3d1e944e2df489a880e4:A9LT5J$R
user29:5971713f415d2ff41104594f8c2ef12b:CRX3#W+F
user30:9ede745407ca42b2036d85e885962cfa:F-62RQTO@M
user31:3ceb8cc097f4b3bc274d6a66ff41a32b:8N)IMRGQ57_
user32:863a6a296d3d379888d84c068ac05e0a:43PDLBR8TS#V
user33:e7c148e3c455aa1f8138c5e16c20cfc5:B#F1HVU@QZ7NK
user34:c8e4acdacab3b81243b673bc86137536:WBJ_PVTZ6I42AV
As you can see, we cracked all LM hashes.
Remark: if your output is slightly different (e.g. some of the passwords have an extra character appended), then that’s because of a bug in hashcat 3.00.
Cracking NTLM hashes with a mask attack is almost the same as cracking LM hashes. Here is the command:
hashcat-3.00\hashcat64.exe -a 3 -m 1000 --potfile-path hashcat-mask-nt.pot --username -1 ?u?l?d?s --increment nt.ocl.out ?1?1?1?1?1?1?1?1
The differences are the hash type (-m 1000), the character set, which now includes lowercase letters (?l), and the mask, which now covers 8 characters (?1?1?1?1?1?1?1?1). I’m not using candidate passwords longer than 8 characters, because it would take too long to test the complete keyspace.
Character set ?u?l?d?s is also available as the built-in character set ?a, so we can omit the user-defined character set, like this:
hashcat-3.00\hashcat64.exe -a 3 -m 1000 --potfile-path hashcat-mask-nt.pot --increment nt.ocl.out ?a?a?a?a?a?a?a?a
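To make the difference between the LM mask (-1 ?u?d?s with --increment over 7 positions) and the NTLM mask (?a over 8 positions) concrete, here is a small mask keyspace calculator. It is an added example written for this page, not code from the post or from hashcat; it assumes hashcat's documented built-in sets (?l, ?u, ?d, ?s with 33 characters, ?a = all 95) and reproduces the Progress totals shown in the output above (69, 4761, 328509).

```python
import string

# hashcat built-in character sets (sizes: ?l 26, ?u 26, ?d 10, ?s 33, ?a 95)
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits,
           "s": " " + string.punctuation}  # ?s is space plus the 32 ASCII punctuation marks
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]

def tokenize(mask):
    """Split a mask into per-position tokens: '?x' placeholders or literal characters."""
    tokens, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        tokens.append(mask[i:i + step])
        i += step
    return tokens

def expand_charset(spec, custom=None):
    """Set of characters covered by a charset spec such as '?u?d?s', '?1' or a literal."""
    chars = set()
    for tok in tokenize(spec):
        if len(tok) == 2 and tok[1] in BUILTIN:
            chars.update(BUILTIN[tok[1]])
        elif len(tok) == 2 and tok[1] in (custom or {}):
            chars.update(expand_charset(custom[tok[1]]))  # user-defined set, e.g. -1 ?u?d?s
        elif tok.startswith("?"):
            raise ValueError("unknown charset " + tok)
        else:
            chars.add(tok)                                # literal character in the mask
    return chars

def keyspace(mask, custom=None, increment=False):
    """Candidates for a mask; with increment=True, summed over lengths 1..len(mask) like --increment."""
    sizes = [len(expand_charset(tok, custom)) for tok in tokenize(mask)]
    total, running = 0, 1
    for size in sizes:          # ?1, then ?1?1, then ?1?1?1, ... each length is exhausted in turn
        running *= size
        total += running
    return total if increment else running

def lm_vs_ntlm():
    """Keyspaces of the two attacks on the page: LM (-1 ?u?d?s, 7 positions) and NTLM (?a, 8 positions)."""
    lm_custom = {"1": "?u?d?s"}
    return {
        "lm_charset": len(expand_charset("?1", lm_custom)),        # 69 = 26 + 10 + 33
        "lm_len3": keyspace("?1?1?1", lm_custom),                   # 328509, hashcat's Progress for mask [3]
        "lm_total": keyspace("?1" * 7, lm_custom, increment=True),  # one LM half: about 7.6e12 candidates
        "nt_total": keyspace("?a" * 8, increment=True),             # about 6.7e15, roughly 890 times more
    }
```

The roughly 890-fold gap is the whole story of why LM hashes must not be stored at all: the 7-character halves turn a 14-character password into two tiny searches, while even the truncated 8-character NTLM search is already far larger.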
[…] The fourth part of the series covers cracking passwords using a brute force method in hashcat. The commands provided will bruteforce LM and NTLM passwords (in time, depending on the power of your CPU/GPUs). Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force […]
Pingback by Week 28 – 2016 – This Week In 4n6 — Sunday 17 July 2016 @ 12:52
[…] File hashcat-mask-lm.pot contains the passwords we recovered from brute-forcing the LM hashes. […]
Pingback by Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM | Didier Stevens — Monday 18 July 2016 @ 0:00
[…] Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force […]
Pingback by Practice ntds.dit File Overview | Didier Stevens — Monday 25 July 2016 @ 9:15
[…] Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force […]
Pingback by Overview of Content Published In July | Didier Stevens — Monday 1 August 2016 @ 0:00