Didier Stevens

Friday 12 August 2016

mimikatz: Golden Ticket + DCSync

Filed under: Encryption — Didier Stevens @ 8:04

This blog post aims to provide a bit more information about what Benjamin Delpy wrote in this tweet:

[Screenshot: 20160805-092138]

For this demo I run mimikatz as a least-privilege local user on a Windows workstation that is a member of my demo domain. The first step is to generate and use a golden ticket to obtain domain admin rights. The second step is to use dcsync to retrieve hashes from the domain controller.

As a freshly logged-on local user, I have no tickets:

[Screenshot: 20160805-090019]

Then I create a golden ticket for the domain admin:

[Screenshots: 20160805-090730, 20160805-090713]

And I use it:

[Screenshot: 20160805-090827]

Now my least-privilege local user is impersonating the domain administrator:

[Screenshot: 20160805-090904]

Then I retrieve the hashes for user user01 from the domain controller via the DRSR protocol:

[Screenshot: 20160805-091005]

Compare the LM and NTLM hashes with the hashes in this blogpost: they are the same.

All the arguments (krbtgt, domain, domain admin username, domain SID) needed for the kerberos::golden command can be extracted from the ntds.dit file we obtained. More info on alternative methods to obtain the arguments can be found here.

@gentilkiwi told me that the domain admin username and RID can also be faked, as long as it is part of the domain admins group. It will work for about 20 minutes without checks.

If we don’t have the necessary rights (for example domain admin) to query a DC with DRSR, we get an error 5 (access denied):

[Screenshot: 20160805-090342]

You also get this error when the krbtgt NTLM hash has changed. The ptt command will seem to succeed, however:

[Screenshot: 20160805-121604]

Remember that unless the password for user krbtgt is changed (which is not a standard practice), the krbtgt NTLM hash never changes. So even very old copies of ntds.dit can be used to recover hashes as described in this method.

The ticket is stored in a file, encoded with ASN.1:

[Screenshot: 20160805-100151]

Benjamin has a YARA rule (mimikatz_kirbi_ticket) to detect such tickets:

[Screenshot: 20160805-101142]

Unfortunately, the mimikatz I use (version 2.1) uses another asn1 encoder and the rule no longer works.

Until Benjamin makes a more generic rule, you can use this updated rule:

rule mimikatz_kirbi_ticket
{
	meta:
		description		= "KiRBi ticket for mimikatz"
		author			= "Benjamin DELPY (gentilkiwi); Didier Stevens"

	strings:
		$asn1			= { 76 82 ?? ?? 30 82 ?? ?? a0 03 02 01 05 a1 03 02 01 16 }
		$asn1_84		= { 76 84 ?? ?? ?? ?? 30 84 ?? ?? ?? ?? a0 84 00 00 00 03 02 01 05 a1 84 00 00 00 03 02 01 16 }

	condition:
		$asn1 at 0 or $asn1_84 at 0
}
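As an added example (not code from the original post or from mimikatz), this Python check parses the BER length fields of the KRB-CRED header instead of hard-coding them, so it covers both encodings in the rule and goes beyond them to any other definite-length form. The sample headers are constructed placeholders, and `rule_matches` is a regex transcription of the two rule strings, included only for comparison.

```python
import re

KRB_CRED_TAG = 0x76  # [APPLICATION 22], constructed (RFC 4120 KRB-CRED)
SEQUENCE_TAG = 0x30
INTEGER_TAG = 0x02
PVNO_TAG = 0xA0      # [0] pvno, always 5
MSG_TYPE_TAG = 0xA1  # [1] msg-type, 22 (0x16) for KRB-CRED

# Regex transcription of the two strings in the YARA rule, for comparison only.
RULE_82 = re.compile(
    rb"\x76\x82.{2}\x30\x82.{2}\xa0\x03\x02\x01\x05\xa1\x03\x02\x01\x16", re.DOTALL)
RULE_84 = re.compile(
    rb"\x76\x84.{4}\x30\x84.{4}\xa0\x84\x00\x00\x00\x03\x02\x01\x05"
    rb"\xa1\x84\x00\x00\x00\x03\x02\x01\x16", re.DOTALL)


class NotKirbi(ValueError):
    """Raised when the bytes do not follow the expected KRB-CRED layout."""


def rule_matches(data):
    """True when either rule string matches at offset 0, as in the rule's condition."""
    return bool(RULE_82.match(data) or RULE_84.match(data))


def read_header(data, pos, expected_tag):
    """Read tag and length at pos; return (content_length, content_offset)."""
    if pos + 2 > len(data) or data[pos] != expected_tag:
        raise NotKirbi("missing or unexpected tag")
    first = data[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the length is the octet itself
        return first, pos
    count = first & 0x7F                  # long form: 0x81..0x84 give 1..4 length octets
    if count == 0 or count > 4 or pos + count > len(data):
        raise NotKirbi("indefinite, oversized or truncated length")
    return int.from_bytes(data[pos:pos + count], "big"), pos + count


def read_tagged_int(data, pos, context_tag):
    """Parse an explicitly tagged INTEGER; return (value, offset after it)."""
    outer_len, pos = read_header(data, pos, context_tag)
    end = pos + outer_len
    int_len, pos = read_header(data, pos, INTEGER_TAG)
    if not 1 <= int_len <= 4 or pos + int_len != end or end > len(data):
        raise NotKirbi("malformed INTEGER")
    return int.from_bytes(data[pos:end], "big", signed=True), end


def is_kirbi_header(data):
    """True when data starts with KRB-CRED { pvno 5, msg-type 22 } in any length form."""
    try:
        app_len, app_start = read_header(data, 0, KRB_CRED_TAG)
        seq_len, seq_start = read_header(data, app_start, SEQUENCE_TAG)
        if seq_start + seq_len > app_start + app_len:
            raise NotKirbi("SEQUENCE overruns its wrapper")
        pvno, pos = read_tagged_int(data, seq_start, PVNO_TAG)
        msg_type, _ = read_tagged_int(data, pos, MSG_TYPE_TAG)
    except NotKirbi:
        return False
    return pvno == 5 and msg_type == 22


def tlv(tag, content, len_octets=0):
    """Encode one TLV; len_octets=0 is short form, 1..4 forces 0x81..0x84."""
    if len_octets == 0:
        return bytes([tag, len(content)]) + content
    return (bytes([tag, 0x80 | len_octets])
            + len(content).to_bytes(len_octets, "big") + content)


def build_sample(outer, inner, app_tag=KRB_CRED_TAG, msg_type=22):
    """Constructed test header: empty placeholders stand in for tickets and enc-part."""
    pvno = tlv(PVNO_TAG, tlv(INTEGER_TAG, b"\x05"), inner)
    mtype = tlv(MSG_TYPE_TAG, tlv(INTEGER_TAG, bytes([msg_type])), inner)
    rest = (tlv(0xA2, tlv(SEQUENCE_TAG, b""), inner)
            + tlv(0xA3, tlv(SEQUENCE_TAG, b""), inner))
    return tlv(app_tag, tlv(SEQUENCE_TAG, pvno + mtype + rest, outer), outer)


# Constructed samples, not real tickets.
SAMPLE_82 = build_sample(2, 0)            # layout matched by $asn1
SAMPLE_84 = build_sample(4, 4)            # layout matched by $asn1_84
SAMPLE_81 = build_sample(1, 0)            # a length form neither rule string covers
OTHER_MSG = build_sample(2, 0, app_tag=0x6E, msg_type=14)  # different Kerberos message

if __name__ == "__main__":
    for name in ("SAMPLE_82", "SAMPLE_84", "SAMPLE_81", "OTHER_MSG"):
        blob = globals()[name]
        print(name, "parser:", is_kirbi_header(blob), "rule:", rule_matches(blob))
```
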

This ticket file is created on disk because I use kerberos::golden’s option /ticket:, but if I use option /ptt, the ticket is immediately passed, and not written to disk.

@gentilkiwi also told me that if you impersonate a domain controller account for kerberos::dcsync, then no events are logged.

Monday 8 August 2016

Howto CreateCertGUI: Create Your Own Certificate On Windows (OpenSSL Library)

Filed under: Encryption,My Software — Didier Stevens @ 0:00

I created a program with a graphical user interface to create a simple certificate. This program uses the OpenSSL library. Extract the program from the zip file (below) and run it:

[Screenshot: 20160807-232138]

You don’t have to install any dependencies, everything is linked into the program.

If you need more help, here is a video:

Download:

CreateCertGUI_V1_0_0_1.zip (https)
MD5: F5400736E7E38F30D35A02FEB6D99651
SHA256: 82D59AC494FEF1A8B219C591717359712C19E8845D02A457017045A9A4C3D989

And if you are interested, here is the source code:

CreateCertGUI_source_V1_0_0_1.zip (https)
MD5: 790CA083407032434A8DA1FF8AC1E512
SHA256: B15BB8A3504EF56D1C6C84CA181FFB6E5A73956EC79757C62B87B520C136AA2D

Saturday 30 July 2016

Video: ntds.dit: Extract Hashes With secretsdump.py

Filed under: Encryption — Didier Stevens @ 17:40

In this video I show an alternative to my blogpost on extracting hashes from the Active Directory database file ntds.dit.

I use secretsdump.py from Core Security’s impacket Python modules. The advantage is that this is a pure Python solution, and that it was able to automatically select the correct object ID. Dependencies are pycrypto and pyasn1.

Monday 25 July 2016

Practice ntds.dit File Overview

Filed under: Encryption — Didier Stevens @ 9:15

I published a sample Active Directory database file (ntds.dit) to practise hash extraction and password cracking. And I published several how-to blog posts.

Here is an overview:

Practice ntds.dit File Part 1

Practice ntds.dit File Part 2: Extracting Hashes

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force

Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Video: ntds.dit: Extract Hashes With secretsdump.py

Practice ntds.dit File Part 9: Extracting Password History Hashes

 

Thursday 21 July 2016

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

Using passwords recovered from LM hashes to crack NTLM hashes is easier with John the Ripper, because it comes with a rule (NT) to toggle all letter combinations:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=lm-passwords.txt --rules=NT --pot=john-lm-ntlm.pot nt.john.out

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32]
)
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
FEPARAGON        (user20)
V                (user21)
Y6G              (user23)
aS               (user22)
*qFT             (user24)
lm1181992        (user16)
976b0            (user26)
*Vqc(            (user25)
Root1$           (Administrator)
Lzac08@          (user19)
kurt!!!          (user05)
XjW*wL           (user27)
yeliz6           (user14)
tadob            (user15)
zordic7          (user04)
maisie2007       (user12)
8N)IMRgQ57_      (user31)
girlish2020      (user06)
thurlow1         (user09)
cuningo          (user17)
A9LT5J$r         (user28)
Crx3#W+f         (user29)
beaufort1        (user10)
43PDlBR8tS#V     (user32)
453758487l       (user08)
F-62RqTo@m       (user30)
WBJ_Pvtz6i42AV   (user34)
rachelleanne     (user03)
amorosaoveja     (user07)
b#f1HvU@Qz7nk    (user33)
31g 0:00:00:00 DONE (2016-07-18 22:19) 382.7g/s 426851p/s 426851c/s 6317KC/s wbj_pvtz6I42av..wbj_pvtz6i42av
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using --show:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-lm-ntlm.pot ad-database\kali\dump\nt.john.out

Administrator:Root1$:S-1-5-21-3188177830-2933342842-421106997-500::
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:aS:S-1-5-21-3188177830-2933342842-421106997-1127::
user23:Y6G:S-1-5-21-3188177830-2933342842-421106997-1128::
user24:*qFT:S-1-5-21-3188177830-2933342842-421106997-1129::
user25:*Vqc(:S-1-5-21-3188177830-2933342842-421106997-1130::
user26:976b0:S-1-5-21-3188177830-2933342842-421106997-1131::
user27:XjW*wL:S-1-5-21-3188177830-2933342842-421106997-1132::
user28:A9LT5J$r:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:Crx3#W+f:S-1-5-21-3188177830-2933342842-421106997-1134::
user30:F-62RqTo@m:S-1-5-21-3188177830-2933342842-421106997-1135::
user31:8N)IMRgQ57_:S-1-5-21-3188177830-2933342842-421106997-1136::
user32:43PDlBR8tS#V:S-1-5-21-3188177830-2933342842-421106997-1137::
user33:b#f1HvU@Qz7nk:S-1-5-21-3188177830-2933342842-421106997-1138::
user34:WBJ_Pvtz6i42AV:S-1-5-21-3188177830-2933342842-421106997-1139::

31 password hashes cracked, 12 left

 

Wednesday 20 July 2016

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode does not just try out the full key space; it follows an order based on trigraph frequencies to recover passwords as soon as possible.

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out

Working through the complete LM hash key space will take many days:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead

Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1                (user09:2)
2020             (user06:2)
AS               (user22)
F                (user29:2)
R                (user28:2)
LM11819          (user16:1)
V                (user21)
EANNE            (user03:2)
T1               (user10:2)
CUNINGO          (user17)
AMOROSA          (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

You use option --show to display recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

The command for NT hashes is almost the same:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out

This will never end (unless all passwords are recovered), because the password length is not limited like for LM hashes:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1g 0:00:00:11  0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V                (user21)
cuningo          (user17)
aS               (user22)
4g 0:00:01:17  0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

 

Tuesday 19 July 2016

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).

First we use the rockyou wordlist to crack the LM hashes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out

Option --wordlist specifies the wordlist to use, and option --pot specifies the pot file I want to create/use.

Output:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
RACHELL          (user03:1)
AMOROSA          (user07:1)
BEAUFOR          (user10:1)
GIRLISH          (user06:1)
2020             (user06:2)
1                (user09:2)
007              (user12:2)
THURLOW          (user09:1)
OVEJA            (user07:2)
EANNE            (user03:2)
AS               (user22)
MAISIE2          (user12:1)
F                (user29:2)
ZORDIC7          (user04)
YELIZ6           (user14)
TADOB            (user15)
R                (user28:2)
LM11819          (user16:1)
KURT!!!          (user05)
CUNINGO          (user17)
LZAC08@          (user19)
FEPARAG          (user20:1)
4537584          (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option --show to display the (partially) recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

24 password hashes cracked, 23 left

Cracking NTLM hashes is done with a similar command; only the names of the files change:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out

Output:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1        (user10)
thurlow1         (user09)
rachelleanne     (user03)
maisie2007       (user12)
maiseythorne2007 (user13)
zordic7          (user04)
yeliz6           (user14)
tadob            (user15)
lm1181992        (user16)
kurt!!!          (user05)
girlish2020      (user06)
cuningo          (user17)
amorosaoveja     (user07)
Lzac08@          (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON        (user20)
453758487l       (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s    000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option --show to display the recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::

20 password hashes cracked, 23 left

 

Monday 18 July 2016

Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

When you have LM and NTLM hashes, you can first crack the LM hashes and then use the recovered passwords to crack the NTLM hashes.

File hashcat-mask-lm.pot contains the passwords we recovered from brute-forcing the LM hashes.

This command creates file lm-results.txt:

hashcat-3.00\hashcat64.exe -m 3000 --username --show --potfile-path hashcat-mask-lm.pot --outfile-format 2 --outfile lm-results.txt lm.ocl.out

Content of lm-results.txt:

Administrator:ROOT1$
user01:123456
user03:RACHELLEANNE
user04:ZORDIC7
user05:KURT!!!
user06:GIRLISH2020
user07:AMOROSAOVEJA
user08:453758487L
user09:THURLOW1
user10:BEAUFORT1
user12:MAISIE2007
user14:YELIZ6
user15:TADOB
user16:LM1181992
user17:CUNINGO
user19:LZAC08@
user20:FEPARAGON
user21:V
user22:AS
user23:Y6G
user24:*QFT
user25:*VQC(
user26:976B0
user27:XJW*WL
user28:A9LT5J$R
user29:CRX3#W+F
user30:F-62RQTO@M
user31:8N)IMRGQ57_
user32:43PDLBR8TS#V
user33:B#F1HVU@QZ7NK
user34:WBJ_PVTZ6I42AV

The passwords are uppercase since they are recovered from LM hashes.
Now let’s extract the passwords:

gawk.exe -F : "{print $2}" < lm-results.txt > lm-passwords.txt

Result:

ROOT1$
123456
RACHELLEANNE
ZORDIC7
KURT!!!
GIRLISH2020
AMOROSAOVEJA
453758487L
THURLOW1
BEAUFORT1
MAISIE2007
YELIZ6
TADOB
LM1181992
CUNINGO
LZAC08@
FEPARAGON
V
AS
Y6G
*QFT
*VQC(
976B0
XJW*WL
A9LT5J$R
CRX3#W+F
F-62RQTO@M
8N)IMRGQ57_
43PDLBR8TS#V
B#F1HVU@QZ7NK
WBJ_PVTZ6I42AV

And now we can use this list of passwords for a dictionary attack on the NTLM hashes. But passwords recovered from NTLM hashes can contain lowercase and uppercase letters. So we need to generate all possible combinations of lowercase and uppercase letters for our password list. This can be done with the toggle rule file toggles-lm-ntlm.rule I created with this new tool.

hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-lm-passwords-nt.pot --username --rules toggles-lm-ntlm.rule nt.ocl.out lm-passwords.txt

Output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 43 hashes; 43 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 16384
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Cache-hit dictionary stats lm-passwords.txt: 274 bytes, 31 words, 507904 keyspace

ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
  The cracking speed will drop.
  Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

32ed87bdb5fdc5e9cba88547376818d4:123456
9180c11efd4cb6149557f59b0cf80573:FEPARAGON
adc5df4b1f4a1b2501bbeef236f5be92:V
b6c0168748dcdba30141914c959d9f8c:Y6G
2a3d0e353eadfb8c7b5d7d503efad47d:aS
e14af367857363b0f16418bcce9f96b9:*qFT
a474953d36f287fefc73f8917ca27290:8N)IMRgQ57_
024b7f87b902332ac1369f2fd1a1d4e9:976b0
458d16d08f6ba7c5c61cd3850b704015:A9LT5J$r
81ed9d39c208fb710f16fd01df2c5ea3:453758487l
f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
23f8c70f8c51c5535e4ef372ffe9500a:XjW*wL
c57128805cc3e445a338126080ce52bb:*Vqc(
80fadb7eb493333387c36c3a30a86a9c:43PDlBR8tS#V
c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
eb37f9cd74303274cb923442a7348ef4:Root1$
85ec40bb1fadfcd4f1cdd8f5c745338a:Crx3#W+f
584c3288cdb9249191d01028fc3c1d06:F-62RqTo@m
336413710df33e5d6ef4ba82ba762543:kurt!!!
2fce06c6e6303f0850416dfe57f809ac:WBJ_Pvtz6i42AV
7f5ab070d31e61251ab4ef78b6601941:yeliz6
0794f987708fd36dc158c3435d1e9d65:tadob
3081116936973f2a1019178a085e77cd:maisie2007
2a54f9c00701830e44923a19eea7df62:zordic7
236ff73b5ec46c68c37d27d51bd4fa8f:b#f1HvU@Qz7nk
0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
5bd6fddd235507a2baf82843b6174b4e:cuningo
8810b6cff094d7bbfa9254a47e460e8c:girlish2020
c1d5ff9561074a64e8164745f7e057a3:beaufort1
9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
d10107259670c218d8389bb05a6ca9a5:amorosaoveja

Session.Name...: hashcat
Status.........: Exhausted
Rules.Type.....: File (toggles-lm-ntlm.rule)
Input.Mode.....: File (lm-passwords.txt)
Hash.Target....: File (nt.ocl.out)
Hash.Type......: NTLM
Time.Started...: Fri Jul 15 23:02:55 2016 (1 sec)
Speed.Dev.#1...:   468.3 kH/s (0.24ms)
Recovered......: 31/43 (72.09%) Digests, 0/1 (0.00%) Salts
Progress.......: 507904/507904 (100.00%)
Rejected.......: 0/507904 (0.00%)

Started: Fri Jul 15 23:02:55 2016
Stopped: Fri Jul 15 23:02:59 2016

And finally, we can display the result:

hashcat-3.00\hashcat64.exe -m 1000 --potfile-path hashcat-lm-passwords-nt.pot --username --show nt.ocl.out

Output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:eb37f9cd74303274cb923442a7348ef4:Root1$
user01:32ed87bdb5fdc5e9cba88547376818d4:123456
user03:9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
user04:2a54f9c00701830e44923a19eea7df62:zordic7
user05:336413710df33e5d6ef4ba82ba762543:kurt!!!
user06:8810b6cff094d7bbfa9254a47e460e8c:girlish2020
user07:d10107259670c218d8389bb05a6ca9a5:amorosaoveja
user08:81ed9d39c208fb710f16fd01df2c5ea3:453758487l
user09:0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
user10:c1d5ff9561074a64e8164745f7e057a3:beaufort1
user12:3081116936973f2a1019178a085e77cd:maisie2007
user14:7f5ab070d31e61251ab4ef78b6601941:yeliz6
user15:0794f987708fd36dc158c3435d1e9d65:tadob
user16:f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
user17:5bd6fddd235507a2baf82843b6174b4e:cuningo
user19:c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
user20:9180c11efd4cb6149557f59b0cf80573:FEPARAGON
user21:adc5df4b1f4a1b2501bbeef236f5be92:V
user22:2a3d0e353eadfb8c7b5d7d503efad47d:aS
user23:b6c0168748dcdba30141914c959d9f8c:Y6G
user24:e14af367857363b0f16418bcce9f96b9:*qFT
user25:c57128805cc3e445a338126080ce52bb:*Vqc(
user26:024b7f87b902332ac1369f2fd1a1d4e9:976b0
user27:23f8c70f8c51c5535e4ef372ffe9500a:XjW*wL
user28:458d16d08f6ba7c5c61cd3850b704015:A9LT5J$r
user29:85ec40bb1fadfcd4f1cdd8f5c745338a:Crx3#W+f
user30:584c3288cdb9249191d01028fc3c1d06:F-62RqTo@m
user31:a474953d36f287fefc73f8917ca27290:8N)IMRgQ57_
user32:80fadb7eb493333387c36c3a30a86a9c:43PDlBR8tS#V
user33:236ff73b5ec46c68c37d27d51bd4fa8f:b#f1HvU@Qz7nk
user34:2fce06c6e6303f0850416dfe57f809ac:WBJ_Pvtz6i42AV

As you can see, we recovered all passwords shorter than 15 characters.

Friday 15 July 2016

Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

After cracking LM hashes we extracted from our Active Directory database file with a wordlist, we will perform a brute-force attack on the LM hashes.

This is the command:

hashcat-3.00\hashcat64.exe -a 3 -m 3000 --potfile-path hashcat-mask-lm.pot --username -1 ?u?d?s --increment lm.ocl.out ?1?1?1?1?1?1?1

Some of the options and arguments are the same as for the wordlist attack, so I will only explain what is different:

Option -a 3 instructs hashcat to perform a brute-force attack (a mask attack). A mask attack is a brute-force attack where you have to specify a mask for the candidate passwords. The characters used in candidate passwords for LM hashes can be anything, except lowercase letters (the LM hash algorithm uses uppercase letters). So the mask we specify needs to instruct hashcat to try uppercase letters, digits and special characters.

We do this by specifying a user-defined character set:

-1 ?u?d?s

This specifies that user-defined character set 1 is composed of uppercase letters (?u), digits (?d) and special characters (?s).

An LM hash is composed of 2 individual parts, and each part represents a password up to 7 characters long. This is what hashcat will crack. So our mask is ?1?1?1?1?1?1?1. This instructs hashcat to use user-defined character set 1 for the first character in the candidate password (?1), the second character (?1), … until the seventh character (?1).

This mask will only generate candidate passwords of 7 characters. But we also need to test passwords of 1 character, 2 characters, … and 6 characters. Therefore we use option --increment.

Cracking LM hashes is very fast because LM is based on DES and because we only need to test passwords up to 7 characters. On a dedicated machine with GPUs, it can take less than an hour. Even on an old desktop with just an Intel HD Graphics 4500 it will take a bit less than 3 days.

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: NVIDIA Corporation
======================================
- Device #1: GeForce GTX 650, 256/1024 MB allocatable, 2MCU
- Device #1: WARNING! Kernel exec timeout is not disabled, it might cause you errors of code 702
See the wiki on how to disable it: https://hashcat.net/wiki/doku.php?id=timeout_patch

Hashes: 62 hashes; 48 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 75c

ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

c2265b23734e0dac:1
aad3b435b51404ee:
944e2df489a880e4:R
1104594f8c2ef12b:F
fdcfc2afb2d1be34:V

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1) [1]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...:        0 H/s (0.48ms)
Recovered......: 5/48 (10.42%) Digests, 0/1 (0.00%) Salts
Progress.......: 69/69 (100.00%)
Rejected.......: 0/69 (0.00%)

ATTENTION!
The wordlist or mask you are using is too small.
Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
The cracking speed will drop.
Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

9fdfa4280126e140:AS
27bcbf149915a329:T1
158759f68c114883:92
8358f3d2c80c1dc5:ON

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1) [2]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...:    23935 H/s (0.75ms)
Recovered......: 9/48 (18.75%) Digests, 0/1 (0.00%) Salts
Progress.......: 4761/4761 (100.00%)
Rejected.......: 0/4761 (0.00%)

7a01665eb2eb6c14:007
036d85e885962cfa:O@M
c3f5ba53c6ea977d:87L
b273d8f0d4cb5bbc:Y6G
INFO: approaching final keyspace, workload adjusted


Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: Mask (?1?1?1) [3]
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: 0 secs
Speed.Dev.#1...:  1321.8 kH/s (9.05ms)
Recovered......: 13/48 (27.08%) Digests, 0/1 (0.00%) Salts
Progress.......: 328509/328509 (100.00%)
Rejected.......: 0/328509 (0.00%)

19d76dfe3931be22:2020
6d91129363e71245:*QFT
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

After hashcat finishes running, you can display the recovered passwords with this command:

hashcat-3.00\hashcat64.exe -m 3000 --show --username --potfile-path hashcat-mask-lm.pot lm.ocl.out

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:111f37ed915c5716aad3b435b51404ee:ROOT1$
user01:44efce164ab921caaad3b435b51404ee:123456
user03:56c94ea187dbb8d6d4b8a9676de6053e:RACHELLEANNE
user04:58ee1ecfcb1952c1aad3b435b51404ee:ZORDIC7
user05:22d8afdd59cc02d1aad3b435b51404ee:KURT!!!
user06:843201b3eec511e619d76dfe3931be22:GIRLISH2020
user07:d0d0b0a89785fea7dacc48edf1058ae1:AMOROSAOVEJA
user08:eb9fdbf6dde9d8a3c3f5ba53c6ea977d:453758487L
user09:ee3c975e9312263ac2265b23734e0dac:THURLOW1
user10:e69e57fcbfc3742627bcbf149915a329:BEAUFORT1
user12:3c152122664981d07a01665eb2eb6c14:MAISIE2007
user14:6595863b3f65214eaad3b435b51404ee:YELIZ6
user15:8dfa87789573aa6caad3b435b51404ee:TADOB
user16:bfa8b0f05b2ce944158759f68c114883:LM1181992
user17:63aa06ca844a0123aad3b435b51404ee:CUNINGO
user19:078198d4eefc6c55aad3b435b51404ee:LZAC08@
user20:44f388db34bb96628358f3d2c80c1dc5:FEPARAGON
user21:fdcfc2afb2d1be34aad3b435b51404ee:V
user22:9fdfa4280126e140aad3b435b51404ee:AS
user23:b273d8f0d4cb5bbcaad3b435b51404ee:Y6G
user24:6d91129363e71245aad3b435b51404ee:*QFT
user25:9ad12257392cdacaaad3b435b51404ee:*VQC(
user26:12bd073e0404ed39aad3b435b51404ee:976B0
user27:d12e81eacd737b89aad3b435b51404ee:XJW*WL
user28:adfc3aa0a57f3d1e944e2df489a880e4:A9LT5J$R
user29:5971713f415d2ff41104594f8c2ef12b:CRX3#W+F
user30:9ede745407ca42b2036d85e885962cfa:F-62RQTO@M
user31:3ceb8cc097f4b3bc274d6a66ff41a32b:8N)IMRGQ57_
user32:863a6a296d3d379888d84c068ac05e0a:43PDLBR8TS#V
user33:e7c148e3c455aa1f8138c5e16c20cfc5:B#F1HVU@QZ7NK
user34:c8e4acdacab3b81243b673bc86137536:WBJ_PVTZ6I42AV

As you can see we cracked all LM hashes.

Remark: if your output is slightly different (e.g. some of the passwords have an extra character appended), then that’s because of a bug in hashcat 3.00.
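The two-part structure described above can be checked without cracking anything. The following is an added example, not code from the original post: it splits each LM hash into its two halves and reads off the password length class, and it counts the distinct halves, which are the units hashcat works on. The username:lmhash layout and the function names are assumptions; the sample hashes are copied from the listing above.

```python
import string

# LM hash of an empty 7-character half; the listings above show it cracking to "".
EMPTY_HALF = "aad3b435b51404ee"

# Constructed sample: hashes copied from the --show listing above, in an
# assumed username:lmhash layout.
SAMPLE = """\
user01:44efce164ab921caaad3b435b51404ee
user03:56c94ea187dbb8d6d4b8a9676de6053e
user21:fdcfc2afb2d1be34aad3b435b51404ee
user22:9fdfa4280126e140aad3b435b51404ee
user34:c8e4acdacab3b81243b673bc86137536
"""

def split_lm(lm_hex):
    """Return the two 16-hex-digit halves of a 32-hex-digit LM hash."""
    lm_hex = lm_hex.strip().lower()
    if len(lm_hex) != 32 or not set(lm_hex) <= set(string.hexdigits):
        raise ValueError("not an LM hash: %r" % lm_hex)
    return lm_hex[:16], lm_hex[16:]

def classify(lm_hex):
    """What the hash reveals about the password before any cracking."""
    first, second = split_lm(lm_hex)
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "empty LM hash"
    if second == EMPTY_HALF:
        return "1-7 characters"
    return "8-14 characters"

def audit(text):
    """Map each user to a length class and collect the distinct halves."""
    report, halves = {}, set()
    for line in text.splitlines():
        if not line.strip():
            continue
        user, lm_hex = line.rsplit(":", 1)
        report[user] = classify(lm_hex)
        halves.update(split_lm(lm_hex))
    return report, halves

if __name__ == "__main__":
    report, halves = audit(SAMPLE)
    for user, verdict in report.items():
        print(user, verdict)
    print(len(report) * 2, "halves,", len(halves), "unique")
```

Any account that is not reported as "empty LM hash" still has an LM hash stored and is exposed to the attack shown in this post.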

Cracking NTLM hashes with a mask attack is almost the same as cracking LM hashes. Here is the command:

hashcat-3.00\hashcat64.exe -a 3 -m 1000 --potfile-path hashcat-mask-nt.pot --username -1 ?u?l?d?s --increment nt.ocl.out ?1?1?1?1?1?1?1?1

The differences are the hash type (-m 1000), a character set that includes lowercase letters (?l), and a mask of 8 characters (?1?1?1?1?1?1?1?1). I’m not using candidate passwords longer than 8 characters, because it would take too long to test the complete keyspace.

Character set ?u?l?d?s is also defined as ?a. So we can omit the use of a user-defined character set, like this:

hashcat-3.00\hashcat64.exe -a 3 -m 1000 --potfile-path hashcat-mask-nt.pot --increment nt.ocl.out ?a?a?a?a?a?a?a?a
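To see why the LM mask can be exhausted while the NTLM mask is capped at 8 characters, the keyspace of each --increment step can be computed from the mask. This is an added example, not code from the original post: the function names are my own, the character set sizes are those of hashcat's built-in sets, and a user-defined set is assumed to contain no overlapping sets. The first three LM steps reproduce the Progress values 69, 4761 and 328509 in the output above.

```python
# Sizes of hashcat's built-in charsets: ?l and ?u 26 letters each, ?d 10 digits,
# ?s 33 specials (space included), ?a all 95 printable ASCII characters.
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

def position_sizes(mask, custom=None):
    """Number of candidate characters at each position of a mask."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            if key == "?":            # ?? is a literal question mark
                sizes.append(1)
            elif key in BUILTIN:
                sizes.append(BUILTIN[key])
            elif key in custom:       # ?1 .. ?4 defined with -1 .. -4
                sizes.append(custom[key])
            else:
                raise ValueError("unknown charset ?" + key)
            i += 2
        else:                         # any other character stands for itself
            sizes.append(1)
            i += 1
    return sizes

def charset_size(definition):
    """Size of a -1 style definition such as ?u?d?s (sets assumed disjoint)."""
    return sum(position_sizes(definition))

def increment_keyspaces(mask, custom_defs=None):
    """Keyspace of each --increment step: mask cut to length 1, 2, ... n."""
    custom = {k: charset_size(v) for k, v in (custom_defs or {}).items()}
    steps, total = [], 1
    for size in position_sizes(mask, custom):
        total *= size
        steps.append(total)
    return steps

LM_STEPS = increment_keyspaces("?1" * 7, {"1": "?u?d?s"})   # mask used for LM
NT_STEPS = increment_keyspaces("?a" * 8)                    # mask used for NTLM

if __name__ == "__main__":
    print("LM steps:", LM_STEPS[:3], "... total", sum(LM_STEPS))
    print("NT total:", sum(NT_STEPS))
    print("NT/LM ratio: %.0f" % (sum(NT_STEPS) / sum(LM_STEPS)))
```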

 

Thursday 14 July 2016

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

Now we will use hashcat and the rockyou wordlist to crack the passwords for the hashes we extracted in part 2.

With this command we let hashcat work on the LM hashes we extracted:

hashcat-3.00\hashcat64.exe -a 0 -m 3000 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out rockyou.txt

Option -a 0 instructs hashcat to perform a straight attack.

Option -m 3000 informs hashcat that we provide LM hashes.

Option --username informs hashcat that the hash file lm.ocl.out includes usernames.

Argument lm.ocl.out is the hash file.

Argument rockyou.txt is the wordlist.

I also use option --potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 62 hashes; 48 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Final-Permutation
* Not-Iterated
* Single-Salt
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

aad3b435b51404ee:
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace

c2265b23734e0dac:1
944e2df489a880e4:R
1104594f8c2ef12b:F
9fdfa4280126e140:AS
56c94ea187dbb8d6:RACHELL
8358f3d2c80c1dc5:ON
27bcbf149915a329:T1
d0d0b0a89785fea7:AMOROSA
fdcfc2afb2d1be34:V
7a01665eb2eb6c14:007
e69e57fcbfc37426:BEAUFOR
158759f68c114883:92
843201b3eec511e6:GIRLISH
19d76dfe3931be22:2020
ee3c975e9312263a:THURLOW
dacc48edf1058ae1:OVEJA
d4b8a9676de6053e:EANNE
3c152122664981d0:MAISIE2
58ee1ecfcb1952c1:ZORDIC7
8dfa87789573aa6c:TADOB
bfa8b0f05b2ce944:LM11819
22d8afdd59cc02d1:KURT!!!
INFO: approaching final keyspace, workload adjusted


Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: File (rockyou.txt)
Hash.Target....: 88d84c068ac05e0a, c8e4acdacab3b812
Hash.Type......: LM
Time.Started...: Mon Jul 11 22:54:46 2016 (2 secs)
Speed.Dev.#1...:  5193.2 kH/s (13.32ms)
Recovered......: 23/48 (47.92%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343328/14343328 (100.00%)
Rejected.......: 0/14343328 (0.00%)

Started: Mon Jul 11 22:54:46 2016
Stopped: Mon Jul 11 22:54:52 2016

To display the cracked passwords, we use option --show:

hashcat-3.00\hashcat64.exe --show -m 3000 --outfile-format 2 --potfile-path hashcat-rockyou-lm.pot --username lm.ocl.out

Option --show instructs hashcat to display the cracked passwords.

Option -m 3000 informs hashcat that we provide LM hashes. This is necessary for --show.

Option --username informs hashcat that the hash file lm.ocl.out includes usernames.

Option --outfile-format 2 instructs hashcat to output the password without the hash.

Argument lm.ocl.out is the hash file.

I also use option --potfile-path to instruct hashcat to use a specific pot file (a file containing the cracked hashes with corresponding passwords).

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:[notfound]
user01:[notfound]
user03:RACHELLEANNE
user04:ZORDIC7
user05:KURT!!!
user06:GIRLISH2020
user07:AMOROSAOVEJA
user09:THURLOW1
user10:BEAUFORT1
user12:MAISIE2007
user14:[notfound]
user15:TADOB
user16:LM1181992
user17:[notfound]
user19:[notfound]
user20:[notfound]ON
user21:V
user22:AS
user23:[notfound]
user24:[notfound]
user25:[notfound]
user26:[notfound]
user27:[notfound]
user28:[notfound]R
user29:[notfound]F

As you can see, we cracked most of the passwords for users 1 through 20, except when the password is longer than 14 characters. Also note that all passwords are uppercase.

With this command we let hashcat work on the NTLM hashes we extracted:

hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-rockyou-nt.pot --username nt.ocl.out rockyou.txt

The options and arguments are almost the same as for the LM command, except:

Option -m 1000 informs hashcat that we provide NTLM hashes.

Argument nt.ocl.out is the hash file.

Here is the output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 43 hashes; 43 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Cache-hit dictionary stats rockyou.txt: 154179996 bytes, 14343328 words, 14343328 keyspace

32ed87bdb5fdc5e9cba88547376818d4:123456
e550853afc9a68106d73fd6680b25604:mychemicalromance
125fee170ce858738fc08d61291174ed:beautifulprincess
c1d5ff9561074a64e8164745f7e057a3:beaufort1
0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
3081116936973f2a1019178a085e77cd:maisie2007
3f77a049f85d9ecb089313d68dc64796:maiseythorne2007
2a54f9c00701830e44923a19eea7df62:zordic7
7f5ab070d31e61251ab4ef78b6601941:yeliz6
0794f987708fd36dc158c3435d1e9d65:tadob
f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
336413710df33e5d6ef4ba82ba762543:kurt!!!
8810b6cff094d7bbfa9254a47e460e8c:girlish2020
5bd6fddd235507a2baf82843b6174b4e:cuningo
d10107259670c218d8389bb05a6ca9a5:amorosaoveja
c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
8d15a7e3fe3271b73180de20f9532111:Horselover1493@hotmail.com
9180c11efd4cb6149557f59b0cf80573:FEPARAGON
INFO: approaching final keyspace, workload adjusted

81ed9d39c208fb710f16fd01df2c5ea3:453758487l

Session.Name...: hashcat
Status.........: Exhausted
Input.Mode.....: File (rockyou.txt)
Hash.Target....: File (nt.ocl.out)
Hash.Type......: NTLM
Time.Started...: Mon Jul 11 23:26:10 2016 (2 secs)
Speed.Dev.#1...:  6402.3 kH/s (12.17ms)
Recovered......: 20/43 (46.51%) Digests, 0/1 (0.00%) Salts
Progress.......: 14343328/14343328 (100.00%)
Rejected.......: 1150/14343328 (0.01%)

Started: Mon Jul 11 23:26:10 2016
Stopped: Mon Jul 11 23:26:17 2016

Note that this time we cracked all passwords for users 1 through 20 (also the ones longer than 14 characters), and with the proper case.
