Didier Stevens

Saturday 30 July 2016

Video: ntds.dit: Extract Hashes With secretsdump.py

Filed under: Encryption — Didier Stevens @ 17:40

In this video I show an alternative to my blogpost on extracting hashes from the Active Directory database file ntds.dit.

I use secretsdump.py from Core Security’s impacket Python modules. The advantage is that this is a pure Python solution, and that it was able to automatically select the correct object ID. Dependencies are pycrypto and pyasn1.

Bugfix: pdf-parser Version 0.6.5

Filed under: My Software,PDF,Update — Didier Stevens @ 16:19

This is a bugfix for pdf-parser. Streams were not properly extracted when they started with whitespace after the normal whitespace following the stream keyword.

pdf-parser_V0_6_5.zip (https)
MD5: 7F0880EB8A954979CA0ADAB2087E1C55
SHA256: E7D2CCA12CC43D626C53873CFF0BC0CE2875330FD5DBC8FB23B07396382DCC85

Friday 29 July 2016

Releasing rtfdump.py

Filed under: maldoc,My Software — Didier Stevens @ 8:59

Today I’m releasing my rtfdump.py tool to analyze RTF documents. I started working on it about a year ago, but I didn’t like the direction it took me in, and stopped working on it. About a week ago I started again with new samples, and I’m more satisfied now with the result.

I will post more information later. But if you want to get an idea how to use my tool, take a look at this analysis in SANS ISC Diary.

rtfdump_V0_0_2.zip (https)
MD5: 368CCACC556E283D5E1759ED5E164BFF
SHA256: DA9B0AB231B1ADBC1083FC0F915A789EF19A5F7540C317CFA80BF3DE038C7952

Monday 25 July 2016

Practice ntds.dit File Overview

Filed under: Encryption — Didier Stevens @ 9:15

I published a sample Active Directory database file (ntds.dit) to practise hash extraction and password cracking. And I published several how-to blog posts.

Here is an overview:

Practice ntds.dit File Part 1

Practice ntds.dit File Part 2: Extracting Hashes

Practice ntds.dit File Part 3: Password Cracking With hashcat – Wordlist

Practice ntds.dit File Part 4: Password Cracking With hashcat – Brute-force

Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

 

Thursday 21 July 2016

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

Using passwords recovered from LM hashes to crack NTLM hashes is easier with John the Ripper, because it comes with a rule (NT) to toggle all letter combinations:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=lm-passwords.txt --rules=NT --pot=john-lm-ntlm.pot nt.john.out

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32]
)
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
FEPARAGON        (user20)
V                (user21)
Y6G              (user23)
aS               (user22)
*qFT             (user24)
lm1181992        (user16)
976b0            (user26)
*Vqc(            (user25)
Root1$           (Administrator)
Lzac08@          (user19)
kurt!!!          (user05)
XjW*wL           (user27)
yeliz6           (user14)
tadob            (user15)
zordic7          (user04)
maisie2007       (user12)
8N)IMRgQ57_      (user31)
girlish2020      (user06)
thurlow1         (user09)
cuningo          (user17)
A9LT5J$r         (user28)
Crx3#W+f         (user29)
beaufort1        (user10)
43PDlBR8tS#V     (user32)
453758487l       (user08)
F-62RqTo@m       (user30)
WBJ_Pvtz6i42AV   (user34)
rachelleanne     (user03)
amorosaoveja     (user07)
b#f1HvU@Qz7nk    (user33)
31g 0:00:00:00 DONE (2016-07-18 22:19) 382.7g/s 426851p/s 426851c/s 6317KC/s wbj_pvtz6I42av..wbj_pvtz6i42av
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using –show:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-lm-ntlm.pot ad-database\kali\dump\nt.john.out

Administrator:Root1$:S-1-5-21-3188177830-2933342842-421106997-500::
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:aS:S-1-5-21-3188177830-2933342842-421106997-1127::
user23:Y6G:S-1-5-21-3188177830-2933342842-421106997-1128::
user24:*qFT:S-1-5-21-3188177830-2933342842-421106997-1129::
user25:*Vqc(:S-1-5-21-3188177830-2933342842-421106997-1130::
user26:976b0:S-1-5-21-3188177830-2933342842-421106997-1131::
user27:XjW*wL:S-1-5-21-3188177830-2933342842-421106997-1132::
user28:A9LT5J$r:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:Crx3#W+f:S-1-5-21-3188177830-2933342842-421106997-1134::
user30:F-62RqTo@m:S-1-5-21-3188177830-2933342842-421106997-1135::
user31:8N)IMRgQ57_:S-1-5-21-3188177830-2933342842-421106997-1136::
user32:43PDlBR8tS#V:S-1-5-21-3188177830-2933342842-421106997-1137::
user33:b#f1HvU@Qz7nk:S-1-5-21-3188177830-2933342842-421106997-1138::
user34:WBJ_Pvtz6i42AV:S-1-5-21-3188177830-2933342842-421106997-1139::

31 password hashes cracked, 12 left

 

Wednesday 20 July 2016

Practice ntds.dit File Part 7: Password Cracking With John the Ripper – Brute-force

Filed under: Encryption — Didier Stevens @ 0:00

Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode is not just trying out the full key space, it follows an order based on trigraph frequencies to recover passwords asap.

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out

Working through the complete LM hash key space will take many days:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead

Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1                (user09:2)
2020             (user06:2)
AS               (user22)
F                (user29:2)
R                (user28:2)
LM11819          (user16:1)
V                (user21)
EANNE            (user03:2)
T1               (user10:2)
CUNINGO          (user17)
AMOROSA          (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

You use option –show to display recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

The command for NT hashes is almost the same:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out

This will never end (unless all passwords are recovered), because the password length is not limited like for LM hashes:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1g 0:00:00:11  0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V                (user21)
cuningo          (user17)
aS               (user22)
4g 0:00:01:17  0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

 

Tuesday 19 July 2016

Practice ntds.dit File Part 6: Password Cracking With John the Ripper – Wordlist

Filed under: Encryption — Didier Stevens @ 0:00

After password cracking examples with hashcat, I want to show you how to crack passwords with John the Ripper (remember we also produced hashes for John the Ripper: lm.john.out and nt.john.out).

First we use the rockyou wordlist to crack the LM hashes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-lm.pot lm.john.out

Option –wordlist specifies the wordlist to use, and option –pot specifies the pot file I want to create/use.

Output:

Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
RACHELL          (user03:1)
AMOROSA          (user07:1)
BEAUFOR          (user10:1)
GIRLISH          (user06:1)
2020             (user06:2)
1                (user09:2)
007              (user12:2)
THURLOW          (user09:1)
OVEJA            (user07:2)
EANNE            (user03:2)
AS               (user22)
MAISIE2          (user12:1)
F                (user29:2)
ZORDIC7          (user04)
YELIZ6           (user14)
TADOB            (user15)
R                (user28:2)
LM11819          (user16:1)
KURT!!!          (user05)
CUNINGO          (user17)
LZAC08@          (user19)
FEPARAG          (user20:1)
4537584          (user08:1)
24g 0:00:00:00 DONE (2016-07-15 23:57) 27.39g/s 16374Kp/s 16374Kc/s 461233KC/s "WHENIC..♦*♥7▒VA
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option –show to display the (partially) recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-lm.pot lm.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:RACHELLEANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:ZORDIC7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:KURT!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:GIRLISH2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSAOVEJA:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:4537584???????:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:THURLOW1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:BEAUFOR???????:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:MAISIE2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:YELIZ6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:TADOB:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:LZAC08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAG???????:S-1-5-21-3188177830-2933342842-421106997-1125::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::

24 password hashes cracked, 23 left

Cracking NTLM hashes is done with a similar command, it’s just the name of the files that changes:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=rockyou.txt --pot=john-rockyou-nt.pot nt.john.out

Output:

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
mychemicalromance (user02)
beautifulprincess (user11)
beaufort1        (user10)
thurlow1         (user09)
rachelleanne     (user03)
maisie2007       (user12)
maiseythorne2007 (user13)
zordic7          (user04)
yeliz6           (user14)
tadob            (user15)
lm1181992        (user16)
kurt!!!          (user05)
girlish2020      (user06)
cuningo          (user17)
amorosaoveja     (user07)
Lzac08@          (user19)
Horselover1493@hotmail.com (user18)
FEPARAGON        (user20)
453758487l       (user08)
20g 0:00:00:01 DONE (2016-07-16 00:06) 19.15g/s 13739Kp/s 13739Kc/s 411618KC/s    000..♦*♥7▒Vamos!♥
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And then we use option –show to display the recovered passwords:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-rockyou-nt.pot nt.john.out

Output:

user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user02:mychemicalromance:S-1-5-21-3188177830-2933342842-421106997-1107::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user11:beautifulprincess:S-1-5-21-3188177830-2933342842-421106997-1116::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user13:maiseythorne2007:S-1-5-21-3188177830-2933342842-421106997-1118::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user18:Horselover1493@hotmail.com:S-1-5-21-3188177830-2933342842-421106997-1123::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::

20 password hashes cracked, 23 left

 

Monday 18 July 2016

Practice ntds.dit File Part 5: Password Cracking With hashcat – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

When you have LM and NTLM hashes, you can first crack the LM hashes and then use the recovered passwords to crack the NTLM hashes.

File hashcat-mask-lm.pot contains the passwords we recovered from brute-forcing the LM hashes.

This command creates file lm-results.txt:

hashcat-3.00\hashcat64.exe -m 3000 --username --show --potfile-path hashcat-mask-lm.pot --outfile-format 2 --outfile lm-results.txt lm.ocl.out

Content of lm-results.txt:

Administrator:ROOT1$
user01:123456
user03:RACHELLEANNE
user04:ZORDIC7
user05:KURT!!!
user06:GIRLISH2020
user07:AMOROSAOVEJA
user08:453758487L
user09:THURLOW1
user10:BEAUFORT1
user12:MAISIE2007
user14:YELIZ6
user15:TADOB
user16:LM1181992
user17:CUNINGO
user19:LZAC08@
user20:FEPARAGON
user21:V
user22:AS
user23:Y6G
user24:*QFT
user25:*VQC(
user26:976B0
user27:XJW*WL
user28:A9LT5J$R
user29:CRX3#W+F
user30:F-62RQTO@M
user31:8N)IMRGQ57_
user32:43PDLBR8TS#V
user33:B#F1HVU@QZ7NK
user34:WBJ_PVTZ6I42AV

The passwords are uppercase since they are recovered from LM hashes.
Now let’s extract the passwords:

gawk.exe -F : "{print $2}" < lm-results.txt > lm-passwords.txt

Result:

ROOT1$
123456
RACHELLEANNE
ZORDIC7
KURT!!!
GIRLISH2020
AMOROSAOVEJA
453758487L
THURLOW1
BEAUFORT1
MAISIE2007
YELIZ6
TADOB
LM1181992
CUNINGO
LZAC08@
FEPARAGON
V
AS
Y6G
*QFT
*VQC(
976B0
XJW*WL
A9LT5J$R
CRX3#W+F
F-62RQTO@M
8N)IMRGQ57_
43PDLBR8TS#V
B#F1HVU@QZ7NK
WBJ_PVTZ6I42AV

And now we can use this list of passwords for a dictionary attack on the NTLM hashes. But passwords recovered from NTLM hashes can contain lowercase and uppercase letters. So we need to generate all possible combinations of lowercase and uppercase letters for our password list. This can be done with the toggle rule file toggles-lm-ntlm.rule I created with this new tool.

hashcat-3.00\hashcat64.exe -a 0 -m 1000 --potfile-path hashcat-lm-passwords-nt.pot --username --rules toggles-lm-ntlm.rule nt.ocl.out lm-passwords.txt

Output:

hashcat (v3.00-1-g67a8d97) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics 5000, 356/1425 MB allocatable, 40MCU
- Device #2: Intel(R) Core(TM) i7-4650U CPU @ 1.70GHz, skipped

Hashes: 43 hashes; 43 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 16384
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Cache-hit dictionary stats lm-passwords.txt: 274 bytes, 31 words, 507904 keyspace

ATTENTION!
  The wordlist or mask you are using is too small.
  Therefore, hashcat is unable to utilize the full parallelization power of your device(s).
  The cracking speed will drop.
  Workaround: https://hashcat.net/wiki/doku.php?id=frequently_asked_questions#how_to_create_more_work_for_full_speed

INFO: approaching final keyspace, workload adjusted

32ed87bdb5fdc5e9cba88547376818d4:123456
9180c11efd4cb6149557f59b0cf80573:FEPARAGON
adc5df4b1f4a1b2501bbeef236f5be92:V
b6c0168748dcdba30141914c959d9f8c:Y6G
2a3d0e353eadfb8c7b5d7d503efad47d:aS
e14af367857363b0f16418bcce9f96b9:*qFT
a474953d36f287fefc73f8917ca27290:8N)IMRgQ57_
024b7f87b902332ac1369f2fd1a1d4e9:976b0
458d16d08f6ba7c5c61cd3850b704015:A9LT5J$r
81ed9d39c208fb710f16fd01df2c5ea3:453758487l
f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
23f8c70f8c51c5535e4ef372ffe9500a:XjW*wL
c57128805cc3e445a338126080ce52bb:*Vqc(
80fadb7eb493333387c36c3a30a86a9c:43PDlBR8tS#V
c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
eb37f9cd74303274cb923442a7348ef4:Root1$
85ec40bb1fadfcd4f1cdd8f5c745338a:Crx3#W+f
584c3288cdb9249191d01028fc3c1d06:F-62RqTo@m
336413710df33e5d6ef4ba82ba762543:kurt!!!
2fce06c6e6303f0850416dfe57f809ac:WBJ_Pvtz6i42AV
7f5ab070d31e61251ab4ef78b6601941:yeliz6
0794f987708fd36dc158c3435d1e9d65:tadob
3081116936973f2a1019178a085e77cd:maisie2007
2a54f9c00701830e44923a19eea7df62:zordic7
236ff73b5ec46c68c37d27d51bd4fa8f:b#f1HvU@Qz7nk
0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
5bd6fddd235507a2baf82843b6174b4e:cuningo
8810b6cff094d7bbfa9254a47e460e8c:girlish2020
c1d5ff9561074a64e8164745f7e057a3:beaufort1
9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
d10107259670c218d8389bb05a6ca9a5:amorosaoveja

Session.Name...: hashcat
Status.........: Exhausted
Rules.Type.....: File (toggles-lm-ntlm.rule)
Input.Mode.....: File (lm-passwords.txt)
Hash.Target....: File (nt.ocl.out)
Hash.Type......: NTLM
Time.Started...: Fri Jul 15 23:02:55 2016 (1 sec)
Speed.Dev.#1...:   468.3 kH/s (0.24ms)
Recovered......: 31/43 (72.09%) Digests, 0/1 (0.00%) Salts
Progress.......: 507904/507904 (100.00%)
Rejected.......: 0/507904 (0.00%)

Started: Fri Jul 15 23:02:55 2016
Stopped: Fri Jul 15 23:02:59 2016

And finally, we can display the result:

hashcat-3.00\hashcat64.exe -m 1000 --potfile-path hashcat-lm-passwords-nt.pot --username --show nt.ocl.out

Output:

hashcat (v3.00-1-g67a8d97) starting...

Administrator:eb37f9cd74303274cb923442a7348ef4:Root1$
user01:32ed87bdb5fdc5e9cba88547376818d4:123456
user03:9aeae4ad385c29a8d3e25a2032df95ec:rachelleanne
user04:2a54f9c00701830e44923a19eea7df62:zordic7
user05:336413710df33e5d6ef4ba82ba762543:kurt!!!
user06:8810b6cff094d7bbfa9254a47e460e8c:girlish2020
user07:d10107259670c218d8389bb05a6ca9a5:amorosaoveja
user08:81ed9d39c208fb710f16fd01df2c5ea3:453758487l
user09:0d870c8d2ed66211a6cd19b6c8c6939a:thurlow1
user10:c1d5ff9561074a64e8164745f7e057a3:beaufort1
user12:3081116936973f2a1019178a085e77cd:maisie2007
user14:7f5ab070d31e61251ab4ef78b6601941:yeliz6
user15:0794f987708fd36dc158c3435d1e9d65:tadob
user16:f85bbc519f1d4b9453d0d316d2f43efd:lm1181992
user17:5bd6fddd235507a2baf82843b6174b4e:cuningo
user19:c09c4e921a0f7763e22aa5f38d73016a:Lzac08@
user20:9180c11efd4cb6149557f59b0cf80573:FEPARAGON
user21:adc5df4b1f4a1b2501bbeef236f5be92:V
user22:2a3d0e353eadfb8c7b5d7d503efad47d:aS
user23:b6c0168748dcdba30141914c959d9f8c:Y6G
user24:e14af367857363b0f16418bcce9f96b9:*qFT
user25:c57128805cc3e445a338126080ce52bb:*Vqc(
user26:024b7f87b902332ac1369f2fd1a1d4e9:976b0
user27:23f8c70f8c51c5535e4ef372ffe9500a:XjW*wL
user28:458d16d08f6ba7c5c61cd3850b704015:A9LT5J$r
user29:85ec40bb1fadfcd4f1cdd8f5c745338a:Crx3#W+f
user30:584c3288cdb9249191d01028fc3c1d06:F-62RqTo@m
user31:a474953d36f287fefc73f8917ca27290:8N)IMRgQ57_
user32:80fadb7eb493333387c36c3a30a86a9c:43PDlBR8tS#V
user33:236ff73b5ec46c68c37d27d51bd4fa8f:b#f1HvU@Qz7nk
user34:2fce06c6e6303f0850416dfe57f809ac:WBJ_Pvtz6i42AV

As you can see, we recovered all passwords shorter than 15 characters.

Sunday 17 July 2016

Overview of Content Published In June

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in June:

Blog posts:

Saturday 16 July 2016

Tool To Generate Hashcat Toggle Rules

Filed under: My Software — Didier Stevens @ 0:00

generate-hashcat-toggle-rules.py is a Python program to generate hashcat toggle rules. Toggle rules toggle the case of letters in words present in a dictionary.

Hashcat comes with toggle rule files for candidate passwords up to 15 characters long. There’s a rules file that will toggle exactly one letter (toggles1.rule), another rule file for up to two letters (toggles2.rule), three, four, and finally a rule file for up to five letters (toggles5.rule). Hashcat does not provide rules with more than five toggles, as empirical data shows that passwords chosen by users only contain a couple of uppercase letters.

These toggle rule files can also be generated with generate-hashcat-toggle-rules.py.

This command generates rules identical to toggles5.rule:

generate-hashcat-toggle-rules.py 5

 

But I want to crack NTLM hashes for randomly generated passwords, and for which I already cracked the LM hash. So I must toggle up to 14 letters. I can use the following command to generate this toggle rule file:

generate-hashcat-toggle-rules.py -n -p 14 14 > toggles-lm-ntlm.rule

-n will include rule :. This rule makes no changes (nothing) to the candidate password. This way I can run hashcat only once with the rule file. I don’t need to run hashcat with and without rule file.

-p 14 generates toggles up to position 14 (the default is up to position 15, but since LM hash passwords are maximum 14 characters long, it’s useless to generate toggles for position 15).

Here is part of this generated file toggles-lm-ntlm.rule:

:
T0
T1
T2
T3
T4
T5
T6
T7
T8
T9
TA
TB
TC
TD
T0T1
T0T2
T0T3
T0T4
T0T5
...
T1T3T4T5T6T7T8T9TATBTCTD
T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTC
T0T1T2T3T4T5T6T7T8T9TATBTD
T0T1T2T3T4T5T6T7T8T9TATCTD
T0T1T2T3T4T5T6T7T8T9TBTCTD
T0T1T2T3T4T5T6T7T8TATBTCTD
T0T1T2T3T4T5T6T7T9TATBTCTD
T0T1T2T3T4T5T6T8T9TATBTCTD
T0T1T2T3T4T5T7T8T9TATBTCTD
T0T1T2T3T4T6T7T8T9TATBTCTD
T0T1T2T3T5T6T7T8T9TATBTCTD
T0T1T2T4T5T6T7T8T9TATBTCTD
T0T1T3T4T5T6T7T8T9TATBTCTD
T0T2T3T4T5T6T7T8T9TATBTCTD
T1T2T3T4T5T6T7T8T9TATBTCTD
T0T1T2T3T4T5T6T7T8T9TATBTCTD

The generated toggle rule file toggles-lm-ntlm.rule is included in the ZIP file:

generate-hashcat-toggle-rules_v0_0_1.zip (https)
MD5: 170F54D69C8581B9379E11E14F31C39E
SHA256: 93AE3CC8123425CEBC85D6CA4DE1ED1DD14F492AB744368729FB38D24436B5D9

« Previous PageNext Page »

Blog at WordPress.com.