Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 119
Members: 0
Total: 119
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other hashes -> Results in Cain
Post new topicReply to topic View previous topic :: View next topic
Results in Cain
PostPosted: Sun Jan 18, 2009 11:06 am Reply with quote
Hanna313
Active user
Active user
Joined: Dec 17, 2008
Posts: 26




Hello,

Cain gave me these results about a friend of mine when i was sniffing on a network.

lm hash: 020E3E793046F14E00000000000000000000000000000000
nt hash: CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E
challenge: 29738582FE12235E

I got a few questions:

Are the lm and nt hash not too long?
What to do with all those 0000... in the lm hash, can this be right?
What is a challenge?

Hanna313
View user's profile Send private message
PostPosted: Sun Jan 18, 2009 2:03 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




What software did you use to get this data? It's best to use Cain for network sniffing. In this way all needed data is already imported to Cain!
Right now you problem is - how to import this data to Cain, right?
I'm doing some tests about this issue, but it takes some time.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Jan 18, 2009 4:33 pm Reply with quote
Hanna313
Active user
Active user
Joined: Dec 17, 2008
Posts: 26




Thanks for your reply Waraxe

Yes I used Cain to get this data, but i dont know why the lm hash has all those 0000... in it and if this is okey? and if the nt hash isnt too long.

So in the end can it be cracked?
View user's profile Send private message
PostPosted: Sun Jan 18, 2009 6:40 pm Reply with quote
Henderson
Valuable expert
Valuable expert
Joined: Jul 11, 2008
Posts: 58




Hanna313 wrote:
Yes I used Cain to get this data, but i dont know why the lm hash has all those 0000... in it and if this is okey? and if the nt hash isnt too long.


Because these are not regular LM/NTLM hashes but rather response hashes of NTLM challenge-response authentication routine. I believe the hashes you provided are derived from so called "NTLM2 Session Response". Bruteforcing it is possible but very time consuming.
View user's profile Send private message
PostPosted: Sun Jan 18, 2009 6:47 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




This is not NTLM v2, it's v1. V2 is using two challenges.

http://en.wikipedia.org/wiki/NTLM

Code:

NTLMv1

NTLMv1 is a challenge-response authentication protocol. The server authenticates the client by sending an 8-byte random number, the challenge. The client performs an operation involving the challenge and a secret shared between client and server, e.g. a password. The client returns the 24-byte result of the computation. In fact, in NTLMv1 two computations are made using two different shared secrets and two 24-byte results are returned. The server verifies that the client has computed the correct result, and from this infers possession of the secret, and hence the identity of the client.

The two secrets are:

* the LANMAN Hash of the user's password and
* the MD4 hash of the user's password

Both these hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The 21 bytes are separated in three 7 bytes quantities. Each of these 56 bit quantities is used as a key to DES encrypt the 64 bit challenge. The three encryptions of the challenge are reunited to form the 24-byte response. Both the response using the lanman hash and the MD4 hash (called the NT Hash) are returned as the response.

C = 8-byte server challenge, random
K1 | K2 | K3 = NT-Hash | 5-bytes-0
R1 = DES(K1,C) | DES(K2,C) | DES(K3,C)
K1 | K2 | K3 = LM-Hash | 5-bytes-0
R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)
response = R1 | R2


And probably LM hash is not in use (for example Vista does not use it anymore). Cain is capable of cracking such hashes, but problem is importing them to Cain. This is what i'm doing right now - experimenting and trying to make it work in practice Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Jan 18, 2009 7:10 pm Reply with quote
Henderson
Valuable expert
Valuable expert
Joined: Jul 11, 2008
Posts: 58




It's not really NTLM v2. "NTLM2 Session Response" is an unofficial term. And it does utilize two challenges - LM response hash is in fact null-padded client challenge.

As for importing the data to Cain, either edit your *.LST file or press insert key while in Cain's cracker and import it from a text file.
View user's profile Send private message
PostPosted: Sun Jan 18, 2009 7:54 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




So what mode in Cain? "LM & NTLM Hashes --> NTLM Session Security Hashes"? And in what form that text file should be? Fields separated by ":"? Can you provide working example of text file, importable to Cain?
I'm currently using Cain on Vista x64 and seems that Cain does not like 64-bit Windows. So I have to test my ideas on VMware and it takes some more time.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Jan 18, 2009 8:07 pm Reply with quote
Henderson
Valuable expert
Valuable expert
Joined: Jul 11, 2008
Posts: 58




It would be

Code:
UserName:3:29738582FE12235E:020E3E793046F14E00000000000000000000000000000000:CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E
View user's profile Send private message
PostPosted: Sun Jan 18, 2009 8:39 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Thanks for useful information Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Jan 19, 2009 7:02 pm Reply with quote
Hanna313
Active user
Active user
Joined: Dec 17, 2008
Posts: 26




So Waraxe, what do you think?

Can it be cracked? and how can it be cracked?
View user's profile Send private message
PostPosted: Mon Jan 19, 2009 7:57 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Hanna313 wrote:
So Waraxe, what do you think?

Can it be cracked? and how can it be cracked?


Make text file as explained above, then go to Cain, navigate to "Cracker" --> "LM and NTLM Hashes"
--> Press Insert key --> "Add NT Hashes from" pops up --> select "Import hashes from a text file" -->
select that text file --> press Next button ==> hashes are imported

Next choose right algorithm - "NTLM Session Security Hashes" and select either Dictionary or Bruteforce method.

I was not successful with that hash cracking, but i'm short of free time and computing resources.
So my suggestion is to use bruteforce and let your PC or PC-s crack it 24/7 as long as possible.
But of course it all depends on initial plaintext password quality
- strong NT password hashes are practically uncrackable (as for this moments state of computing technology).
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Jan 19, 2009 8:04 pm Reply with quote
Hanna313
Active user
Active user
Joined: Dec 17, 2008
Posts: 26




Can't I use LM or NTLM rainbow tables?

Wouldn't that be much faster?
View user's profile Send private message
PostPosted: Mon Jan 19, 2009 8:36 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




No, because of random challenge rainbow tables are not useable.
View user's profile Send private message Send e-mail Visit poster's website
Results in Cain
www.waraxe.us Forum Index -> All other hashes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.038 Seconds