IT Security and Insecurity Portal

Results in Cain

Posted: Sun Jan 18, 2009 11:06 am
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

Hello,
Cain gave me these results about a friend of mine when I was sniffing on a network.
lm hash: 020E3E793046F14E00000000000000000000000000000000
nt hash: CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E
challenge: 29738582FE12235E
I got a few questions:
Are the lm and nt hash not too long?
What to do with all those 0000... in the lm hash, can this be right?
What is a challenge?
Hanna313

Posted: Sun Jan 18, 2009 2:03 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

What software did you use to get this data? It's best to use Cain for network sniffing. In this way all needed data is already imported to Cain!
Right now your problem is - how to import this data to Cain, right?
I'm doing some tests about this issue, but it takes some time.

Posted: Sun Jan 18, 2009 4:33 pm
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

Thanks for your reply Waraxe
Yes I used Cain to get this data, but I don't know why the lm hash has all those 0000... in it and if this is okay? And if the nt hash isn't too long.
So in the end, can it be cracked?

Posted: Sun Jan 18, 2009 6:40 pm
Henderson
Valuable expert
Joined: Jul 11, 2008
Posts: 58

Hanna313 wrote:
> Yes I used Cain to get this data, but I don't know why the lm hash has all those 0000... in it and if this is okay? And if the nt hash isn't too long.
Because these are not regular LM/NTLM hashes but rather response hashes of the NTLM challenge-response authentication routine. I believe the hashes you provided are derived from the so-called "NTLM2 Session Response". Bruteforcing it is possible but very time consuming.

Posted: Sun Jan 18, 2009 6:47 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

This is not NTLM v2, it's v1. V2 is using two challenges.
http://en.wikipedia.org/wiki/NTLM
Code:
NTLMv1
NTLMv1 is a challenge-response authentication protocol. The server authenticates the client by sending an 8-byte random number, the challenge. The client performs an operation involving the challenge and a secret shared between client and server, e.g. a password. The client returns the 24-byte result of the computation. In fact, in NTLMv1 two computations are made using two different shared secrets and two 24-byte results are returned. The server verifies that the client has computed the correct result, and from this infers possession of the secret, and hence the identity of the client.
The two secrets are:
* the LANMAN Hash of the user's password and
* the MD4 hash of the user's password
Both these hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The 21 bytes are separated into three 7-byte quantities. Each of these 56-bit quantities is used as a key to DES encrypt the 64-bit challenge. The three encryptions of the challenge are reunited to form the 24-byte response. Both the response using the LANMAN hash and the MD4 hash (called the NT Hash) are returned as the response.
C = 8-byte server challenge, random
K1 | K2 | K3 = NT-Hash | 5-bytes-0
R1 = DES(K1,C) | DES(K2,C) | DES(K3,C)
K1 | K2 | K3 = LM-Hash | 5-bytes-0
R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)
response = R1 | R2

And probably the LM hash is not in use (for example Vista does not use it anymore). Cain is capable of cracking such hashes, but the problem is importing them to Cain. This is what I'm doing right now - experimenting and trying to make it work in practice.

Posted: Sun Jan 18, 2009 7:10 pm
Henderson
Valuable expert
Joined: Jul 11, 2008
Posts: 58

It's not really NTLM v2. "NTLM2 Session Response" is an unofficial term. And it does utilize two challenges - the LM response hash is in fact the null-padded client challenge.
As for importing the data to Cain, either edit your *.LST file or press the Insert key while in Cain's cracker and import it from a text file.

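The computation quoted from Wikipedia in the post above, combined with Henderson's point that in the "NTLM2 Session Response" the LM field is nothing but the client nonce padded with zeros, as an added worked example in Go. This is not code from the thread, from Cain or from Wikipedia; it assumes only Go's standard library (crypto/des, crypto/md5). The NT hash used is the well-known hash of the password "password"; the server challenge and client nonce are constructed sample values. The verification function is written from the authenticating side's point of view: it recomputes the expected response from the stored NT hash and the challenge material, which also shows why a table precomputed per password cannot be used, since the random challenge enters every response.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// expandDESKey spreads a 7-byte (56-bit) fragment over 8 bytes and sets the
// low bit of each byte to odd parity, which is the DES key format.
func expandDESKey(k7 []byte) []byte {
	key := []byte{
		k7[0], k7[0]<<7 | k7[1]>>1, k7[1]<<6 | k7[2]>>2, k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4, k7[4]<<3 | k7[5]>>5, k7[5]<<2 | k7[6]>>6, k7[6] << 1,
	}
	for i := range key {
		key[i] &= 0xFE
		if bits.OnesCount8(key[i])%2 == 0 {
			key[i] |= 1
		}
	}
	return key
}

// desl is the "DES(K1,C) | DES(K2,C) | DES(K3,C)" step: the 16-byte hash is
// padded with five zero bytes to 21, split into three 7-byte keys, and each
// key encrypts the same 8-byte block; the three ciphertexts are concatenated.
func desl(hash16, block8 []byte) ([]byte, error) {
	if len(hash16) != 16 || len(block8) != 8 {
		return nil, fmt.Errorf("desl: need a 16-byte hash and an 8-byte block")
	}
	k21 := append(append([]byte{}, hash16...), 0, 0, 0, 0, 0)
	out := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		c, err := des.NewCipher(expandDESKey(k21[i : i+7]))
		if err != nil {
			return nil, err
		}
		ct := make([]byte, 8)
		c.Encrypt(ct, block8)
		out = append(out, ct...)
	}
	return out, nil
}

// NTLMv1Response is the plain NTLMv1 NT response R1 = DESL(NT-Hash, C).
func NTLMv1Response(ntHash, serverChallenge []byte) ([]byte, error) {
	return desl(ntHash, serverChallenge)
}

// NTLM2SessionResponse produces the pair seen in the capture: the "LM" field is
// the 8-byte client nonce followed by 16 zero bytes, and the NT field is
// DESL(NT-Hash, first 8 bytes of MD5(server challenge || client nonce)).
func NTLM2SessionResponse(ntHash, serverChallenge, clientNonce []byte) (lm, nt []byte, err error) {
	if len(serverChallenge) != 8 || len(clientNonce) != 8 {
		return nil, nil, fmt.Errorf("server challenge and client nonce must be 8 bytes")
	}
	lm = append(append([]byte{}, clientNonce...), make([]byte, 16)...)
	sum := md5.Sum(append(append([]byte{}, serverChallenge...), clientNonce...))
	nt, err = desl(ntHash, sum[:8])
	return lm, nt, err
}

// IsNTLM2SessionLMField reports whether a captured 24-byte LM field is a client
// nonce padded with zeros, i.e. the 0000... pattern asked about in this thread.
func IsNTLM2SessionLMField(lm []byte) bool {
	return len(lm) == 24 && bytes.Equal(lm[8:], make([]byte, 16))
}

// VerifyNTResponse is the authenticating side's check: recompute the expected
// NT response from the stored NT hash and the challenge material, then compare
// in constant time. Pass clientNonce == nil for plain NTLMv1.
func VerifyNTResponse(storedNTHash, serverChallenge, clientNonce, ntResponse []byte) bool {
	var expected []byte
	var err error
	if clientNonce == nil {
		expected, err = NTLMv1Response(storedNTHash, serverChallenge)
	} else {
		_, expected, err = NTLM2SessionResponse(storedNTHash, serverChallenge, clientNonce)
	}
	return err == nil && subtle.ConstantTimeCompare(expected, ntResponse) == 1
}

func main() {
	// Well-known NT hash (MD4 of UTF-16LE) of the password "password"; the
	// challenge and nonce below are constructed sample values, not from any capture.
	ntHash, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	serverChallenge, _ := hex.DecodeString("0123456789abcdef")
	clientNonce, _ := hex.DecodeString("aaaaaaaaaaaaaaaa")
	lm, nt, err := NTLM2SessionResponse(ntHash, serverChallenge, clientNonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("LM field: %X (%d bytes)\nNT field: %X (%d bytes)\n", lm, len(lm), nt, len(nt))
	fmt.Println("LM field is a padded client nonce:", IsNTLM2SessionLMField(lm))
	fmt.Println("NT field verifies against stored hash:", VerifyNTResponse(ntHash, serverChallenge, clientNonce, nt))
}
```

Both fields come out as 24 bytes (48 hex characters), which is exactly the length of the two values at the top of the thread, so they are not "too long"; decoding the captured LM value and passing it to IsNTLM2SessionLMField confirms it is an 8-byte nonce followed by sixteen zero bytes rather than a hash at all.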
Posted: Sun Jan 18, 2009 7:54 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

So what mode in Cain? "LM & NTLM Hashes --> NTLM Session Security Hashes"? And in what form should that text file be? Fields separated by ":"? Can you provide a working example of a text file, importable to Cain?
I'm currently using Cain on Vista x64 and it seems that Cain does not like 64-bit Windows. So I have to test my ideas on VMware and it takes some more time.

Posted: Sun Jan 18, 2009 8:07 pm
Henderson
Valuable expert
Joined: Jul 11, 2008
Posts: 58

It would be
Code:
UserName:3:29738582FE12235E:020E3E793046F14E00000000000000000000000000000000:CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E

Posted: Sun Jan 18, 2009 8:39 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Thanks for the useful information

Posted: Mon Jan 19, 2009 7:02 pm
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

So Waraxe, what do you think?
Can it be cracked? And how can it be cracked?

Posted: Mon Jan 19, 2009 7:57 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Hanna313 wrote:
> So Waraxe, what do you think?
> Can it be cracked? And how can it be cracked?
Make a text file as explained above, then go to Cain, navigate to "Cracker" --> "LM and NTLM Hashes"
--> Press Insert key --> "Add NT Hashes from" pops up --> select "Import hashes from a text file" -->
select that text file --> press Next button ==> hashes are imported
Next choose the right algorithm - "NTLM Session Security Hashes" and select either Dictionary or Bruteforce method.
I was not successful with that hash cracking, but I'm short of free time and computing resources.
So my suggestion is to use bruteforce and let your PC or PCs crack it 24/7 as long as possible.
But of course it all depends on initial plaintext password quality
- strong NT password hashes are practically uncrackable (as for this moment's state of computing technology).

Posted: Mon Jan 19, 2009 8:04 pm
Hanna313
Active user
Joined: Dec 17, 2008
Posts: 26

Can't I use LM or NTLM rainbow tables?
Wouldn't that be much faster?

Posted: Mon Jan 19, 2009 8:36 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

No, because of the random challenge, rainbow tables are not usable.