Half LM mass cracking



For those of you familiar with cracking HLM hashes, or perhaps for those of you who aren’t, this is a script designed to make cracking HLM even easier. I am aware that there is a script out there for doing this. However, for those of you familiar with this process will know that it involves often numerous scripts or commands and worse of all it only cracks 1 at a time. The process to crack a HLM hash is as follows:

  1. Crack the first part of the hash (first 16 digits of the hash) using rcracki_mt
  2. Use the cracked result as a seed to crack the rest of the hash
  3. Use netntlm.pl to crack the remaining hash

e.g.

Crack first Part of Hash (first 16 Characters of LM Hash)

root@bt:~cd /root/rcracki_mt_0.6.6_src/ ./rcracki_mt -h 53a3588c7edca4b4 /root/Halflmchall/
result:
——————————————————-
53a3588c7edca4b4 WINDOWS hex:4c4f4253544552
 Crack second Part of Hash:
root@bt:/pentest/passwords/john# ./netntlm.pl –seed WINDOWS –file /netbios/john_netntlm
My script incorporates the use of rcrack and netntlm.pl by combining the entire process and running that through a loop of a file containing all your HLM hashes.

Example Scenario: Let’s assume you’ve captured LM/NTLM challenge/response set for the password Cricket88!.
 
You may be able to crack the first part (i.e. CRICKET) using “Half LM” Rainbow Tables.
 
This script will use that value as a seed and attempt to crack the second part (i.e. “88!”) via an incremental brute.
 
It’ll then use the NetNTLM response hash to crack the case-sensitive version of the entire password.
The script can be found here at my pastebin.
 
Any amendments to the script to make it better would be much appreciated!

Comments

Popular posts from this blog

Null Session Domain Controller Enumeration

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution

NetBIOS / NBNS Spoofing