Incorrect hash length for netntlmv2 captured hash #24

Open
neofito opened this issue Sep 16, 2020 · 4 comments

@neofito

neofito commented Sep 16, 2020

Hello Kevin,

I've obtained several NetNTLM v2 hashes using your tool, but hashcat is throwing an error with the hash length (type 5600: NetNTLMv2):

Hashfile 'netntlmv2.lst' on line 1 (-- redacted ---): Salt-length exception

The same error for all hashes.

Checking the format against the hashcat examples I've accomplished an unusual length of 32 characters for the captured hash.

Any idea or hint?

Thanks in advance!

@Kevin-Robertson
Owner

SMB or HTTP? I'm guessing the challenge is missing? There is something that can cause that with the packet sniffer on the SMB side that I have not been able to track down.

@neofito
Author

neofito commented Sep 18, 2020

Hi Kevin,

SMB and the challenge is present in the logfile:

[+] [2020-09-17T07:51:35] SMB(445) negotiation request detected from 192.168.0.10:51243
[+] [2020-09-17T07:51:36] SMB(445) NTLM challenge F91F2FCA9466DCC4 sent to 192.168.0.10:51243
[+] [2020-09-17T07:51:36] SMB(445) NTLMv2 captured for DOMAIN\username from 192.168.0.10(COMPUTERNAME):51243: [redacted]

The attacker's machine is a "Windows Server 2012 R2 Standard" and the tool was launched with admin privs. I can send you a captured hash if need be.

On the other hand, using Inveigh-Zero in the same scenario it works like a charm.

Thanks for your support!

@Kevin-Robertson
Owner

Hi,

Ugh, I'm guessing you don't see F91F2FCA9466DCC4 listed in the full hash output? If so, I think I see the bug. I combined the SMB and HTTP NTLM code but it looks like it's only checking the HTTP session table to grab the challenge.

Since it is indeed seeing the challenge in this case, you should be able to just paste it in right after DOMAIN:. I'll get it fixed this weekend. Thanks!
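The workaround described above, as an added example (not code from the project or from either commenter): a Python check of the hashcat mode 5600 field layout (`user::domain:challenge:NTProofStr:blob`) that fills a missing challenge from the matching log line. It assumes the captured hash follows the capture message on the same log line and that a missing challenge appears as an empty or absent field; all hash values are constructed.

```python
import re

CHALLENGE_RE = re.compile(r"NTLM challenge ([0-9A-Fa-f]{16}) sent to (\S+:\d+)")
CAPTURE_RE = re.compile(r"NTLMv2 captured for \S+ from ([\d.]+)\([^)]*\):(\d+):\s*(\S+)")

def is_hex(s, length=None):
    return bool(re.fullmatch(r"[0-9A-Fa-f]+", s)) and (length is None or len(s) == length)

def check_fields(line):
    """Problems with a hashcat mode 5600 line; an empty list means well-formed."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        return [f"expected 6 colon-separated fields, got {len(parts)}"]
    _, _, _, challenge, proof, blob = parts
    problems = []
    if not is_hex(challenge, 16):
        problems.append("server challenge must be 16 hex characters")
    if not is_hex(proof, 32):
        problems.append("NTProofStr must be 32 hex characters")
    if not is_hex(blob) or len(blob) % 2:
        problems.append("blob must be an even-length hex string")
    return problems

def repair(line, challenge):
    """Put the logged challenge right after 'domain:' if that field is empty or absent."""
    parts = line.strip().split(":")
    if len(parts) == 6 and parts[3] == "":
        parts[3] = challenge
    elif len(parts) == 5:
        parts.insert(3, challenge)
    return ":".join(parts)

def repair_from_log(log_text):
    """Pair each capture with the challenge sent to the same client ip:port."""
    challenges, results = {}, []
    for line in log_text.splitlines():
        if m := CHALLENGE_RE.search(line):
            challenges[m.group(2)] = m.group(1)
        elif m := CAPTURE_RE.search(line):
            endpoint, captured = f"{m.group(1)}:{m.group(2)}", m.group(3)
            if check_fields(captured) and endpoint in challenges:
                captured = repair(captured, challenges[endpoint])
            results.append((captured, check_fields(captured)))
    return results

# Constructed sample: log wording from the thread; hash placement and values are assumptions.
SAMPLE_LOG = """\
[+] [2020-09-17T07:51:36] SMB(445) NTLM challenge F91F2FCA9466DCC4 sent to 192.168.0.10:51243
[+] [2020-09-17T07:51:36] SMB(445) NTLMv2 captured for DOMAIN\\username from 192.168.0.10(COMPUTERNAME):51243: username::DOMAIN::0123456789ABCDEF0123456789ABCDEF:0101000000000000AABBCCDD
"""
```

`repair_from_log(SAMPLE_LOG)` returns each hash line together with any remaining format problems, so a line that still fails the check is visible before it is handed to hashcat.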

@neofito
Author

neofito commented Sep 19, 2020

Hi Kevin,

As you said, using the challenge from the logfile the problem has gone. I should have thought about it before!

Thanks for your support and such a great tool!
