Frequently during penetration tests, we will capture halflmchall password hashes from the network. These can come from a variety of sources, but common sources include NBNS spoofing and SQL queries/SQL injection. Both methods can be easy ways to get halflmchall hashes during a pen test.
For those who are unfamiliar with halflmchall hashes and how they are created, the process is pretty simple. When a client makes an authentication request with a server, the server responds with a challenge (which is basically a seed value used for hashing) for the client to use. If we are acting as the server, we can specify the challenge and the authentication protocol that we want to use. If we have a static challenge (1122334455667788) and a weak authentication protocol (LANMAN v1), we’re able to quickly look up the captured hashes in rainbow tables. Now, this isn’t the full technical detail of the process, but hopefully this gives you a good idea as to how this can work to our advantage.
For a much more in-depth review of the process, here’s a great write up – https://www.foofus.net/?page_id=63 The typical capture to cracked password process goes like this:
Obtain a man-in-the-middle position, or force a server to authenticate to your evil server.
Capture the hash (via SMB or HTTP servers).
Look up the first 16 characters of the captured LM hash in the HalfLMChall rainbow tables.
Use the cracked portion of the LM hash to feed into the John the Ripper netntlm.pl script to crack the rest of the LM hash.
Feed the case insensitive password (from step 3) back into the netntlm.pl script to crack the case sensitive NTLM hash and get the full password.
The cracking process goes pretty quickly, but it does require multiple commands to run that includes some copy and paste work. I’ve found that this process takes up more of my time than I would like, so I wrote a PowerShell script to automate the whole cracking process.
PowerShell cracking script requirements:
The halflmchall rainbow tables
John the Ripper (Jumbo release)
Perl (required to run netntlm.pl)
You will also need to enable PowerShell to run scripts: “Set-ExecutionPolicy RemoteSigned”
Within the script you will have to specify your John, rcrack, Perl, and rainbow table locations, but you should be able to run the script from any directory.
The script usage is simple:
PS_MultiCrack.ps1 Input_File Output_File
You should be able to use the john formatted output file generated from the metasploit modules, but below is the basic format that the script will require:
The “1122334455667788” is the default static salt that is used by most of the tools used for capturing the hashes. It’s also the salt used by the rainbow tables (Download here).
The script will write out each username and password to the output file when it’s done. Hashes that are already in the john.pot file will be prefixed in your output file as “Previously Cracked:” so that you don’t have to worry about cleaning out your input file as you add more hashes. Additionally, the script won’t go through the effort of cracking the same hash again, as that would be a waste of time.
If you have any comments, suggestions, issues, please let me know through here or GitHub and I’ll try to address them.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.