Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Nov 2011 08:17:36 +0100
From: rootkit rootkit <>
Subject: Re: NTLM challenge/response cracking (again...)

On Sat, Nov 12, 2011 at 1:10 AM, rootkit rootkit <> wrote:

> I'm a little bit confused now. From NETNTLMv2_fmt_plug.c I see that
> the challenge/response should be in the following format
> where ServerChallenge is 8 bytes, NTLMv2Response is 16 bytes, and
> ClientChallenge is variable (90 bytes in the example provided).
> My sample looks more to be in the NTLM format. From NETNTLM_fmt_plug.c
> with both LMResponse and NTLMResponse being 24 bytes.
> How should I format it in the NETNTLMv2 cracking mode?
> I take a wild guess here: maybe ettercap does not recognize NTLMv2
> (development stopped in 2005) and is trunkating the NTLMv2 response at
> the 24th byte. That would explain why all my captured hashes terminate
> with 0101000000000000.


so, I guess I was right (or at least in the right direction). Ettercap
doesn't dump properly NTLMv2 authentication C/R, instead it's
formatting them as NTLMv1.

So I tried a different approach, using wireshark to capture the
packets, and then extracting the hashes myself. Cracking them with
john NETNTLMv2 mode worked wonderfully.

Thanks again for your help.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.