Jump to content

NTLM Challenge and Response..


Urieal

Recommended Posts

Well, let's reformat things slightly and break it down, you'll see why nobody answerd (long story short, doesn't look like it can be done).

100B 41B5 94BA 04DA 63FA E1BA 5435 6F70 // HMAC-MD5 of a big chunk of data
0101 0000|0000 0000|81C0 E3F7 63DE CF01 // Signature | reserved | timestamp (which in this case is apparently Thu, 02 Oct 2014 17:11:55 GMT)
A2A1 0142 9D93 08BA|0000 0000|0200 1600 // Nonce | whatever | Target Information Block
4F00 5200 4C00 4100 4E00 4400 4F00 4300 // more TIB...
4F00 5200 5000 0100 1600 4200 4100 5500 // and more...
4D00 4100 4E00 4C00 2D00 3000 3000 3100 // and more..
0400 2A00 6C00 6F00 6300 6100 6C00 2E00
6F00 7200 6C00 6100 6E00 6400 6F00 6300
6F00 7200 7000 2E00 6300 6F00 6D00 0300
4200 4200 4100 5500 4D00 4100 4E00 4C00
2D00 3000 3000 3100 2E00 6C00 6F00 6300
6100 6C00 2E00 6F00 7200 6C00 6100 6E00
6400 6F00 6300 6F00 7200 7000 2E00 6300
6F00 6D00 0500 2A00 6C00 6F00 6300 6100
6C00 2E00 6F00 7200 6C00 6100 6E00 6400
6F00 6300 6F00 7200 7000 2E00 6300 6F00
6D00 0800 3000 3000 0000 0000 0000 0000
0000 0030 0000 E42E 6D57 6615 B39A 2EC0
EC94 D30E 549B 670B EC19 EDA0 12CC 5216
C45D BD51 5C19 0A00 1000 0000 0000 0000
0000 0000 0000 0000 0000 0900 2800 6300
6900 6600 7300 2F00 3100 3900 3200 2E00
3100 3600 3800 2E00 3100 3000 3500 2E00
3100 3000 3800 0000 0000|0000 0000 // Final bit of TIB | unknown.

Now, the password is used somewhere in that first chunk, but not in a particularly useful manner. To wit:

1. Take the password and create the MD4 hash of it. This produces the NTLM Hash.

2. Concatenate the username and the domain name, uppercase it and compute the HMAC-MD5 of it using the NTLM Hash as a key. This produces the NTLMv2 Hash.

3. Now take ALL that data from the response after that first chunk. Prepend the challenge, and then compute the HMAC-MD5 of it, using the NTLMv2 hash as a key. This is that first chunk.

I don't expect people will be lining up to tell you just what that password in step 1 was, based on the data available.

Detailed description, with examples, of the NTLM challenge-response protocol

Edited by Cooper
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...