Urieal Posted October 2, 2014 (edited)

Cleared for Confidentiality. Mods please delete post.

Edited October 5, 2014 by Urieal

Urieal Posted October 3, 2014 (edited)

Cleared for Confidentiality. Mods please delete post.

Edited October 5, 2014 by Urieal

Urieal Posted October 3, 2014 (edited)

Cleared for Confidentiality. Mods please delete post.

Edited October 5, 2014 by Urieal
cooper Posted October 3, 2014 (edited)

Well, let's reformat things slightly and break it down, you'll see why nobody answered (long story short, doesn't look like it can be done).

    100B 41B5 94BA 04DA 63FA E1BA 5435 6F70   // HMAC-MD5 of a big chunk of data
    0101 0000|0000 0000|81C0 E3F7 63DE CF01   // Signature | reserved | timestamp (which in this case is apparently Thu, 02 Oct 2014 17:11:55 GMT)
    A2A1 0142 9D93 08BA|0000 0000|0200 1600   // Nonce | whatever | Target Information Block
    4F00 5200 4C00 4100 4E00 4400 4F00 4300   // more TIB...
    4F00 5200 5000 0100 1600 4200 4100 5500   // and more...
    4D00 4100 4E00 4C00 2D00 3000 3000 3100   // and more..
    0400 2A00 6C00 6F00 6300 6100 6C00 2E00
    6F00 7200 6C00 6100 6E00 6400 6F00 6300
    6F00 7200 7000 2E00 6300 6F00 6D00 0300
    4200 4200 4100 5500 4D00 4100 4E00 4C00
    2D00 3000 3000 3100 2E00 6C00 6F00 6300
    6100 6C00 2E00 6F00 7200 6C00 6100 6E00
    6400 6F00 6300 6F00 7200 7000 2E00 6300
    6F00 6D00 0500 2A00 6C00 6F00 6300 6100
    6C00 2E00 6F00 7200 6C00 6100 6E00 6400
    6F00 6300 6F00 7200 7000 2E00 6300 6F00
    6D00 0800 3000 0000 0000 0000 0000 0000
    0030 0000 E42E 6D57 6615 B39A 2EC0 EC94
    D30E 549B 670B EC19 EDA0 12CC 5216 C45D
    BD51 5C19 0A00 1000 0000 0000 0000 0000
    0000 0000 0000 0000 0900 2800 6300 6900
    6600 7300 2F00 3100 3900 3200 2E00 3100
    3600 3800 2E00 3100 3000 3500 2E00 3100
    3000 3800 0000 0000|0000 0000             // Final bit of TIB | unknown.

Now, the password is used somewhere in that first chunk, but not in a particularly useful manner. To wit:

1. Take the password and create the MD4 hash of it. This produces the NTLM Hash.
2. Concatenate the username and the domain name, uppercase it and compute the HMAC-MD5 of it using the NTLM Hash as a key. This produces the NTLMv2 Hash.
3. Now take ALL that data from the response after that first chunk. Prepend the challenge, and then compute the HMAC-MD5 of it, using the NTLMv2 hash as a key. This is that first chunk.
I don't expect people will be lining up to tell you just what that password in step 1 was, based on the data available.

Detailed description, with examples, of the NTLM challenge-response protocol

Edited October 3, 2014 by Cooper
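The blob cooper decoded by hand can be parsed programmatically, which is what an incident responder does with a captured NTLMSSP exchange to learn which host and service a client authenticated to, and when. The Python below is an added example and is not code from this thread or from any NTLM library. It follows the NTLMv2_RESPONSE layout from MS-NLMP (NTProofStr, RespType/HiRespType, the little-endian FILETIME timestamp, the client challenge, then an AV_PAIR list terminated by MsvAvEOL), converts the timestamp and decodes the UTF-16LE target-information strings. The function and field names are my own. The sample response is constructed from the post above: its first 44 bytes are the dump verbatim and the AV pairs are rebuilt from the names the dump decodes to, except that the MsvAvSingleHost pair is left out because the dump in the post carries 46 bytes where that pair declares 48, so the pairs after it would not line up.

```python
import struct
from datetime import datetime, timedelta, timezone

# AvId values of the AV_PAIR structure (MS-NLMP section 2.2.2.1).
AV_IDS = {
    0x0000: "MsvAvEOL",
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags",
    0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost",
    0x0009: "MsvAvTargetName",
    0x000A: "MsvAvChannelBindings",
}
# AvIds whose value is a UTF-16LE string.
UTF16_IDS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_av_pairs(data, offset):
    """Walk the AV_PAIR list starting at `offset`; return (decoded pairs, offset just past MsvAvEOL)."""
    pairs = []
    while True:
        if offset + 4 > len(data):
            raise ValueError("AV_PAIR list runs past the end of the response (no MsvAvEOL)")
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        value = data[offset + 4:offset + 4 + av_len]
        if len(value) != av_len:  # declared length must fit in the remaining bytes
            raise ValueError(f"AV_PAIR 0x{av_id:04x} declares {av_len} bytes, only {len(value)} present")
        offset += 4 + av_len
        if av_id == 0x0000:
            return pairs, offset
        name = AV_IDS.get(av_id, f"Unknown(0x{av_id:04x})")
        if av_id in UTF16_IDS:
            decoded = value.decode("utf-16-le")
        elif av_id == 0x0007:  # MsvAvTimestamp is itself a FILETIME
            decoded = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 0x0006:  # MsvAvFlags is a 32-bit flag word
            decoded = struct.unpack("<I", value)[0]
        else:
            decoded = value.hex()
        pairs.append((name, decoded))


def parse_ntlmv2_response(data):
    """Split an NTLMv2_RESPONSE into its fields.

    Layout: NTProofStr(16) | RespType(1) HiRespType(1) Reserved1(2) Reserved2(4)
            TimeStamp(8) ChallengeFromClient(8) Reserved3(4) | AV_PAIRs ... | trailing Z(4)
    """
    if len(data) < 44:
        raise ValueError("response shorter than the fixed 44-byte prefix")
    resp_type, hi_resp_type, _r1, _r2, timestamp, client_challenge, _r3 = struct.unpack_from(
        "<BBHIQ8sI", data, 16)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("RespType/HiRespType must both be 1 for an NTLMv2 response")
    pairs, end = parse_av_pairs(data, 44)
    return {
        "nt_proof_str": data[:16].hex(),
        "timestamp": filetime_to_datetime(timestamp),
        "client_challenge": client_challenge.hex(),
        "av_pairs": pairs,
        "trailing": data[end:].hex(),
        # Everything after NTProofStr is what the HMAC-MD5 in NTProofStr covers (with the
        # server challenge prepended), i.e. cooper's step 3.
        "temp": data[16:].hex(),
    }


def _av(av_id, value):
    """Encode one AV_PAIR (helper used only to build the constructed sample)."""
    return struct.pack("<HH", av_id, len(value)) + value


def _u16(text):
    return text.encode("utf-16-le")


# Constructed sample: first 44 bytes are the post's dump verbatim; AV pairs are rebuilt from the
# names it decodes to. MsvAvSingleHost is omitted because the post's dump is short there.
SAMPLE_RESPONSE = (
    bytes.fromhex("100B41B594BA04DA63FAE1BA54356F70")        # NTProofStr (HMAC-MD5)
    + bytes.fromhex("0101 0000 00000000")                    # RespType, HiRespType, Reserved1, Reserved2
    + bytes.fromhex("81C0E3F763DECF01")                      # TimeStamp, little-endian FILETIME
    + bytes.fromhex("A2A101429D9308BA")                      # ChallengeFromClient (the "nonce")
    + bytes.fromhex("00000000")                              # Reserved3
    + _av(0x0002, _u16("ORLANDOCORP"))                       # MsvAvNbDomainName
    + _av(0x0001, _u16("BAUMANL-001"))                       # MsvAvNbComputerName
    + _av(0x0004, _u16("local.orlandocorp.com"))             # MsvAvDnsDomainName
    + _av(0x0003, _u16("BAUMANL-001.local.orlandocorp.com")) # MsvAvDnsComputerName
    + _av(0x0005, _u16("local.orlandocorp.com"))             # MsvAvDnsTreeName
    + _av(0x000A, bytes(16))                                 # MsvAvChannelBindings (all zero)
    + _av(0x0009, _u16("cifs/192.168.105.108"))              # MsvAvTargetName
    + _av(0x0000, b"")                                       # MsvAvEOL
    + bytes(4)                                               # trailing Z(4), the post's "unknown"
)

if __name__ == "__main__":
    parsed = parse_ntlmv2_response(SAMPLE_RESPONSE)
    print("NTProofStr      :", parsed["nt_proof_str"])
    print("Timestamp       :", parsed["timestamp"].strftime("%a, %d %b %Y %H:%M:%S GMT"))
    print("Client challenge:", parsed["client_challenge"])
    for name, value in parsed["av_pairs"]:
        print(f"  {name:<22} {value}")
```

Running it recovers the same timestamp cooper worked out (Thu, 02 Oct 2014 17:11:55 GMT) and shows the target name cifs/192.168.105.108, i.e. the client was authenticating to an SMB service on that address. Two details matter for anyone inspecting such blobs: the parser refuses a truncated AV_PAIR list instead of silently mis-aligning (the failure mode a short dump like the one in the post would trigger), and the `temp` field is exactly the region the leading HMAC protects, which is why a relay or proxy cannot edit the target information without invalidating NTProofStr.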