
SMB NTLMv2 password cracking with wireshark


Elevant


Hey fellow haxors!

So I went to this Boecore CTF the other day and there was this SMB challenge that I couldn't solve, and it bothers me. I grabbed the pcap file and have been trying to crack it. The SMB pcap file can be found here: https://files.fm/u/9y2urrne

In the .pcap you can see someone connecting to an SMB share and using NTLMv2 authentication. It was hinted that weak authentication was used, so I extracted the hashes and constructed the following hash:

alice::WORKGROUP:85b0128d82e3e115:014E8558E4FCA12FFA3BC61C343CD2C5:0101000000000000078FD032B8B8D201BCE1291B57213FCC00000000020016004D0053004500440047004500570049004E0031003000010016004D0053004500440047004500570049004E0031003000040016004D0053004500440047004500570049004E0031003000030016004D0053004500440047004500570049004E003100300007000800078FD032B8B8D2010600040002000000080030003000000000000000000000000000000076B67B136D3A6BAB88BE1C2FBC2CA4D2E4678A89DE1D404D79C218AFB77937A40A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E0031002E003200360000000000

I have tried to crack this with hashcat using the rockyou and darkc0de wordlists but no luck. Does anybody have any ideas how to crack this? Am I looking in the wrong place, or do I just need a better wordlist? Since it is a CTF challenge, it can't be too sophisticated.


I don't think you can crack the hash like that. I tried hashcat with some dictionaries but I realised password complexity is not the issue.

If you check the packets closely you will see that he is using null values for most fields.

In packet 8 he is presented with the server challenge value of 85b0128d82e3e115, which is later used for encrypting the password hash (LM hash).

He sends the encrypted password hashes (LM hash and NTLM hash) in packet 9 and requests the path \\192.168.1.26\C$ along with extended signature values in packet 11.


I am not sure I understand how the null values would affect cracking this. To my knowledge the server sends the challenge and the client responds with an NTLM challenge, part of which is the client encrypting the server challenge with its password hash. So having the server challenge and the response should be enough to crack it, but I agree with you that there must be something more to it.


15 hours ago, Elevant said:

I am not sure I understand how the null values would affect cracking this.

What I'm saying is, it's probably a null password as well but hashcat just doesn't recognise it as one.

Reference packet 11: signature states that password length is 1 and password value is 00.

At this point, it doesn't even matter what the password value is because you can just use the hash value itself to authenticate.


7 hours ago, icarus255 said:

What I'm saying is, it's probably a null password as well but hashcat just doesn't recognise it as one.

Reference packet 11: signature states that password length is 1 and password value is 00.

At this point, it doesn't even matter what the password value is because you can just use the hash value itself to authenticate.

Ahh, I see now. Did not think of looking for that. I guess the solution was easier than I thought. Thanks m8!
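Added example (not part of the thread, and not code from either poster): a small Python implementation of the NTLMv2 computation the thread is cracking (MD4 NT hash, NTOWFv2, then NTProofStr over the server challenge and client blob), with a helper that tests a single candidate, such as the empty password icarus255 suspects, against a hashcat -m 5600 line like the one alice's capture produced. The reference vector used for the check is taken from MS-NLMP section 4.2.4; the MD4 is pure Python because hashlib's md4 is absent on many OpenSSL 3 builds.

```python
import hashlib
import hmac
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is missing on many OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, [i % 4 * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian 64-bit integer.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4]), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over UTF-16LE UPPER(user) + domain."""
    nt_hash = md4(password.encode("utf-16-le"))  # NT hash = MD4 of the UTF-16LE password
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over the 8-byte server challenge + client blob."""
    return hmac.new(ntowf_v2(password, user, domain), server_challenge + blob, hashlib.md5).digest()

def password_matches(hashcat_line: str, candidate: str) -> bool:
    """Test one candidate against a hashcat -m 5600 line: user::domain:challenge:proof:blob (hex)."""
    user, _, domain, challenge, proof, blob = hashcat_line.strip().split(":")
    computed = ntlmv2_proof(candidate, user, domain, bytes.fromhex(challenge), bytes.fromhex(blob))
    return hmac.compare_digest(computed, bytes.fromhex(proof))

# Reference vector from MS-NLMP 4.2.4 (user "User", domain "Domain", password "Password", server
# challenge 0123456789abcdef, client challenge aa*8, zero timestamp), rebuilt as a hashcat line.
MSNLMP_BLOB = ("0101000000000000" "0000000000000000" "aaaaaaaaaaaaaaaa" "00000000"
               "02000c00" "44006f006d00610069006e00" "01000c00" "530065007200760065007200"
               "00000000" "00000000")
MSNLMP_LINE = "User::Domain:0123456789abcdef:68cd0ab851e51c96aabc927bebef6a1c:" + MSNLMP_BLOB
```

Paste the line from the capture above into `password_matches(line, "")` to confirm or rule out the empty-password theory directly, without depending on whether a wordlist happens to contain a blank entry.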
