Elevant Posted November 10, 2018: Hey fellow haxors! So I went to this Boecore CTF the other day and there was this SMB challenge that I couldn't solve and it bothers me. I grabbed the pcap file and have been trying to crack it. The SMB pcap file can be found here: https://files.fm/u/9y2urrne In the .pcap you can see someone connecting to an SMB share and using NTLMv2 authentication. It was hinted that weak authentication was used. So I extracted the hashes and constructed the following hash: alice::WORKGROUP:85b0128d82e3e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 I have tried to crack this with hashcat using the rockyou and darkc0de wordlists but no luck. Does anybody have some ideas how to crack this? Am I looking in the wrong place, or do I just need a better wordlist? Since it is a CTF challenge, it can't be too sophisticated.
icarus255 Posted November 10, 2018: I don't think you can crack the hash like that. I tried hashcat with some dictionaries but I realised password complexity is not the issue. If you check the packets closely you will see that he is using null values for most fields. In packet 8 he is presented with the server challenge value of 85b0128d82e3e115, which is later used for encrypting the pass hash (LM hash). He sends the encrypted pass hashes (LM hash and NTLM hash) in packet 9 and requests the path \\192.168.1.26\C$ along with extended signature values in packet 11.
Elevant (Author) Posted November 10, 2018: I am not sure I understand how the null values would affect cracking this. To my knowledge the server sends the challenge and the client responds with an NTLM response, part of which is the server challenge encrypted by the client with its password hash. So having the server challenge and the response should be enough to crack it, but I agree with you that there must be something more to it.
Bigbiz Posted November 11, 2018: Use John the Ripper?
icarus255 Posted November 11, 2018: 15 hours ago, Elevant said: "I am not sure I understand how the null values would affect cracking this." What I'm saying is, it's probably a null password as well, but hashcat just doesn't recognise it as one. Reference packet 11: the signature states that the password length is 1 and the password value is 00. At this point, it doesn't even matter what the password value is, because you can just use the hash value itself to authenticate.
Elevant (Author) Posted November 11, 2018: 7 hours ago, icarus255 said: "What I'm saying is, it's probably a null password as well, but hashcat just doesn't recognise it as one. Reference packet 11: the signature states that the password length is 1 and the password value is 00. At this point, it doesn't even matter what the password value is, because you can just use the hash value itself to authenticate." Ahh, I see now. Did not think of looking for that. I guess the solution was easier than I thought. Thanks m8!