Jump to content

QuickCreds - NTLMv2 Hash - Isn't recognized?!


Kevin Johnson
 Share

Recommended Posts

Hello.  I have a bashbunny and when using quickcreds, I got the following in loot\quickcreds\T405020-1\HTTP-NTLMv2-172.16.64.10.txt:

T405020$::TAHOMASD:faffc9ccfc0ded35:A0989EB9360BF247E6BECA9B27515429:01010000000000008FBE655A2170D501A267FDD3D836A289000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000000000000004000006DA227EC2F9D7B71310153621DA861C0203DFC934FFB4D00B039DC31B1F9CB860A001000000000000000000000000000000000000900380048005400540050002F00630074006C0064006C002E00770069006E0064006F00770073007500700064006100740065002E0063006F006D000000000000000000
T405020$::TAHOMASD:faffc9ccfc0ded35:A0989EB9360BF247E6BECA9B27515429:01010000000000008FBE655A2170D501A267FDD3D836A289000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000000000000004000006DA227EC2F9D7B71310153621DA861C0203DFC934FFB4D00B039DC31B1F9CB860A001000000000000000000000000000000000000900380048005400540050002F00630074006C0064006C002E00770069006E0064006F00770073007500700064006100740065002E0063006F006D000000000000000000
 

Hashcat will start processing it via brute force, but then again, when I try and use hashcat on another machine with a simple password, it doesn't grab it... so I'm not confident in hashcat.  

I try and use John the Ripper and it doesn't even recognize this as a valid format.

What am I doing wrong?  Is this not a valid hash?  Why are there 2 of the same entries???  I try and paste this on various online hash databases, and they all report it's an invalid/unrecognized format.

 

Please help, thanks!

Link to comment
Share on other sites

Hmm, maybe it is responder.  From smbserver a ntlmv2 hash that hashcat and john can recognize and smbserver is producing for me from a win10 machine should be:

Username::MachineorDomain:VectororSeed:Very_long_hash

I remember responder used to make the seed 0123456789012345 or something like that and smbserver uses 41 8 times.

You have an extra hash in there.

 

Link to comment
Share on other sites

Okay, I installed Reponder really quick so I can remember the output it gives and had my test win10 box hit it.  Yelp.  That is the correct hash format for responder.  I use Hashcat so I tried it and it matched my password.  Brute forcing will take forever if you are doing it without a wordlist and of course it will not be guessed it word is not in list that is password.

In hashcat you are looking for mode 5600  "-m 5600".

Following it up at the end here, I was blind.  Both hashes from responder and smbserver are the same.  The case difference threw me off.  I looked more carefully and they are identical so -m 5600 is the correct argument for hashcat.

 

I also forgot about the rule of the dollarsign at the end of the account.  Is that a hash of a service account?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...