Kevin Johnson Posted September 23, 2019

Hello. I have a bashbunny and when using quickcreds, I got the following in loot\quickcreds\T405020-1\HTTP-NTLMv2-172.16.64.10.txt:

T405020$::TAHOMASD:faffc9ccfc0ded... faffc9ccfc0ded...

Hashcat will start processing it via brute force, but then again, when I try and use hashcat on another machine with a simple password, it doesn't grab it... so I'm not confident in hashcat. I try and use John the Ripper and it doesn't even recognize this as a valid format.

What am I doing wrong? Is this not a valid hash? Why are there 2 of the same entries??? I try and paste this on various online hash databases, and they all report it's an invalid/unrecognized format.

Please help, thanks!

PoSHMagiC0de Posted September 23, 2019

Hmm, weird-looking NTLMv2 hash. Normally they have username::DomainorMachineName::ntlmv2 hash with salt or vector or whatever you want to call it. I will have to do a smbserver connect to see it and remember, but your hash in the beginning looks funky.

PoSHMagiC0de Posted September 24, 2019

Hmm, maybe it is Responder. From smbserver, an NTLMv2 hash that hashcat and john can recognize, and that smbserver is producing for me from a Win10 machine, should be:

Username::MachineorDomain:VectororSeed:Very_long_hash

I remember Responder used to make the seed 0123456789012345 or something like that, and smbserver uses 41 8 times. You have an extra hash in there.

PoSHMagiC0de Posted September 25, 2019

Okay, I installed Responder really quick so I could remember the output it gives and had my test Win10 box hit it. Yep. That is the correct hash format for Responder. I use hashcat, so I tried it and it matched my password. Brute forcing will take forever if you are doing it without a wordlist, and of course it will not be guessed if the word that is the password is not in the list. In hashcat you are looking for mode 5600, "-m 5600".

Following it up at the end here, I was blind. Both hashes from Responder and smbserver are the same. The case difference threw me off. I looked more carefully and they are identical, so -m 5600 is the correct argument for hashcat.

I also forgot about the rule of the dollar sign at the end of the account. Is that a hash of a service account?
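
Added example, not written by any poster in this thread: a Python check for the six-field `user::domain:challenge:NTProofStr:blob` line layout that hashcat mode 5600 reads. It reports why a pasted line is rejected (truncated, or two entries run together) and drops duplicates that differ only in hex case. The function names and sample lines are constructed for illustration.

```python
import re

HEX = re.compile(r"[0-9a-fA-F]+")

def is_hex(s, length=None):  # even-length hex, optionally of one exact length
    return bool(HEX.fullmatch(s)) and len(s) % 2 == 0 and length in (None, len(s))

def parse_netntlmv2(line):
    """Return (record, problems) for one user::domain:challenge:proof:blob line."""
    parts = line.strip().split(":")
    if len(parts) != 6:
        return None, [f"expected 6 colon-separated fields, got {len(parts)}"]
    user, empty, domain, challenge, proof, blob = parts
    checks = [
        (bool(user) and not empty, "line must start with user::domain"),
        (is_hex(challenge, 16), "server challenge must be 16 hex chars (8 bytes)"),
        (is_hex(proof, 32), "NTProofStr must be 32 hex chars (16 bytes)"),
        (is_hex(blob), "blob must be non-empty, even-length hex"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    rec = {"user": user, "domain": domain, "challenge": challenge.lower(),
           "proof": proof.lower(), "blob": blob.lower(),
           "machine_account": user.endswith("$")}  # trailing $, as on T405020$
    return (None if problems else rec), problems

def triage(lines):
    """Split lines into unique valid records and rejected (line, problems) pairs."""
    seen, unique, rejected = set(), [], []
    for line in lines:
        rec, problems = parse_netntlmv2(line)
        if rec is None:
            rejected.append((line, problems))
            continue
        # Hex case can differ between tools; the parser already lowercased it.
        key = (rec["user"], rec["domain"], rec["challenge"], rec["proof"], rec["blob"])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique, rejected

# Constructed sample lines, not real captures.
GOOD = "WS01$::CORP:1122334455667788:0123456789ABCDEF0123456789ABCDEF:0101000000000000AABBCCDD"
SAMPLE = [
    GOOD,
    "WS01$::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccdd",
    "alice::CORP:1122334455667788:fedcba9876543210fedcba9876543210:0101000000000000aabbccdd",
    "WS01$::CORP:0123456789abcd",  # truncated paste
    GOOD + GOOD,                   # two entries run together on one line
]
```

Calling `triage(SAMPLE)` returns the two unique records and, for each rejected line, the reason a cracking tool or lookup site would not recognize it.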