Cracking NTLMv1 \w ESS/SSP

A number of people have been asking about how they can crack NTLMv1 with SSP that they’ve been getting from using Responder. These are hashes that look like this:

[SMB] NTLMv1-SSP Client   : 184.64.60.62
[SMB] NTLMv1-SSP Username : DUSTIN-5AA37877\hashcat
[SMB] NTLMv1-SSP Hash     : hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788

To do this, you’ll need to reformat your hash to properly be submitted to the system. First, check out EvilMog‘s great ntlmv1-multi tool on github: https://github.com/evilmog/ntlmv1-multi#ntlmv1-with-ssp

This outlines how to take a NTLMv1 SSP hash from Responder and run it through their ntlmv1-ssp.py tool:

$ python ntlmv1-ssp.py --ssp "hashcat::DUSTIN-5AA37877:85D5BC2CE95161CD00000000000000000000000000000000:892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0:1122334455667788"
Hashfield Split:
['hashcat', '', 'DUSTIN-5AA37877', '85D5BC2CE95161CD00000000000000000000000000000000', '892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0', '1122334455667788']

Hostname: DUSTIN-5AA37877
Username: hashcat
LM Response: 85D5BC2CE95161CD00000000000000000000000000000000
NT Response: 892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0
Client Challenge: 1122334455667788
SRV Challenge: b36d2b9a8607ea77

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 2BBD6C9ABCD021D0 1122334455667788 85D5BC2CE95161CD00000000000000000000000000000000

To crack with hashcat create a file with the following contents:
892F905962F76D32:b36d2b9a8607ea77
3837F613F88DE27C:b36d2b9a8607ea77

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
$NETLM$b36d2b9a8607ea77$892F905962F76D323837F613F88DE27C2BBD6C9ABCD021D0

EvilMog was so nice to modify ntlmv1-ssp.py to output a JtR/crack.sh formatted hash that you can then copy and paste into our job submission system. You’ll notice that the challenge/plaintext is no longer 1122334455667788 so we won’t be able to crack it with the rainbow table. You can submit it to the system to crack it for $20 however!