The best way to capture NETLM/NETNTLMv1 authentication is with either Metasploit’s SMB Capture or Responder. Keep in mind that this will only work for clients that are susceptible to being downgraded to LANMAN or NTLMv1 (typically enabled if there are any pre-Windows Vista machines on the network). There are a number of articles on the LmCompatibilityLevel setting in Windows, but this will only work if a client has this setting at 2 or lower. Below we show how to capture a NETNTLMv1 hash using Responder and Kali Linux, and then how to crack the NTHASH (password equivalent) for free using our service, which works 100% of the time.
Capturing using Responder
First you’ll want to install Kali Linux and edit the /etc/responder/Responder.conf file to include the magical 1122334455667788 challenge:
...
HTTPS = On
DNS = On
LDAP = On
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
; SQLite Database file
...
Then fire up Responder on your network interface and tell it to downgrade to LM:
# responder -I eth0 --lm
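Because the challenge configured above is a constant, it also works as a detection signature. The following is an added example (not from the original page or from Responder) that parses an NTLMSSP CHALLENGE message taken from an HTTP `WWW-Authenticate: NTLM` header value and flags the 1122334455667788 server challenge; the function names and the sample message builder are constructed for illustration, and it assumes your monitoring already exposes that header value.

```python
import base64
import struct

# The fixed server challenge this page sets in Responder.conf.
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
# NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: with it, a client nonce is mixed into the response.
FLAG_ESS = 0x00080000


def parse_challenge(blob: bytes):
    """Return (server_challenge, flags) for an NTLMSSP CHALLENGE message, else None."""
    # Fixed header: signature(8) type(4) target-name fields(8) flags(4) challenge(8)
    if len(blob) < 32 or not blob.startswith(NTLMSSP_SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type != CHALLENGE_MESSAGE:
        return None
    (flags,) = struct.unpack_from("<I", blob, 20)
    return blob[24:32], flags


def inspect_header(value: str):
    """Classify one 'NTLM <base64>' WWW-Authenticate header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        blob = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    parsed = parse_challenge(blob)
    if parsed is None:
        return None
    challenge, flags = parsed
    return {
        "challenge": challenge.hex(),
        "static_challenge": challenge == STATIC_CHALLENGE,
        "ess_offered": bool(flags & FLAG_ESS),
    }


def build_sample(challenge: bytes, flags: int) -> str:
    """Constructed test input: a minimal CHALLENGE message with an empty target name."""
    header = struct.pack("<IHHII", CHALLENGE_MESSAGE, 0, 0, 32, flags)
    blob = NTLMSSP_SIGNATURE + header + challenge
    return "NTLM " + base64.b64encode(blob).decode()
```

A hit on `static_challenge` without `ess_offered` is the combination worth alerting on, since a legitimate server is expected to generate a fresh challenge for every request.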
Only LANMAN and NTLMv1 hashes from Responder can be cracked by crack.sh. NTLMv2 hashes don’t use DES and will need to be cracked to the password with a tool like John the Ripper. To crack a captured hash, just take the 48 hex response characters from the hash string and add NTHASH: in front.
username::hostname:response:response:challenge -> NTHASH:response
For example, the submission hash for the capture shown above would be
And then submit the NTHASH to our Get Cracking page to crack it for free. If you have a LANMAN or NTLMv1 challenge/response hash that’s not for the 1122334455667788 challenge, we will also accept them in John the Ripper NETNTLM and NETLM format, but they aren’t free because they must be brute-forced.