The best way to capture NETLM/NETNTLMv1 authentication is with something like Metasploit’s SMB Capture or with Responder. Keep in mind that this will only work for clients that are susceptible to being downgraded to LANMAN or NTLMv1 (typically enabled if there are any pre-Windows Vista machines on the network). There are a number of articles on the LmCompatibilityLevel setting in Windows, but this will only work if a client has this setting at 2 or lower. Below we show how to capture a NETNTLMv1 hash using Responder and Kali Linux and then crack the NTHASH (password equivalent) for free using our service, which works 100% of the time.
Capturing using Responder
First you’ll want to install Kali Linux and edit the /etc/responder/Responder.conf file to include the magical 1122334455667788 challenge:
...
HTTPS = On
DNS = On
LDAP = On
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
; SQLite Database file
...
Then fire up Responder on your network interface and tell it to downgrade to LM:
# responder -I eth0 --lm
Only LANMAN and NTLMv1 hashes from Responder can be cracked by crack.sh. NTLMv2 hashes don’t use DES and will need to be cracked to the password using a tool like John the Ripper. If you happen to capture NTLMv1-SSP hashes, you will need to properly format them for submission to the system, and unfortunately they cannot be cracked for free with the rainbow table.
To crack a captured hash, just take the 48 HEX response characters from the hash string and add NTHASH: in front.
username::hostname:response:response:challenge -> NTHASH:response
For example, the submission hash for the capture shown above would be
And then submit the NTHASH to our Get Cracking page to crack it for free. If you have a LANMAN or NTLMv1 challenge/response hash that’s not for the 1122334455667788 challenge, we will also accept them in John the Ripper NETNTLM and NETLM format, but they aren’t free because they must be brute-forced.
NOTE: Due to major backlogs of jobs, we have recently changed our service to not brute-force free jobs that don’t fall within the 95% coverage of our rainbow tables. If your free job fails, you will need to resubmit and pay to have it brute-forced. Otherwise, you’re more than welcome to keep submitting other free jobs until a key is found within the rainbow table coverage!
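For the remediation side of an assessment, the capture lines can be sorted into the three response types distinguished above to list the hosts still answering with NTLMv1, meaning those whose LmCompatibilityLevel is 2 or lower. The following is an added example, not code from this page or from Responder; the function names and sample lines are constructed, and the NTLMv1-SSP padding layout and NTLMv2 field lengths are assumed from the NTLM protocol and the John the Ripper NETNTLM formats, not taken from this page.

```python
import re

FIXED_CHALLENGE = "1122334455667788"  # the challenge value set in Responder.conf above
HEX = re.compile(r"^[0-9A-Fa-f]*$")
SAMPLE = [  # constructed lines for illustration, not real captures
    "alice::WS01:" + "A1" * 24 + ":" + "B2" * 24 + ":1122334455667788",
    "bob::WS02:" + "C3" * 8 + "00" * 16 + ":" + "D4" * 24 + ":1122334455667788",
    "carol::WS03:1122334455667788:" + "E5" * 16 + ":" + "0101" + "F6" * 40,
]

def classify(line):
    """Return (user, host, kind, note) for one user::host:field:field:field line."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        return ("", "", "unrecognized", "not user::host:field:field:field")
    user, _, host, f1, f2, f3 = parts
    if not all(HEX.match(f) for f in (f1, f2, f3)):
        return (user, host, "unrecognized", "non-hex field")
    # NTLMv1 family: two 24-byte responses followed by the 8-byte server challenge.
    if len(f1) == 48 and len(f2) == 48 and len(f3) == 16:
        # With extended session security the first field is an 8-byte client
        # challenge padded with 16 zero bytes, so the server challenge alone
        # no longer determines the DES input.
        if f1[16:] == "0" * 32:
            return (user, host, "NTLMv1-SSP", "client challenge mixed in")
        fixed = f3 == FIXED_CHALLENGE
        note = "fixed challenge: table lookup applies" if fixed else "random challenge"
        return (user, host, "NTLMv1", note)
    # NTLMv2: server challenge, 16-byte HMAC-MD5 proof, variable-length blob.
    if len(f1) == 16 and len(f2) == 32 and len(f3) > 32:
        return (user, host, "NTLMv2", "no DES involved")
    return (user, host, "unrecognized", "unexpected field lengths")

def hosts_to_remediate(lines):
    """Hosts that answered with any NTLMv1 variant (LmCompatibilityLevel <= 2)."""
    kinds = (classify(line) for line in lines)
    return sorted({host for _, host, kind, _ in kinds if kind.startswith("NTLMv1")})

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print("raise LmCompatibilityLevel on:", hosts_to_remediate(SAMPLE))
```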