NTLMRawUnhide.py

Author : Mike Gualtieri
Blog : https://www.mike-gualtieri.com
Twitter : https://twitter.com/mlgualtieri
GitHub : https://github.com/mlgualtieri/NTLMRawUnhide
Write up: https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol

Intro

NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was developed to extract NTLMv2 hashes from files generated by native Windows binaries like NETSH.EXE and PKTMON.EXE without conversion.

The following binary network packet capture formats are supported:

  • *.pcap
  • *.pcapng
  • *.cap
  • *.etl

Usage

Usage: NTLMRawUnhide.py -i <inputfile> [-o <outputfile>] [-f] [-h] [-q] [-v]
Main options:
  -f, --follow               Continuously "follow" (e.g. "read from")
                             input file for new data
  -h, --help
  -i, --input  <inputfile>   Binary packet data input file
                             (.pcap, .pcapng, .cap, .etl, others?)
  -o, --output <outputfile>  Output file to record any found NTLM
                             hashes
  -q, --quiet                Be a lot more quiet and only output
                             found NTLM hashes. --quiet will also
                             disable verbose, if specified.
  -v, --verbose

Examples

Extract NTLMv2 hashes from examples/capture.pcap:

python3 NTLMRawUnhide.py -i examples/capture.pcap

Same, but with verbose output:

python3 NTLMRawUnhide.py -i examples/capture.pcap -v

Extract NTLMv2 hashes from examples/capture.pcap and continue to monitor the file for new hashes (like tail -f):

python3 NTLMRawUnhide.py -i examples/capture.pcap -f

Extract NTLMv2 hashes from examples/capture.pcap and write extracted hashes to /tmp/hashes.txt:

python3 NTLMRawUnhide.py -i examples/capture.pcap -o /tmp/hashes.txt

Packet Capture Methods

To create a compatible packet capture file, any of the following methods can be used:

  • Wireshark:
Set capture filter as "tcp port 445"; Save as .pcapng
  • tcpdump
tcpdump -i eth0 -w capture.pcap "port 445"
  • NETSH.EXE
netsh.exe trace start persistent=yes capture=yes TCP.AnyPort=445 tracefile=C:\Users\Public\capture.etl
netsh.exe trace stop
  • PKTMON.EXE
pktmon.exe filter add SMB -p 445
:: List all filters
pktmon.exe filter list
:: Find id of the network adapter (example > Id: 9)
pktmon.exe comp list
:: pktmon.exe start --etw -p 0 -c [Adapter ID]
pktmon.exe start --etw -p 0 -c 9
:: Will create the file PktMon.etl in current directory
pktmon.exe stop
:: Cleanup
pktmon.exe filter remove

References

The following page was very helpful when building this tool: "The NTLM Authentication Protocol and Security Support Provider", http://davenport.sourceforge.net/ntlm.html

ntlmrawunhide's Issues

Output from NTLMRawUnhide not cracked by hashcat because of backslash in user name field.

For testing NTLMRawUnhide I captured an NTLMv2 challenge in my AD lab for a user I had created with a password from rockyou.txt.

The password was cracked without problems by John the Ripper, but hashcat 6.1.1 wouldn't crack it.

After some testing I found that the backslash in the username field was the problem.

Changing it from ADLAB\dabob::DC01:30d31bd5(...) to dabob::ADLAB:30d31bd5(...) or dabob::DC01:30d31bd5(...) made hashcat crack the hash without problems.

Looking at the hashcat example hashes at https://hashcat.net/wiki/doku.php?id=example_hashes, the username field there contains only the username, not the domain.

Attached

The attached file, files.zip, contains the following:

  • trace.etl: the capture I ran NTLMRawUnhide on
  • hashes.txt: The file output by NTLMRawUnhide, which JtR did crack, but not hashcat
  • hashes_modified.txt: The modified file that was cracked by both JtR and hashcat

Recursion Error

This works well, and it runs for a while using

python NTLMRawUnHide.py -i tsharkoutput.pcapng -f -o tsharkhashes.txt

It finds and saves some hashes, but eventually fails with the following:

Traceback (most recent call last):
File "c:\apps\NTLM\NTLMRawUnHide.py", line 413, in <module>
main(sys.argv[1:])
File "c:\apps\NTLM\NTLMRawUnHide.py", line 408, in main
searchCaptureFile(infile, outfile, verbose, follow, quiet, 0)
File "c:\apps\NTLM\NTLMRawUnHide.py", line 263, in searchCaptureFile
searchCaptureFile(infile, outfile, verbose, follow, quiet, last_byte)
File "c:\apps\NTLM\NTLMRawUnHide.py", line 263, in searchCaptureFile
searchCaptureFile(infile, outfile, verbose, follow, quiet, last_byte)
File "c:\apps\NTLM\NTLMRawUnHide.py", line 263, in searchCaptureFile
searchCaptureFile(infile, outfile, verbose, follow, quiet, last_byte)
[Previous line repeated 990 more times]
File "c:\apps\NTLM\NTLMRawUnHide.py", line 92, in searchCaptureFile
with open(infile, 'rb') as fp:
RecursionError: maximum recursion depth exceeded while calling a Python object.

Packets are captured in a separate (root) terminal using
tshark -a filesize:1000000 -i 7 -f "tcp port 445" -F pcapng -w tsharkoutput.pcapng
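The traceback above shows follow mode re-entering searchCaptureFile once per poll, so the call stack grows by one frame each time the file is checked until Python's recursion limit trips. As an added example (not the project's code), the same tail -f behaviour written as a loop-driven generator under the hypothetical name follow_chunks; it also restarts from offset zero when the capture file is truncated or rotated, which the -a filesize option above can cause:

```python
import os
import sys
import time
from typing import Callable, Iterator, Tuple


def follow_chunks(path: str, poll_interval: float = 1.0) -> Iterator[Tuple[int, bytes]]:
    """Yield (new_offset, new_bytes) each time `path` grows, like tail -f.

    A while-loop re-reads the file from the last offset, so call depth is
    constant no matter how long the capture keeps growing. Re-entering the
    search function for every poll (as in the traceback) instead adds one
    stack frame per poll and ends in RecursionError after ~1000 polls.
    If the file shrinks (truncated or rotated by the capture tool) the
    offset is reset so reading restarts from the new file's beginning.
    """
    last_byte = 0
    while True:
        try:
            size = os.path.getsize(path)
        except FileNotFoundError:  # capture file not created yet
            size = 0
        if size < last_byte:  # file was truncated or replaced
            last_byte = 0
        if size > last_byte:
            with open(path, "rb") as fp:
                fp.seek(last_byte)
                chunk = fp.read()
            last_byte += len(chunk)
            yield last_byte, chunk
        else:
            time.sleep(poll_interval)


def follow_and_scan(path: str, scan: Callable[[bytes], None], poll_interval: float = 1.0) -> None:
    """Feed every new chunk to `scan` (e.g. an NTLMSSP search) in a loop.

    A scanner that parses records must buffer any trailing partial packet
    itself, since a chunk boundary can fall in the middle of a packet.
    """
    for offset, chunk in follow_chunks(path, poll_interval):
        scan(chunk)
        print(f"scanned {len(chunk)} new bytes, now at offset {offset}", file=sys.stderr)


if __name__ == "__main__":
    # Demo: report growth of the capture file named on the command line.
    follow_and_scan(sys.argv[1], lambda chunk: None)
```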
