NTLM, NTLMv2
Last modified: 2023-11-11
Windows New Technology LAN Manager (NTLM) is a suite of security protocols.
Hash Formats
The NTLM hash formats are a bit confusing, but they look like the following.
When cracking, we can copy and paste them as they are.
# NTLM
b4b9b02e6f09a9bd760f388b67351e2b
# NTLMv2 (NetNTLMv2)
admin::EXAMPLE:aaaaaaaaaaaaaaaa:05e616169cf91bd88952bc3ef021dbaf:010100000000000080fc3d82a538d90182f1dba634ba98dd000000000100100053006b005400410052006e00520064000300100053006b005400410052006e0052006400020010006700480068007500670042006200470004001000670048006800750067004200620047000700080080fc3d82a538d901060004000200000008003000300000000000000000000000003000007c8dad06f879f804f9ee43a11aeaf5bf40609db4020697af76cd06f80d81241b0a0010000000000000000000000000000000000009001a0063006900660073002f00310030002e0032002e0034002e0033000000000000000000
Decrypt
There are online cracking tools such as CrackStation available.
With John the Ripper, cracking might work without specifying the hash format because John detects it automatically, so try the following command.
john --wordlist=wordlist.txt hash.txt
NTLM
john --format=nt --wordlist=wordlist.txt hash.txt
hashcat -m 1000 -a 0 hash.txt wordlist.txt
NTLMv2
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt
hashcat -m 5600 -a 0 hash.txt wordlist.txt
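To tell the two formats above apart and see what a captured NetNTLMv2 line actually contains, this added Python example (not from the original page) classifies a hash line, returns the hashcat mode and John format listed above, and decodes the timestamp and AV pairs inside the NTLMv2 blob. The field layout follows MS-NLMP; the function names and the `AV_NAMES` labels are assumptions chosen for illustration.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Tool settings per format, as listed on this page: (hashcat -m, john --format).
TOOLS = {"NTLM": (1000, "nt"), "NetNTLMv2": (5600, "netntlmv2")}
# AvId values from MS-NLMP whose payload is a UTF-16LE string (labels are illustrative).
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
            4: "dns_domain", 9: "target_name"}
NT_RE = re.compile(r"[0-9a-fA-F]{32}")
V2_RE = re.compile(r"([^:]*)::([^:]*):([0-9a-fA-F]{16}):([0-9a-fA-F]{32}):((?:[0-9a-fA-F]{2}){28,})")

def parse_blob(blob):
    """Decode the NTLMv2 client challenge: fixed header, then AV pairs up to EOL."""
    _resp, _hi_resp, filetime, client_chal = struct.unpack_from("<BB6xQ8s", blob, 0)
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    stamp = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    info = {"timestamp": stamp, "client_challenge": client_chal.hex()}
    pos = 28  # header: 2 type bytes, 6 reserved, 8 timestamp, 8 challenge, 4 reserved
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        if av_id == 0 or len(value) < av_len:  # MsvAvEOL or truncated capture
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le", errors="replace")
        pos += 4 + av_len
    return info

def classify(line):
    """Return the format of one hash line plus the matching tool settings."""
    line = line.strip()
    # 32 hex characters is also the shape of MD5 or LM; context must confirm it is an NT hash.
    if NT_RE.fullmatch(line):
        kind, fields = "NTLM", {}
    elif (m := V2_RE.fullmatch(line)):
        user, domain, server_chal, nt_proof, blob = m.groups()
        fields = {"user": user, "domain": domain, "server_challenge": server_chal,
                  "nt_proof_str": nt_proof, **parse_blob(bytes.fromhex(blob))}
        kind = "NetNTLMv2"
    else:
        raise ValueError("not an NT hash or NetNTLMv2 line")
    mode, john_format = TOOLS[kind]
    return {"kind": kind, "hashcat_mode": mode, "john_format": john_format, **fields}

# Sample lines copied from the Hash Formats section of this page.
SAMPLE_NT = "b4b9b02e6f09a9bd760f388b67351e2b"
SAMPLE_V2 = "admin::EXAMPLE:aaaaaaaaaaaaaaaa:05e616169cf91bd88952bc3ef021dbaf:010100000000000080fc3d82a538d90182f1dba634ba98dd000000000100100053006b005400410052006e00520064000300100053006b005400410052006e0052006400020010006700480068007500670042006200470004001000670048006800750067004200620047000700080080fc3d82a538d901060004000200000008003000300000000000000000000000003000007c8dad06f879f804f9ee43a11aeaf5bf40609db4020697af76cd06f80d81241b0a0010000000000000000000000000000000000009001a0063006900660073002f00310030002e0032002e0034002e0033000000000000000000"
```

Calling `classify(SAMPLE_V2)` shows that the capture records the account, the time of the authentication attempt and the service name the client was connecting to, which is useful when triaging where a captured response came from.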
Pass The Hash
We can also use NTLM hashes to log in to Windows systems via protocols such as WinRM.