icon

NTLM, NTLMv2

Last modified: 2023-11-11

Windows New Technology LAN Manager (NTLM) is a suite of security protocols.

Hash Formats

The NTLM hash format is a bit comfused, but it looks like the following.
When cracking, we can copy them as they are and paste it.

# NTLM
b4b9b02e6f09a9bd760f388b67351e2b

# NTLMv2 (NetNTLMv2)
admin::EXAMPLE:aaaaaaaaaaaaaaaa:05e616169cf91bd88952bc3ef021dbaf:010100000000000080fc3d82a538d90182f1dba634ba98dd000000000100100053006b005400410052006e00520064000300100053006b005400410052006e0052006400020010006700480068007500670042006200470004001000670048006800750067004200620047000700080080fc3d82a538d901060004000200000008003000300000000000000000000000003000007c8dad06f879f804f9ee43a11aeaf5bf40609db4020697af76cd06f80d81241b0a0010000000000000000000000000000000000009001a0063006900660073002f00310030002e0032002e0034002e0033000000000000000000

Decrypt

There are online cracking tools sucy as CrackStation available.

Using John TheRipper, it might work without specyfing the hash format by detecting automatically, so try the following command.

john --wordlist=wordlist.txt hash.txt

NTLM

john --format=nt --wordlist=wordlist.txt hash.txt

hashcat -m 1000 -a 0 hash.txt wordlist.txt

NTLMv2

john --format=netntlmv2 --wordlist=wordlist.txt hash.txt

hashcat -m 5600 -a 0 hash.txt wordlist.txt

Pass The Hash

Also we can use NTLM hashes to login Windows system via some protocol such as WinRM.