NTLM, NTLMv2

Last modified: 2023-02-05

Cryptography Windows

Windows New Technology LAN Manager (NTLM) is a suite of security protocols.

Hash Formats

The NTLM hash format is a bit comfused, but it looks like the following.
When cracking, we can copy them as they are and paste it.

# NTLM
b4b9b02e6f09a9bd760f388b67351e2b

# NTLMv2 (NetNTLMv2)
admin::EXAMPLE:aaaaaaaaaaaaaaaa:05e616169cf91bd88952bc3ef021dbaf:010100000000000080fc3d82a538d90182f1dba634ba98dd000000000100100053006b005400410052006e00520064000300100053006b005400410052006e0052006400020010006700480068007500670042006200470004001000670048006800750067004200620047000700080080fc3d82a538d901060004000200000008003000300000000000000000000000003000007c8dad06f879f804f9ee43a11aeaf5bf40609db4020697af76cd06f80d81241b0a0010000000000000000000000000000000000009001a0063006900660073002f00310030002e0032002e0034002e0033000000000000000000

Decrypt

There are online cracking tools sucy as CrackStation available.

We can simply run the following command without specifying the hash format (auto detected).

john --wordlist=wordlist.txt hash.txt

NTLM

john --format=nt --wordlist=wordlist.txt hash.txt
# or
hashcat -m 1000 -a 0 hash.txt wordlist.txt

NTLMv2

john --format=netntlmv2 --wordlist=wordlist.txt hash.txt

Pass The Hash

Also we can use NTLM hashes to login Windows system via some protocol such as WinRM.