Awesome
Local NetNTLMv2 Checker
Summary
NB: This is NOT a netNTLMv2 password cracking tool. For large scale dictionary or brute-force attacks a tool such as John or hashcat is recomended.
Check collected cleartext passwords against a netNTLMv2 Response. Designed to process the output from Internal Monologue. This allows verification of cleartext passwords without attempting authentication.
Usage
string netNTLMv2Response = "user::DOMAIN:0123456789abcdef:cbabbca713eb795d04c97abc01ee4983:01010000000000000090d336b734c301ffffff00112233440000000002000c0044004f004d00410049004e0001000c005300450052005600450052000400140064006f006d00610069006e002e0063006f006d00030022007300650072007600650072002e0064006f006d00610069006e002e0063006f006d000000000000000000";
IMChecker checker = new IMChecker(netNTLMv2Response);
Console.WriteLine("password: " + checker.checkPassword("password")); // False
Console.WriteLine("SecREt01: " + checker.checkPassword("SecREt01")); // True
NTLMv2 Response Message
This primarily refereneces an excellent article by Eric Glass on sourceforge and Microsoft's MSD NTLM documentation. Infomration here will touch on the netNTLMv2 Repsonse (Type 3) message. For a more complete understanding of the protocol please read the article and documentation.
Overview
- NTLM hash is obtained (MD4 of user's password).
- Unicode uppercase username is concatenated with the domain or severname (this would normally be provided in the server response message - Type 2).
- The NTLMv2 Hash is calulated from the HMAC_MD5 of these values, using the NTLM hash (see 1.) as the key giving a 16-byte (128-bit) hash (see HMAC for more details on the difference between MD5).
- The NTLMv2 hash is concatenated with some "random" data called the blob (In this usecase we are not concerned with the structure of the blob howerver, it is important in the protocol as it prevents attackers creating rainbow tables for precomputed passwords).
- The HMAC_MD5 is calulated from the NTLMv2 Hash and blob resulting in the final NTLMv2 Response (this is what we see in a netNTLMv2 Response Message).
netNTLMv2
When netNTLMv2 Response Messages (Type 3) are captured they will be in the following format.
USERNAME::DOMAIN:SERVER_CHALLENGE:NTLMv2 Response:Blob
Once captured the type 3 message above can be used, along with a supplied password, to generated a new NTLMv2 Response and the values compared. If a brute-force or dicationary approach is required a tool such as John or Hashcat is more appropriate.
Credits
- C# MD4 Algorithm novotnyllc