carnal0wnage

Thursday, July 1, 2010

Revisiting HALFLM Stuff

I covered some of the halflm challenge sniffing stuff in a previous post.

But I had to revisit it the other day for work and couldn't find the actual tables and program from the post.

So here are some updated links.

Where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

Where to grab the program:

http://sourceforge.net/projects/rcracki/

Some gotchas I ran into on the last PT were, for some reason, getting odd hashes in the SMB and NTLM sniffing modules.

In some cases the hashes were not the same for the same username and hostname; these were unusable. I also had some that had a bunch of zeros in them; those were also not crackable.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did get smb_login scanned; that was fun:


1 comment:

solardiz said...

Here's how these C/Rs can be processed with John the Ripper with the jumbo patch applied (and no other tool involved). I formatted the input file as follows (with some sed magic):

ADMIN:::59DE5D885E583167C3A9A92AC42C0AE52F85252CC731BB25:5ADA49D539BD174E7049805DC1004925E25130C33DBE892A:1122334455667788
[...cut...]
ADMIN:::BB49AEFD51ED0DCCD5BE291BD33BE3052F85252CC731BB25:C9B255750BD88AC72E03ADAFDA261E62618C943F7D59DAF5:1122334455667788

First, attack the "NETLM" "hashes" (case insensitive):

host!solar:~/john/john-1.7.6-jumbo-4/run$ ./john --format=netlm pw-netntlm
Loaded 15 password hashes with no different salts (LM C/R DES [netlm])
ADMIN (ADMIN)
PASSWORD (ADMIN)
1234 (ADMIN)
123 (ADMIN)
ASDFGH (ADMIN)
1 (ADMIN)
000000 (ADMIN)
00000000 (ADMIN)
guesses: 8 time: 0:00:00:01 (3) c/s: 1306K trying: BETEMOR
12 (ADMIN)
ROOT (ADMIN)
guesses: 10 time: 0:00:00:04 (3) c/s: 1994K trying: MELACCT
00 (ADMIN)
0000 (ADMIN)
guesses: 12 time: 0:00:00:07 (3) c/s: 1920K trying: KH6869
000 (ADMIN)
0000000 (ADMIN)
guesses: 14 time: 0:00:00:19 (3) c/s: 1281K trying: CESKET1

Now let's try "NETNTLM" (case sensitive):

host!solar:~/john/john-1.7.6-jumbo-4/run$ ./john --format=netntlm pw-netntlm
Loaded 15 password hashes with no different salts (NTLMv1 C/R MD4 DES [netntlm])
ADMIN (ADMIN)
password (ADMIN)
1234 (ADMIN)
123 (ADMIN)
asdfgh (ADMIN)
1 (ADMIN)
000000 (ADMIN)
00000000 (ADMIN)
guesses: 8 time: 0:00:00:01 (3) c/s: 1306K trying: sadie
12 (ADMIN)
root (ADMIN)
guesses: 10 time: 0:00:00:03 (3) c/s: 2371K trying: phdigh
0000 (ADMIN)
00 (ADMIN)
guesses: 12 time: 0:00:00:06 (3) c/s: 2296K trying: rh3gap
000 (ADMIN)
guesses: 13 time: 0:00:00:09 (3) c/s: 2033K trying: gte2g
0000000 (ADMIN)
guesses: 14 time: 0:00:00:19 (3) c/s: 1626K trying: mbblum

As you can see, either gets to 8 guesses in 1 second, and to 14 (out of 15 total) in under 19 seconds (the status line was displayed when I pressed a key; the actual guess occurred a bit earlier). It is also possible to go from known case insensitive passwords (cracked from NETLM hashes) to "crack the case" (from the NETNTLM hashes) nearly instantly, but this was not required in this case (we got to the same 14 hashes cracked quickly with a direct attack on NETNTLM as well). All of this was with JtR's default settings.

Rainbow tables may be hot, but other approaches are viable as well, especially when the number of hashes or C/R's to audit is large (with rainbow tables, the attack time is per-hash, but with JtR the attack is against all hashes at once).