Abstact

Notes on brute-force Windows NTLM Hash with hashcat on a Windows/Linux machine with decent graphics card/cards.

Environment

  • Latest graphics card driver installed;
  • A text file hash.txt of all the NTLM hash like this `aad3b435b51404eeaad3b435b51404ee’, one for each line.

Benchmark

Just grab the latest copy of hashcat from here, extract it and you are good to go.

Then, copy the text file of the NTLM hash to the root of the hashcat directory.

Run

hashcat64.bin(on Linux) -b
hashcat64.exe(on Windows) -b

to simply run a benchmark, and to also make sure that the graphics card driver are properly recognized.

Brute-Force

Options

Some of the most commonly used options are as follows:

Options Short, Long Type Description Example
-m, –hash-type Num Hash-type, see references below -m 1000
-a, –attack-mode Num Attack-mode, see references below -a 3
-b, –benchmark   Run benchmark  
-O, –optimized-kernel-enable   Enable optimized kernels (limits password length)  
-w, –workload-profile Num Enable a specific workload profile, see pool below -w 3
-1, –custom-charset1 CS User-defined charset ?1 -1 ?l?d?u
-2, –custom-charset2 CS User-defined charset ?2 -2 ?l?d?s
-i, –increment   Enable mask increment mode  
–increment-min Num Start mask incrementing at X –increment-min=4
–increment-max Num Stop mask incrementing at X –increment-max=8

-m specifies the hash mode, i.e., LM(3000), NTLM(1000), MD5(0), SHA1(100);

-a is for the attack mode, they are

Num Mode
0 Straight
1 Combination
3 Brute-force
6 Hybrid Wordlist + Mask
7 Hybrid Mask + Wordlist

we will use 3 Brute-force in our case;

-w sets the workload profile

Num Performance Runtime Power Consumption Desktop Impact
1 Low 2 ms Low Minimal
2 Default 12 ms Economic Noticeable
3 High 96 ms High Unresponsive
4 Nightmare 480 ms Insane Headless

You may choose the Nightmare mode if on a dedicated machine;

-1/2/3 creates customized charsets which can be used later in the password mask

Hashcat has the following built-in charsets:

? Charset  
l abcdefghijklmnopqrstuvwxyz  
u ABCDEFGHIJKLMNOPQRSTUVWXYZ  
d 0123456789  
h 0123456789abcdef  
H 0123456789ABCDEF  
s !”#$%&’()*+,-./:;<=>[email protected][]^_`{ }~
a ?l?u?d?s  
b 0x00 - 0xff  

you may use these charsets in your password mask directly.

I.E. for numeric, 6 character long password NTLM hash:

.\hashcat64.exe -m 1000 -a 3 hash.txt ?d?d?d?d?d?d

As you can see, in brute-fore mode, the string ?d?d?d?d?d?d is the mask,

the charset of each position can be designated with a ? followed by its charset.

?d?d?d?d?d?d means that hashcat should try every possible numeric strings of length 6.

You can change the charset of any position to reduce the overall complexity.

For a complex password consisting of both lowercase, numbers and special characters,

you can use

-1 ?l?d?s

for convenience.

That is

.\hashcat64.exe -m 1000 -a 3 hash.txt -1 ?l?d?s ?1?1?1?1?1?1

if the password is still 6 characters long.

-i enables mask increment mode, for example

.\hashcat64.exe -m 1000 -a 3 hash.txt ?d?d?d?d?d?d

only tries combinations that are 6 characters long.

With -i set, hashcat will start from 1 character to 6 characters.

You can also set the minimum length with --increment-min=[length] and the maxmum length with --increment-max=[length].

Attack

In our case, the NTLM hash is obtained with the metasploit framework module post/windows/gather/hashdump executed in a meterpreter reverse shell.

[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY []...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[username]:1000:aad3b435b51404eeaad3b435b51404ee:0b82e1dace77e29dd1de00896ba1c5bc:::

Columns are separated by colon :, the 3rd one is LM(LAN Manager) hash, which has been deprecated since Windows Vista.

The 4th one 0b82e1dace77e29dd1de00896ba1c5bc is the NTLM(NT LAN Manager) hash used by modern Windows operating systems,

and that is exactly what we are trying to brute-force here.

First create the hash.txt file

echo "0b82e1dace77e29dd1de00896ba1c5bc" > hash.txt

As we have no idea how long the password is, nor what characters may have been used,

we make an assumption that the length is between 5 and 9 , and only lowercase and numbers are used.

Use the custom charset

-1 ?l?d

This should word for most non tech-savvy people.

Then run

./hashcat64.bin -m 1000 -a 3 -w 3 -O hash.txt -1 ?l?d ?1?1?1?1?1?1?1?1?1 -i --increment-min=5

Finally we will get the result qqqqqq.

This should be pretty quick if your graphics cards have enough horse power.

Reference