Capturing And Cracking NTLMv2 Hashes On The LAN

Target Name: John Doe
Target box: (domain joined)
Attack/facilitator box: (Kali Linux)
Wireshark box: (Kali Linux)

With a comprised host on the network, the idea is to get an unsuspecting victim to click a link to a network share from their workstation. As a result, when they do, it will ultimately pass NTLM challenge/response packets which can be captured and viewed using Wireshark.  Below is the process for capturing such packets, rebuilding them into a format that is usable by hashcat for the purposes of cracking their Active Directory password.

First the “victim” (John Doe) must be convinced to click on a link.  This really isn’t all that difficult but outside of the scope of this document.  Consider an email message with a link to \\ (attacker/facilitator machine). Prior to clicking, we want Wireshark to be open and listening on the appropriate interface in order to capture the required packets.


The quickest way to find the packets we are most concerned with is to setup a filter for “ntlmssp”.  From there, we only need two packets: The highlighted line, and the one directly below it.


At this point, we want to have a text editor open so that we can copy the values from the below screenshots as plain text.  After everything is pasted into the editor, it will need to be rearranged into a particular order.


It is important to capture the NTLMv2 Response as “Hex Stream”.


Below is an example of the information one would need to properly built the challenge/response information back into a format that is able to be cracked. The domain username and domain name can be gleaned from the NTLMSSP_AUTH packet (2nd one in the original screenshot)  The most important thing to notice is the location of the colons. Specifically, there MUST be a colon after the first 32 bits of the NTLM RESPONCE.  This usually where you will notice a few 010101’s. Also, notice the double colons (::) after the domain username too.


This entire string needs to be saved into a single line text file (again, remember the placement of the colons):


Once in a text file, this file can be piped through hashcat and against your favorite wordlists using the following command:

hashcat -m 5600 asdf.txt wordlist.txt


As seen in the screengrab above, the password for John Doe’s AD account is “Summer2016”





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s