Ntlmv2-ssp Hash Crack Online


Etienne Levic

Aug 4, 2024, 9:40:52 PM8/4/24
to actudenfio
NTLM is an authentication protocol created by Microsoft. This function is used for a lot of different applications and is based on the cryptographic function MD4, with a few differences. NTLM is often used to encrypt Windows users' passwords. It's the new "version" of LM, which was the old encryption system used for Windows passwords.

This website allows you to decrypt, if you're lucky, your NTLM hashes and gives you the corresponding plaintext; you can also encrypt any word using the NTLM hash generator. We proceed by comparing your hash with our online database, which contains more than 1.000.000.000 different hashes. The decryption database comes from all the wordlists I was able to find on the internet. Then I enlarged the wordlist by creating my own script and adding several letters to each word, to make my database unique and pertinent. It will help you decrypt your NTLM hash for free.


Explore and analyze PCAP files online using A-Packets, designed to provide comprehensive insights into network protocols like IPv4/IPv6, HTTP, Telnet, FTP, DNS, SSDP, and WPA2. This tool allows users to easily view details of network communications and dissect layers of data transmission.


Delve into the specifics of HTTP by examining headers, requests, and responses. Extract transferred files such as office documents and images seamlessly, and recover passwords across various protocols.


You can effortlessly build a pcap visualisation for network communications. Explore the network device map and all communications between nodes. Classify network nodes by their type through pcap analysis. Visualize TCP/UDP communications from a pcap file with a network graph.


The pcap reader can detect and extract pictures. View office documents and other file formats found while analyzing the uploaded pcap file. You can quickly preview files found in network traffic and download them.


Another interesting thing that can be found in SMB communications is user credentials, such as NTLMv2-SSP authentication between nodes. Upload a pcap file and you can try to crack the found hashes with appropriate tools.


ARP (Address Resolution Protocol) messages contain valuable information about device topology. ARP uses MAC addresses on Layer 2 (OSI). You can derive the device-to-IP mapping directly from ARP requests and responses. Investigate gratuitous ARP messages sent during device boot.


Basic automatic analysis can detect various anomalies in ARP communications. Detect routers, smart switches, and WiFi access points integrated into the LAN. It is also possible to detect malicious activities such as ARP-spoofing nodes.


A-Packets scans the uploaded pcap file for various protocols to find user credentials. You can find plaintext passwords in authorization headers or detect cryptographic hashes. The service also looks for complex challenge-based authentication protocols.


By using the API, you can automate the process of uploading pcap files and parse them to extract useful information. This allows you to efficiently analyze large volumes of network data without requiring manual intervention for each individual file.


One key advantage of using the API for pcap file analysis is the ability to schedule the process. This means that you can set up a regular schedule for uploading and analyzing pcap files, ensuring that you always have up-to-date information about your network traffic. The APIs can help you streamline your network analysis process and gain insights into your network's performance and security.


You can view detailed information about each session, including the source and destination IP addresses, the protocol version, the cipher suite used, and any certificate information. Additionally, our tool can identify anomalies in SSL/TLS traffic, such as unexpected cipher suites or expired certificates, helping you to detect potential attacks or configuration issues.


Overall, our SSL/TLS diagnostic tool is an essential tool for anyone involved in network security. Whether you are a network administrator, security analyst, or researcher, our tool can provide valuable insights into SSL/TLS traffic that can help you identify and mitigate potential threats.


Efficiency Meets Vigilance: Seamlessly integrating into your workflow, Advanced Event Detection automates the process of analyzing uploaded pcap files. This means you can focus on strategic tasks while our technology works tirelessly in the background. Whether it's passwords over insecure channels or potential breaches, our comprehensive approach keeps you informed and in control. Elevate your network security today and experience proactive protection like never before.


Absolutely! You can upload, download, and analyze pcap files (including pcapng) without any cost. No personalization or charges required. Just keep in mind that there is a 25MB limit for free .pcap file usage.


Foothold

After running the port scan with Nmap we discover that this machine is a Windows box with an Active Directory. This machine also functions as a Web Server that suffers from a Remote File Inclusion vulnerability. Through this vulnerability we are able to capture the NTLMv2 hash from the user svc_apache. After cracking the password with hashcat we have established our foothold.


User

After enumerating all existing user accounts on this machine with rpcclient, we have started a password spray attack against those user accounts and found that the already cracked password is also being used by the user account s.moon. s.moon has read-write access to the SMB share Shared and by uploading a malicious desktop.ini, we can capture the NTLMv2 hash from the user account c.bum and then we can read the user flag.


Root

The user account c.bum has read-write permissions to the Web share, and through this level of permissions, we can upload a PHP webshell, and from this webshell, we can establish a reverse shell as svc_apache and execute commands in the user context of c.bum with RunasCs to upload WinPeas to this machine. From the output of WinPeas, we discovered another website on this machine on port 8000/tcp. With the use of chisel, we forwarded this port to our attacker machine and after uploading an ASPX webshell to the website folder, we can establish a reverse shell as iis apppool\defaultapppool. This account has the SeImpersonatePrivilege privilege. After exploiting this privilege with JuicyPotatoNG.exe we have SYSTEM level permissions on this box.


Before I found something useful, I had enumerated the Kerberos service on port 88/tcp with krb5-enum-users script from Nmap. This revealed only the user account [email protected]. Then, I enumerated LDAP on port 389/tcp and found the hostname go.flight.htb. Then I checked SMB on port 445/tcp but that was a dead-end because I do not have any user credentials.


Again nothing. We can check if there are subdomains active on this machine. We had first tried to do a Zone Transfer through DNS and enumerate the current DNS records through 53/tcp, but nothing interesting was found. So, we can try to enumerate the virtual hosts.


As we look at the URL, it could be that this website suffers from a Local File Intrusion (LFI) or a Remote File Inclusion (RFI). We can try some parameters. Well, it seems that there is some protection in place.


The domain password policy requires a minimum password of 7 characters. Before we use a custom password list for password spraying, we check if the current password is also being used on other user accounts. We use the following userlist in users.txt.


s.moon has read-write permissions to the Shared folder. We have tried to put various files in the Shared folder, but not every file extension is accepted. Files such as exe, url, and ps1 are prohibited. File extensions such as vba, xml, and .ini are allowed. After some searching online, I found this source -hardening/ntlm/places-to-steal-ntlm-creds#desktop.ini to create a desktop.ini file and use Responder again to grab the hashes.


How to convert formats?

To convert an authentication token from one format to another, simply submit it to the Hash-Shucking module or use the Converter to follow the algorithm's dissection.


The hash shucker dedicated to the NetNTLMv1 (with or without ESS/SSP), PPTP VPN and WPA-Enterprise MSCHAPv2 algorithms is available online, as well as on-premise on GitHub since the beginning of 2023!


For several weeks / months during the last quarter of 2022, the services of the Crack.sh online platform were unavailable / under maintenance. Now the platform is fully functional since the beginning of 2023!


Pwned Passwords are hundreds of millions of real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they're at much greater risk of being used to take over other accounts. Version 8 was released by Troy Hunt in December 2021 and contains 847,223,402 leaks.


We have a few ports to take a look at here, notably the HTTP server, LDAP, and SMB. Another big thing to mention is that MSSQL seems to be externally facing, which is a vulnerability in and of itself. This database and this service should be internal.


These specific shares are share and Users, which we can enumerate for the possibility of any obscene abnormalities. The Users share did not seem to have anything within it aside from the default user folder, so I moved on to see if there was anything within share.


Given what we know (or lack thereof) at this point, I tried to get a nudge from the Wiki to see if there were any leads. It seems that the site says "Assume that someone is visiting the share regularly.", which points us back at SMB.


As you can see from the above, a valid TGS was retrieved for the user svc_mssql. We can attempt to crack this with hashcat. You can find a list of hash modes here at the hashcat wiki. The specific hash type we have is TGS-REP Kerberos 5 e-Type 23, which is denoted as hash mode ID 13100.


This corresponds with the MSSQL service that is currently present on the domain controller. Given that we currently have credentials for this user, we could simply attempt to log in via their credentials and see what we can enumerate.
