Inveigh

Incorrect hash length for netntlmv2 captured hash

Open neofito opened this issue 4 years ago • 4 comments

Hello Kevin,

I've obtained several NetNTLM v2 hashes using your tool but hashcat is throwing an error with the hash length (type 5600: NetNTLMv2)

Hashfile 'netntlmv2.lst' on line 1 (-- redacted ---): Salt-length exception

The same error for all hashes.

Checking the format against the hashcat examples, I've accomplished an unusual length of 32 characters for the captured hash.

Any idea or hint?

Thanks in advance!

neofito avatar Sep 16 '20 14:09 neofito

SMB or HTTP? I'm guessing the challenge is missing? There is something that can cause that with the packet sniffer on the SMB side that I have not been able to track down.

Kevin-Robertson avatar Sep 17 '20 01:09 Kevin-Robertson

Hi Kevin,

SMB and the challenge is present in the logfile:

[+] [2020-09-17T07:51:35] SMB(445) negotiation request detected from 192.168.0.10:51243
[+] [2020-09-17T07:51:36] SMB(445) NTLM challenge F91F2FCA9466DCC4 sent to 192.168.0.10:51243
[+] [2020-09-17T07:51:36] SMB(445) NTLMv2 captured for DOMAIN\username from 192.168.0.10(COMPUTERNAME):51243: [redacted]

The attacker's machine is a "Windows Server 2012 R2 Standard" and the tool was launched with admin privs. I can send you a captured hash if need be.

On the other hand, using Inveigh-Zero in the same scenario, it works like a charm.

Thanks for your support!

neofito avatar Sep 18 '20 19:09 neofito

Hi,

Ugh, I'm guessing you don't see F91F2FCA9466DCC4 listed in the full hash output? If so, I think I see the bug. I combined the SMB and HTTP NTLM code but it looks like it's only checking the HTTP session table to grab the challenge.

Since it is indeed seeing the challenge in this case, you should be able to just paste it in right after DOMAIN:. I'll get it fixed this weekend. Thanks!

Kevin-Robertson avatar Sep 18 '20 20:09 Kevin-Robertson

Hi Kevin,

As you said, using the challenge from the logfile the problem has gone. I should have thought about it before!

Thanks for your support and such a great tool!

neofito avatar Sep 19 '20 06:09 neofito
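
The failure discussed in this thread can be checked for before a hash file is handed to hashcat. The following is an added example, not code from Inveigh or hashcat: it assumes the mode 5600 layout `user::domain:challenge:NTProofStr:blob` from the hashcat example hashes, and because the thread does not show whether the challenge field was left empty or dropped, it handles both. The function names and the sample values are hypothetical.

```python
import re

# Added illustration; field layout follows hashcat's mode 5600 example line:
#   user::domain:server_challenge(16 hex):NTProofStr(32 hex):blob(hex)
HEX = re.compile(r"[0-9A-Fa-f]+")
LOG_CHALLENGE = re.compile(r"NTLM challenge ([0-9A-Fa-f]{16}) sent to (\S+)")


def is_hex(value, length=None):
    return bool(HEX.fullmatch(value)) and (length is None or len(value) == length)


def check_netntlmv2(line):
    """Return (ok, reason) for one captured NetNTLMv2 line."""
    parts = line.strip().split(":")
    # Challenge dropped entirely: the 32-hex NTProofStr slides into its slot.
    if len(parts) == 5 and parts[1] == "" and is_hex(parts[3], 32):
        return False, "server challenge missing (32-hex NTProofStr in its place)"
    if len(parts) != 6 or parts[1] != "":
        return False, "expected user::domain:challenge:ntproofstr:blob"
    _user, _, _domain, challenge, proof, blob = parts
    if challenge == "":
        return False, "server challenge field is empty"
    if not is_hex(challenge, 16):
        return False, "server challenge must be 16 hex characters"
    if not is_hex(proof, 32):
        return False, "NTProofStr must be 32 hex characters"
    if not is_hex(blob) or len(blob) % 2:
        return False, "blob must be an even-length hex string"
    return True, "ok"


def challenges_from_log(log_text):
    """Map client ip:port -> challenge, from 'NTLM challenge X sent to Y' lines."""
    return {client: chal.upper() for chal, client in LOG_CHALLENGE.findall(log_text)}


# Constructed sample data: the log line mirrors the one quoted in the thread;
# the NTProofStr and blob are dummy hex, not a real capture.
SAMPLE_LOG = "[+] [2020-09-17T07:51:36] SMB(445) NTLM challenge F91F2FCA9466DCC4 sent to 192.168.0.10:51243"
PROOF = "00112233445566778899aabbccddeeff"
BLOB = "0101000000000000" + "00" * 8
BROKEN = f"username::DOMAIN::{PROOF}:{BLOB}"
SHIFTED = f"username::DOMAIN:{PROOF}:{BLOB}"
GOOD = f"username::DOMAIN:F91F2FCA9466DCC4:{PROOF}:{BLOB}"

if __name__ == "__main__":
    print(challenges_from_log(SAMPLE_LOG))
    for sample in (BROKEN, SHIFTED, GOOD):
        print(check_netntlmv2(sample))
```

A line that fails with a missing or empty challenge can be compared against the `challenges_from_log` result for the same client address, which is where the thread found the value.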