gwen001 / offsectools_www

A vast collection of security tools and resources curated by the community.
https://offsec.tools

[addtool] ShuckNT #1691

Closed gwen001 closed 8 months ago

gwen001 commented 8 months ago

[tags]authentication,windows,ntlm[/tags] [short_descr]Downgrade, convert, dissect and shuck authentication tokens based on Data Encryption Standard.[/short_descr] [link] https://shuck.sh [/link] [link] https://github.com/yanncam/ShuckNT [/link] [long_descr] Behind Shuck.sh's script ShuckNT is simply an efficient and optimized binary search for DES-key collisions from a subset of NT-hash candidates, whose last two bytes are known, in a custom reversed-binary HIBP database.

During a security assessment (limited in time), if you capture ~100 NetNTLMv1 (with or without ESS) via a tool such as Responder, the search for the corresponding NT-Hashes (if leaked on HIBP) only takes a few seconds via Shuck.sh/ShuckNT (~10s).

Shuck.sh's script ShuckNT takes care of simplifying by converting the cryptographic algorithm to a weaker form (without ESS if possible, in a free format for Crack.Sh or directly in NT-Hash format if leaked on HIBP). Thus a NetNTLMv1-ESS/SSP, PPTP VPN or MSCHAPv2 challenge (not-free and time-consuming on Crack.Sh) can potentially be shucked instantly for free!

The initial idea of Shuck.sh/ShuckNT was born from a desire to save time during security assessments for customers, not to rely on a third-party online service whose availability is not necessarily continuous and to be able to be locally autonomous.

Algorithms / formats supported:

ShuckNT relies on the hash shucking principle to optimize challenge-response cracking and exploitability. [/long_descr] [image] https://raw.githubusercontent.com/gwen001/offsectools_www/main/tmp/27c838803b84995dcf77a5b5099dda38.png [/image]
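The description above says the search works from NT-hash candidates "whose last two bytes are known" and runs as a binary search over a byte-reversed HIBP list. The following is an added illustration of those two points, written for this page and not taken from ShuckNT or Shuck.sh: it shows the MS-NLMP key split that makes a NetNTLMv1 response expose the NT hash's last two bytes (the third DES key is two hash bytes plus five fixed zero bytes, so it has only 16 bits of entropy), and how storing hashes byte-reversed and sorted turns a suffix lookup into a plain range query. The function and class names, and the sample hashes (MD5 of labels, used only as deterministic 16-byte stand-ins, since real NT hashes are MD4), are constructed for this example.

```python
"""Added example: NetNTLMv1 key split and suffix lookup over a reversed, sorted hash list.
Not ShuckNT's code; names and sample data are constructed for illustration."""
import bisect
import hashlib


def netntlmv1_des_keys(nt_hash: bytes) -> tuple[bytes, bytes, bytes]:
    """MS-NLMP DESL(): the 16-byte NT hash is zero-padded to 21 bytes and cut
    into three 7-byte DES keys, each of which encrypts the 8-byte server challenge."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


def suffix_from_third_key(k3: bytes) -> bytes:
    """The third DES key is <hash[14:16]> + five zero bytes, so only 2^16 keys
    are possible; once it is known, the NT hash's last two bytes are known."""
    if len(k3) != 7 or k3[2:] != b"\x00" * 5:
        raise ValueError("not a NetNTLMv1 third key (expects 2 bytes + 5 zero bytes)")
    return k3[:2]


class SuffixIndex:
    """Hashes stored byte-reversed and sorted, so a known *suffix* becomes a
    *prefix* and bisect finds every match as one contiguous slice."""

    def __init__(self, nt_hashes) -> None:
        self._rev = sorted(h[::-1] for h in nt_hashes)

    def candidates(self, suffix: bytes) -> list[bytes]:
        prefix = suffix[::-1]
        # Every 16-byte entry starting with `prefix` lies in [prefix, prefix + 0xff*14].
        lo = bisect.bisect_left(self._rev, prefix)
        hi = bisect.bisect_right(self._rev, prefix + b"\xff" * (16 - len(prefix)))
        return [r[::-1] for r in self._rev[lo:hi]]


def constructed_hash(label: str) -> bytes:
    # Constructed stand-in for an NT hash; MD5 only provides deterministic 16-byte samples.
    return hashlib.md5(label.encode()).digest()


# Constructed candidate set (a real deployment would index a leaked-hash corpus).
SAMPLE_HASHES = [constructed_hash(f"user{i}") for i in range(2000)]


def lookup_from_third_key(k3: bytes, index: SuffixIndex) -> list[bytes]:
    """End-to-end: recovered third DES key -> 2-byte suffix -> candidate NT hashes."""
    return index.candidates(suffix_from_third_key(k3))


if __name__ == "__main__":
    target = constructed_hash("user123")
    k3 = netntlmv1_des_keys(target)[2]
    found = lookup_from_third_key(k3, SuffixIndex(SAMPLE_HASHES))
    print(f"third key {k3.hex()} -> {len(found)} candidate(s), target present: {target in found}")
```

The point for defenders is the first function: the 16-bit third key is structural to NetNTLMv1 (with or without ESS), not a configuration detail, which is why the only fix is refusing NTLMv1 at the LmCompatibilityLevel / NTLM audit layer rather than hardening the challenge.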

gwen001 commented 8 months ago

Issue correctly handled, tool is waiting for human validation.

gwen001 commented 8 months ago

Tool has been accepted by the team: https://offsec.tools/tool/shucknt

Thank you for your contribution!