lgandx / Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
GNU General Public License v3.0

Responder parses broken (uncrackable) NTLMv2 hashes #195

Open a1rb0rn3 opened 2 years ago

a1rb0rn3 commented 2 years ago

Hi,

In my test setup I am using Responder v3.1.1.0 to capture NTLMv2 hashes (options: -d, -w, -P). Unfortunately, some hashes output by Responder are uncrackable (tried both with hashcat and John the Ripper). There was already a similar issue in the past (#94).

During testing I ran Responder and recorded the network traffic with tshark. Responder found a total of 68 hashes, but only 59 are crackable. I currently don't have enough time to find the exact spot in your code that is causing this problem, but I think it's somewhere in your NTLMv2 parser. I found a simple Python script that parses NTLMv2 hashes from a pcap (https://github.com/sinnaj-r/NTLMssp-Extract). Coincidentally, this script extracts exactly 59 hashes, all of which are crackable.

Below you can find the file containing all 68 hashes extracted by Responder. The associated super-secure password is "secret" ;).

hashes.txt
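Added example (not Responder's code and not the reporter's hashes.txt): since the password behind every captured line is known, each line can be checked offline without a cracker. The script below recomputes NTProofStr per MS-NLMP (NTOWFv2 = HMAC-MD5(MD4(UTF-16LE(password)), UTF-16LE(UPPER(user) + domain)); NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob)) from a hashcat mode 5600 line (`user::domain:serverchallenge:ntproofstr:blob`) and separates lines that are well-formed but do not match from lines that are structurally broken (wrong field count, bad hex lengths, blob missing the fixed `0101 0000 0000 0000` header). The user, domain, challenge, timestamp and blob values are constructed for the demo; MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
import hashlib
import hmac
import re
import struct

# Added example, not Responder's code: verify NetNTLMv2 (hashcat 5600) lines
# against a known password and flag structurally malformed lines.

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & _MASK

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # register rotation between steps
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr per MS-NLMP 3.3.2: HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def _is_hex(s: str) -> bool:
    return re.fullmatch(r"[0-9a-fA-F]*", s) is not None


def parse_netntlmv2(line: str) -> dict:
    """Split a 5600-format line; raise ValueError for defects that make it uncrackable."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected user::domain:challenge:ntproofstr:blob")
    user, _, domain, challenge, proof, blob = parts
    for name, value, size in (("challenge", challenge, 16), ("ntproofstr", proof, 32)):
        if len(value) != size or not _is_hex(value):
            raise ValueError(f"{name} must be {size} hex chars")
    if len(blob) % 2 or not _is_hex(blob) or not blob.lower().startswith("0101000000000000"):
        raise ValueError("blob must be even-length hex starting with RespType/HiRespType header 0101000000000000")
    return {"user": user, "domain": domain, "challenge": challenge, "ntproofstr": proof, "blob": blob}


def verify_line(line: str, password: str) -> bool:
    """True when the line's NTProofStr was produced with this password."""
    f = parse_netntlmv2(line)
    proof = ntlmv2_proof(f["user"], f["domain"], password,
                         bytes.fromhex(f["challenge"]), bytes.fromhex(f["blob"]))
    return hmac.compare_digest(proof.hex(), f["ntproofstr"].lower())


def triage(lines, password: str) -> dict:
    """Map each line to 'ok', 'no-match' (well-formed, wrong password) or 'malformed: <why>'."""
    result = {}
    for line in lines:
        try:
            result[line] = "ok" if verify_line(line, password) else "no-match"
        except ValueError as exc:
            result[line] = f"malformed: {exc}"
    return result


def make_netntlmv2_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a well-formed line as a correct poisoner would print it (used to make demo input)."""
    proof = ntlmv2_proof(user, domain, password, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed demo input (not captured traffic): fixed challenge and a minimal NTLMv2 blob.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (
    b"\x01\x01" + b"\x00" * 6                     # RespType, HiRespType, Reserved1, Reserved2
    + struct.pack("<Q", 0x01D8A1B2C3D4E5F6)       # FILETIME timestamp, arbitrary
    + bytes.fromhex("aabbccddeeff0011")           # client challenge, arbitrary
    + b"\x00" * 4                                 # Reserved3
    + struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le")   # AV_PAIR MsvAvNbDomainName
    + struct.pack("<HH", 0, 0)                    # MsvAvEOL
    + b"\x00" * 4                                 # Reserved4
)
GOOD_LINE = make_netntlmv2_line("alice", "CORP", "secret", SERVER_CHALLENGE, BLOB)
TRUNCATED_LINE = GOOD_LINE.rsplit(":", 1)[0]      # blob dropped: fails parsing, not cracking

if __name__ == "__main__":
    for line, status in triage([GOOD_LINE, TRUNCATED_LINE], "secret").items():
        print(status, "<-", line[:60])
```

Run `triage(open("hashes.txt").read().splitlines(), "secret")` over a real capture to split the 68 lines into the three buckets. A "no-match" on a structurally clean line usually means the poisoner printed a user or domain field that differs from what the client put in the AUTHENTICATE message, since both enter NTOWFv2; a "malformed" result points at a parsing or truncation problem upstream of any cracker.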

lgandx commented 2 years ago

Hello, could you provide a pcap file reproducing this issue?