SpiderLabs/Responder

LDAP-NTLMV1

D-Hutch opened this issue · 2 comments

D-Hutch commented

HI,
I tested Responder in my org and got the following hash :

test::testdomain:000000000000000000000000000000000000000000000000:A44B9396CE62039A99632E13E5C8B8F80101000000000000646BE9505325D3014F560F72D60C217B0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C0008003000300000000000000000000000002000008D2149B9EA8B826B9EDA0C33F483A937BD9D9CB89DB0F8FE898AAB0E25C004FD0A00100000000000000000000000000000000000090014006C006400610070002F006C00650075006D0069000000000000000000:1122334455667788

it's seems to be output from "ldap.py" and the Responder repersent it as : "[LDAP] NTLMv1 Hash"
but HashID could not recognize it, and hashcat couldn't crack it too,
Maybe the hash format is wrong ?

thank you !

GGGunrunner commented

I'm not 100% sure if its applicable, but somebody asked similar question on StackExchange, and they confirmed it was a bug:

https://security.stackexchange.com/questions/139957/responder-smbv2-and-cracking

Hope it helps...

D-Hutch commented

thanks, I later on found lgandx fork that seems to fix the problem .