Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Cracking HALFLM

I was recently reading through Chris Gates post on capturing and cracking HALFLM hashes with Metasploit and thought I’d give it a quick run through. (I won’t be rehashing what Chris already covered here, so I suggest you pop over to his blog for a quick coverage of HALFLM and the rainbowtable cracking method).

Until I read the post I’d been using the SMB_relay attack to load up a meterpreter shell onto the remote target, but seeing as Microsoft have finally decided this is a bug worth patching, it’s time to move on to other attack vectors. SMB_relay will still be a good attack vector for some attacks, but the patch against reflective relays means it’s not going to always be available.

All was going well with the walkthrough. I’d captured the hash from the target machine and had the HALFLM tables downloaded (halflmchall _alphanumeric #1-7_x_2400_ 1122334455667788). So after running rcracki_mt_0.5.exe *.rti -h <First16Chars> I was depressed to see that the first half wasn’t found (the tables are only alphanumeric after all). Not a problem I thought, and went back to Chris’ walkthrough to see the next step. That’s where it all went wrong. If you can’t find the first part of the hash, then the rest of the walkthrough isn’t going to help. I had a little hunt around the big WWW and, like any good Googler, I found some hints on what other tools could do a brute-force or password-guessing attack against the HALFLM format. I picked CAIN and set about trying to manually tell it what the username, LM hash and challenge were, without much luck. Cain can sometimes be stubborn on the input formats and you can’t manually tell it what should go where. I went back to the Metasploit smb capture module and had a closer look at the set options to see what I could do. Here I found the option to output the captured hashes straight into a format readable by Cain & Abel (set PWFILE cain_hashdump.txt) instead of to the screen in a generic format.

After performing the SMB capture again, the file cain_hashdump.txt was created, allowing me to directly import it into CAIN (along with the challenge this time).

For those that may have already captured the HALFLM hash and need to import this into CAIN, the format of the dump output from Metasploit is as follows:



The 1122334455667788 in the middle tells Cain what challenge was used by the Metasploit module. In this case Metasploit is hard coded to use \x11\x22\x33\x44\x55\x66\x77\x88 as the challenge string.
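As an added illustration (not code from this post, from Metasploit or from Cain), the following Python parses a PWFILE dump line by line, pulls out the HALFLM portion (the first 16 hex characters of the LM response that rcracki_mt is given with -h) and flags whether the capture used the fixed challenge the halflmchall tables were built for. The USERNAME:DOMAIN:CHALLENGE:LMHASH:NTHASH layout is assumed from the author's reply in the comments, the function and class names are mine, and the sample lines are constructed filler.

```python
import string
from dataclasses import dataclass
from typing import List

# Challenge the Metasploit smb capture module hard-codes (\x11\x22\x33\x44\x55\x66\x77\x88);
# the halflmchall rainbow tables are generated for this one challenge only.
METASPLOIT_CHALLENGE = "1122334455667788"

@dataclass
class Capture:
    user: str
    domain: str
    challenge: str     # 8-byte server challenge, 16 hex chars
    lm_response: str   # 24-byte LM challenge response, 48 hex chars
    nt_response: str   # 24-byte NT challenge response, 48 hex chars

    @property
    def halflm(self) -> str:
        # First 8 bytes (16 hex chars) of the LM response: the value rcracki_mt takes with -h
        return self.lm_response[:16]

    @property
    def rainbow_tables_apply(self) -> bool:
        # Precomputed tables only fit the challenge they were built for; anything else needs brute force
        return self.challenge == METASPLOIT_CHALLENGE

def _hex(field: str, name: str, length: int) -> str:
    field = field.strip().lower()
    if len(field) != length or any(c not in string.hexdigits for c in field):
        raise ValueError(f"{name}: expected {length} hex chars, got {field!r}")
    return field

def parse_cain_line(line: str) -> Capture:
    # Assumed layout, taken from the author's reply: USERNAME:DOMAIN:CHALLENGE:LMHASH:NTHASH
    parts = line.strip().split(":")
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields, got {len(parts)}")
    user, domain, challenge, lm, nt = parts
    return Capture(user, domain, _hex(challenge, "challenge", 16),
                   _hex(lm, "LM response", 48), _hex(nt, "NT response", 48))

def parse_cain_file(text: str) -> List[Capture]:
    # Blank lines are skipped; anything else must be a well-formed capture line
    return [parse_cain_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample of a PWFILE dump; the hex is filler, not real hashes.
SAMPLE_PWFILE = (
    "alice:CORP:1122334455667788:" + "a" * 48 + ":" + "b" * 48 + "\n"
    "bob:CORP:0123456789abcdef:" + "c" * 48 + ":" + "d" * 48 + "\n"
)
```

Captures whose challenge is not 1122334455667788 (like the second sample line) are exactly the case the first comment below asks about: the precomputed tables do not apply to them.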

Hope you find this useful, and remember to checkout the Carnal0wnage blog for the RainbowTable method, as well as lots of other Metasploit hints, tips and examples.

3 responses to “Cracking HALFLM”

  1. Teriyakiboy June 27, 2009 at 18:21

    What can be done when the challenge isn't 1122334455667788?
    Does rainbowtablesonline support such hashes?
    How much time will it take to generate a halflmchall rt for a custom challenge?


  2. ChrisJohnRiley June 27, 2009 at 21:25

    Things become a little more tricky if the challenge isn’t 1122334455667788. The beauty of rainbow tables is that the hard processing work has already been done once for the challenge, so whenever you use the rainbow table the time is significantly reduced. If the challenge isn’t set to 1122334455667788 (as it should be if you use something like CAIN or Metasploit to effect the authentication) then there is little point in creating a rainbow table specifically for that challenge. It will take just as much time (possibly more, with the overhead of writing the tables to disk etc.) as performing a simple brute-force attack against it. I’d suggest inputting the hashes into CAIN (with the challenge) using the USERNAME:DOMAIN:1122334455667788:LMHASH:NTHASH format and letting it perform a brute-force attack. Unless you’ve got a stack of hashes using this new challenge then going the rainbow tables route isn’t really going to bring you much benefit.

    Hope that helped, and good luck with the cracking.

  3. Teriyakiboy July 1, 2009 at 18:11

    Thanks ChrisJohnRiley. Your answer was really helpful.
    Thanks a lot 🙂
