Jan 02 2014

When you obtain a NetLM password hash captured with the known challenge of 1122334455667788, you can use the HALFLMCHALL rainbow table to recover the first seven (7) characters of the password. The second half still has to be identified. Tutorials exist (including my site, as well as here and here) on how to capture the NetLM hash using Metasploit. Metasploit ships with a Ruby script in its tools folder that will bruteforce the remaining characters of the password when you provide the complete NetLM hash and the first seven (7) characters of the recovered password. However, for passwords of 11+ characters it is time prohibitive to bruteforce the remaining characters, as shown below.

/opt/metasploit-framework/tools# ruby halflm_second.rb -n 1c6e27fb87220408930041fca2d43260f3831c004b1486d8 -p RYANCHI
[*] Trying one character...
[*] Trying two characters (eta: 10.010079860687256 seconds)...
[*] Trying three characters (eta: 2292.3082880973816 seconds)...
[*] Trying four characters (eta: 524938.5979743004 seconds)...

An eleven (11) character password will take 6.075 days. You do not have that long on a penetration test. I have no idea how long a 12 character password would take, but I know that it is exponentially longer and not even scripted into halflm_second.rb. So oclHashcat and GPU password cracking to the rescue!

We will need to account for every combination of upper- and lowercase letters for the first seven (7) characters identified (the LM hash is case-insensitive, so the rainbow table only returns them uppercased) and bruteforce the remaining characters against the NetNTLMv1 password hash that was also captured by Metasploit. This will give us the actual, case-sensitive password.

As of this article oclHashcat (v1.01) does not support rule files and bruteforcing at the same time (it only supports a wordlist combined with a bruteforce mask). We will first need to create a dictionary of all possible combinations of upper- and lowercase letters for the first seven (7) characters of the password obtained through the rainbow tables. Google did not help me much when it came to creating a rule file for this, or to creating the dictionary first, so my way may not be the best way, but it works.

First we will create the Hashcat rule file. Information on the syntax used in the rule files can be found here. The only function we will be using is Toggle @ (TN), which toggles the case of the character at position N. I wrote a Perl script to create a rule file covering every case combination of a seven (7) character word. Also, I lied…you will need one more function. Place a colon (:) at the top of the file created. The colon (:) represents "do nothing", which tries the original password as provided.

use strict;
use warnings;

# Write one rule line per 7-bit number: each set bit becomes a TN toggle.
# Three-argument open with '>' (not '>>') so a rerun does not append duplicates.
open(my $rulefile, '>', 'toggle.rule') or die "cannot open toggle.rule: $!";
for (my $x = 0; $x < 128; $x++) {
    my $binaryString = substr(dec2bin($x), -7);   # keep the low 7 bits, e.g. 54 -> 0110110
    my @binaryDigits = split(//, $binaryString);
    for (my $i = 0; $i <= $#binaryDigits; $i++) {
        if ($binaryDigits[$i] eq '1') {
            print $rulefile "T" . $i;              # toggle case at position $i (0-based)
        }
    }
    print $rulefile "\n";                          # $x == 0 yields an empty line; the ':' rule is added by hand
}
close($rulefile);

# from Perl Cookbook
sub dec2bin {
    my $str = unpack("B32", pack("N", shift));
    #$str =~ s/^0+(?=\d)//;   # otherwise you'll get leading zeros
    return $str;
}

It may not be the most elegant way of doing it but I used the language I know and this was the thought process I came up with. I iterate from 1-127 (all 7-bit numbers in decimal), convert each decimal number to binary, then swap out every one (1) with a TN, where N is the position in the binary number where the one (1) is located, and write it to a file. So the decimal number 54 becomes 0110110, which then becomes T1T2T4T5. Note T0 is position one (hashcat positions are zero-based). I also ignore all zeros (0).
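To check that the rule file really covers every case variant, here is an added example (not code from the original post) that rebuilds the same TN rules in Python, applies them with a minimal interpreter that understands only the ':' and TN functions, and verifies that the 128 outputs are exactly the 2^7 case combinations of the base word. The word RYANCHI is the one from the post; everything else is an assumption of this example.

```python
"""Added example (not from the original post): build the TN toggle rules the
post's Perl script produces and check, with a minimal rule interpreter,
that they cover every case variant of a 7-letter word."""
from itertools import product

WORD_LEN = 7  # one LM half; the post's rainbow table recovers this many characters


def toggle_rules(n=WORD_LEN):
    """Return the rule lines for x in 1..2**n-1, preceded by the ':' rule.

    The Perl loop starts at 0, which yields an empty line; the post has you
    prepend ':' (do nothing) by hand so the unmodified word is tried too."""
    rules = [":"]
    for x in range(1, 2 ** n):
        bits = format(x, f"0{n}b")  # e.g. 54 -> '0110110'
        rules.append("".join(f"T{i}" for i, b in enumerate(bits) if b == "1"))
    return rules


def apply_rule(rule, word):
    """Apply a hashcat rule made only of ':' and 'TN' (single-digit N) functions."""
    chars = list(word)
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn == ":":
            i += 1
        elif fn == "T":
            pos = int(rule[i + 1])  # hashcat positions are 0-based
            if pos < len(chars):
                chars[pos] = chars[pos].swapcase()
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return "".join(chars)


def expand(word, rules):
    """The dictionary hashcat --stdout would produce from word and rules."""
    return [apply_rule(r, word) for r in rules]


def all_case_variants(word):
    """Reference set: every upper/lower assignment of the word's letters."""
    return {"".join(c) for c in product(*[(ch.lower(), ch.upper()) for ch in word])}


if __name__ == "__main__":
    rules = toggle_rules()
    words = expand("RYANCHI", rules)
    print(rules[54], "->", words[54])  # T1T2T4T5 -> RyaNchI
    print(len(set(words)), "unique candidates; complete:",
          set(words) == all_case_variants("RYANCHI"))
```

Dropping the ':' line leaves 127 candidates and silently skips the all-uppercase word, which is the one case the rainbow table actually handed back.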

We then have to use the older tool Hashcat to create the dictionary file. oclHashcat does not support the --stdout option, so we cannot use it to create our dictionary file.

We will start with our base "dictionary" of RYANCHI, create our rule file, and run hashcat to create the dictionary we will use.

~/tools/hashcat-0.47# echo "RYANCHI" > baseDict.txt
~/tools/hashcat-0.47# perl secondHalf.pl
~/tools/hashcat-0.47# ./hashcat-cli64.bin -r toggle.rule baseDict.txt --stdout > secondHalf.dict.txt
~/tools/hashcat-0.47# cp secondHalf.dict.txt ~/tools/oclHashcat-1.01/

We then use oclHashcat to obtain the password.

~/tools/hashcat-0.47# cd ~/tools/oclHashcat-1.01/
~/tools/oclHashcat-1.01# ./cudaHashcat64.bin -m 5500 -a 6 hashfile.txt secondHalf.dict.txt ?a?a?a?a


Session.Name...: cudaHashcat
Status.........: Cracked
Input.Base.....: File (secondHalf.dict.txt)
Input.Mod......: Mask (?a?a?a?a) [4]
Hash.Target....: USERNAME::DOMAIN:1c6e27fb87220408930041fca2d43260f3831c004b1486d8:eab0974cad5cf20ab14e0d264865973bbffc0e5ca4725e33:1122334455667788
Hash.Type......: NetNTLMv1-VANILLA / NetNTLMv1+ESS
Time.Started...: Mon Jan 20 11:30:03 2014 (5 secs)
Speed.GPU.#1...: 13879.6 kH/s
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 109094016/10344229375 (1.05%)
Rejected.......: 0/109094016 (0.00%)
HWMon.GPU.#1...: -1% Util, 32c Temp, 40% Fan

Started: Mon Jan 20 11:30:03 2014
Stopped: Mon Jan 20 11:30:09 2014

It took oclHashcat five (5) seconds, compared to the six (6) days it would take the halflm_second.rb Ruby script, to identify the password. Bruteforcing the last 7 characters, i.e. the maximum length of 14 characters supported by LanManager hashing, would only take 3.5 hours. The graphics card used is a "not the top of the line" Nvidia GeForce GTX 650 Ti.
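From the defender's side, the interesting part of the Hash.Target line above is not the response bytes but what they reveal: the fixed 1122334455667788 challenge means the client authenticated to a capture server rather than a real file server, and a genuine LM response means the client's LM compatibility level still allows the HalfLM attack at all. The following added example (not code from the post) parses lines in the hashcat mode 5500 format shown above, USER::DOMAIN:LMRESP:NTRESP:CHALLENGE, and reports those two findings. The first sample line is the post's own Hash.Target; the other two lines, the user names and the response values in them are constructed for this example.

```python
"""Added example (not from the original post): triage parser for NetNTLMv1
hash lines in hashcat mode 5500 format. Flags the fixed 1122334455667788
challenge used by capture tools and whether the client sent a real LM
response (which is what makes the HalfLM rainbow-table attack possible)."""
import re

STATIC_CHALLENGE = "1122334455667788"  # fixed server challenge from the post
HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_netntlmv1(line):
    """Split a 5500-format line into its fields; raise on malformed input."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected USER::DOMAIN:LMRESP:NTRESP:CHALLENGE")
    user, _, domain, lm, nt, challenge = parts
    for name, value, width in (("lm", lm, 48), ("nt", nt, 48), ("challenge", challenge, 16)):
        if len(value) != width or not HEX.match(value):
            raise ValueError(f"{name} field must be {width} hex characters")
    return {"user": user, "domain": domain, "lm": lm.lower(),
            "nt": nt.lower(), "challenge": challenge.lower()}


def classify(rec):
    """Return (response_kind, findings) for one parsed record."""
    findings = []
    lm, nt = rec["lm"], rec["nt"]
    if lm[16:] == "0" * 32:
        # With extended session security the LM field is an 8-byte client
        # nonce followed by 16 zero bytes: it carries no password material.
        kind = "NetNTLMv1+ESS"
    elif lm == nt:
        # NTLM-only client: the NT response is copied into the LM field.
        kind = "NTLMv1 only"
    else:
        # A genuine LM response, computed from the LM hash: the first 8 bytes
        # depend only on the first 7 password characters, so HalfLM applies.
        kind = "NetNTLMv1 vanilla"
        findings.append("client sent an LM response: LM authentication is still "
                        "enabled on the client (LmCompatibilityLevel too low)")
    if rec["challenge"] == STATIC_CHALLENGE:
        findings.append("server challenge is the fixed 1122334455667788: the client "
                        "authenticated to a capture server; rainbow table attack applies")
    return kind, findings


def triage(lines):
    """Parse and classify each line; returns (user, kind, findings) tuples."""
    out = []
    for line in lines:
        rec = parse_netntlmv1(line)
        kind, findings = classify(rec)
        out.append((rec["user"], kind, findings))
    return out


# Sample input: first line is the Hash.Target line from the post; the other
# two (user names, response bytes and challenges) are constructed for this example.
SAMPLE_LINES = [
    "USERNAME::DOMAIN:1c6e27fb87220408930041fca2d43260f3831c004b1486d8:"
    "eab0974cad5cf20ab14e0d264865973bbffc0e5ca4725e33:1122334455667788",
    "alice::CORP:0011223344556677" + "0" * 32 + ":" + "ab" * 24 + ":9f8e7d6c5b4a3f2e",
    "bob::CORP:" + "cd" * 24 + ":" + "cd" * 24 + ":0123456789abcdef",
]

if __name__ == "__main__":
    for user, kind, findings in triage(SAMPLE_LINES):
        print(f"{user}: {kind}")
        for f in findings:
            print("  -", f)
```

Only the first line produces findings: a vanilla LM response against the fixed challenge is exactly the combination the post exploits, while the ESS and NTLM-only clients give the rainbow table nothing to work with.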
