Tutorial: NT LAN Manager (NTLM) Security Support Provider (NTLMSSP)



NT LAN Manager (NTLM) is Microsoft's challenge-response authentication protocol and is carried over SMB, HTTP and other transports as the NTLM Security Support Provider (NTLMSSP). It has well-known weaknesses: the challenge-response pair that crosses the wire (the NetNTLM hash) can be cracked offline. Hence, we wrote the plugin ntlmsspDecode, which extracts the vital fields (target, domain, user, host, server challenge) and the NetNTLM hash in a form that can be fed directly to a password cracker.


First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the following plugins:

t2build tranalyzer2 basicFlow tcpStates ntlmsspDecode txtSink


If you have not created separate data and results directories yet, do it now in another bash window; it keeps the workflow tidy:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: smb2.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing NTLMSSP traffic!


Let’s look at the plugin configuration first:

vi src/ntlmsspDecode.h

Two options matter for this tutorial: NTLMSSP_CLI_CHALL, which adds the client challenge to the flow output, and NTLMSSP_NAME_LEN, which caps the length of the string columns (longer values are truncated and flagged in ntlmsspStat). Enable the client challenge and rebuild the plugin:

t2conf ntlmsspDecode -D NTLMSSP_CLI_CHALL=1 && t2build ntlmsspDecode

Now run t2 on the supplied pcap:

t2 -r ~/data/smb2.pcap -w ~/results/

Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 30057
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
    01: basicFlow, 0.8.14
    02: tcpStates, 0.8.14
    03: ntlmsspDecode, 0.8.14
    04: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/smb2.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1131413212.631817 sec (Tue 08 Nov 2005 01:26:52 GMT)
Dump stop : 1131413245.234942 sec (Tue 08 Nov 2005 01:27:25 GMT)
Total dump duration: 32.603125 sec
Finished processing. Elapsed time: 0.001077 sec
Finished unloading flow memory. Time: 0.001135 sec
Percentage completed: 100.00%
Number of processed packets: 1126 (1.13 K)
Number of processed bytes: 217593 (217.59 K)
Number of raw bytes: 217593 (217.59 K)
Number of pcap bytes: 235633 (235.63 K)
Number of IPv4 packets: 1126 (1.13 K) [100.00%]
Number of A packets: 556 [49.38%]
Number of B packets: 570 [50.62%]
Number of A bytes: 103832 (103.83 K) [47.72%]
Number of B bytes: 113761 (113.76 K) [52.28%]
Average A packet load: 186.75
Average B packet load: 199.58
tcpStates: Aggregated tcpStatesAFlags=0x03
ntlmsspDecode: Aggregated ntlmsspStat=0x5f
ntlmsspDecode: Number of NTLMSSP packets: 3 [0.27%]
ntlmsspDecode: Number of NetNTLMv1 hashes extracted: 1
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 1126 (1.13 K) [100.00%]
Number of TCP bytes: 217593 (217.59 K) [100.00%]
Number of processed   flows: 2
Number of processed A flows: 1 [50.00%]
Number of processed B flows: 1 [50.00%]
Number of request     flows: 1 [50.00%]
Number of reply       flows: 1 [50.00%]
Total   A/B    flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed   packets/flows: 563.00
Number of processed A packets/flows: 556.00
Number of processed B packets/flows: 570.00
Number of processed total packets/s: 34.54
Number of processed A+B   packets/s: 34.54
Number of processed A     packets/s: 17.05
Number of processed   B   packets/s: 17.48
Number of average processed flows/s: 0.06
Average full raw bandwidth: 53392 b/s (53.39 Kb/s)
Average full bandwidth : 53392 b/s (53.39 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows

The aggregated ntlmsspStat=0x5f confirms that the capture does contain NTLMSSP traffic with Negotiate, Challenge and Authenticate messages, and that a NetNTLMv1 hash was extracted. Bit 6 (0x40) is set as well: because NTLMSSP_NAME_LEN=64, the ntlmsspCliChallenge string is truncated in the flow file. The full hash is nevertheless written to the file named by NTLMSSP_AUTH_FILE, next to the flow file.

tawk -V ntlmsspStat=0x5f

The ntlmsspStat column with value 0x5f is to be interpreted as follows:

   bit | ntlmsspStat | Description
     0 | 0x01        | Flow is NTLMSSP
     1 | 0x02        | Flow contains Negotiate messages
     2 | 0x04        | Flow contains Challenge messages
     3 | 0x08        | Flow contains Authenticate messages
     4 | 0x10        | NetNTLMv1 hash was extracted for this flow
     6 | 0x40        | String output was truncated... increase NTLMSSP_NAME_LEN

If you want to see the full hash in the flow file, increase NTLMSSP_NAME_LEN and rebuild the plugin.

tcol ~/results/smb2_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration   numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP            srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  tcpStatesAFlags  ntlmsspStat  ntlmsspTarget  ntlmsspDomain  ntlmsspUser    ntlmsspHost  ntlmsspNegotiateFlags  ntlmsspSessKey                    ntlmsspNTProofStr                                 ntlmsspServChallenge  ntlmsspVersionMajor_Minor_Build_Rev  ntlmsspNbComputer  ntlmsspNbDomain  ntlmsspDnsComputer  ntlmsspDnsDomain  ntlmsspDnsTree  ntlmsspAttrTarget  ntlmsspTimestamp
A     1        0x0400000000004000  1131413212.631817  1131413245.234537  32.602720  1           3        eth:ipv4:tcp  00:0c:29:5c:2e:c7  00:0c:29:30:60:27  0x0800       07       "Private network"  49258  07       "Private network"  445      6        0x03             0x5b                        VISTA1         Administrator  VISTA1       0xe2888297             ecf0989b0840ad241400e8f985aa11df  ebb89904e84648e500000000000000000000000000000000                        6_0_5231_15                                                                                                                                       0.000000
B     1        0x0400000000004001  1131413212.647561  1131413245.234942  32.587381  1           3        eth:ipv4:tcp  00:0c:29:30:60:27  00:0c:29:5c:2e:c7  0x0800      07       "Private network"  445   07       "Private network"  49258    6        0x03             0x05         VISTA2                                                    0xe28a8215                                                                                                 f550096e81044aa5      6_0_5231_15                          VISTA2             VISTA2           vista2              vista2                                               1131481062.000000

As the plugin was written for troubleshooting and NetNTLM hash extraction, it produces no packet-mode output so far. The important part, the NetNTLM hash, is in smb2_NetNTLMv1.txt, already in the line format a password cracker accepts:

cat ~/results/smb2_NetNTLMv1.txt


Cracking the Hashes

Nice, we have extracted the hash… what’s next? Let’s get cracking!

First, download hashcat (6.2.1 at the time of writing; any recent release works). John the Ripper could be used as well.

wget https://hashcat.net/files/hashcat-6.2.1.tar.gz

tar xzf hashcat-6.2.1.tar.gz

cd hashcat-6.2.1


Different hash types require different hashcat -m options, so first we need to know which type of hash we want to crack. This is easy here: the plugin writes NetNTLMv1 hashes to smb2_NetNTLMv1.txt and NetNTLMv2 hashes to smb2_NetNTLMv2.txt (the two differ on the wire: a NetNTLMv1 NT response is 24 bytes, a NetNTLMv2 one is a 16-byte NTProofStr followed by a variable-length blob). In our example the extracted hash is NetNTLMv1. Let’s see which -m option we need for NetNTLMv1 hashes:

./hashcat --help | grep NetNTLM

   5500 | NetNTLMv1 / NetNTLMv1+ESS                        | Network Protocols
   5600 | NetNTLMv2                                        | Network Protocols

Ok, so we’ll use -m 5500 (-m 5600 for NetNTLMv2). We also need a dictionary, i.e., a word list. Luckily, hashcat ships with a small one, example.dict:
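To make the extraction step and the -m choice above concrete, here is an added example (it is not part of the tutorial nor of the ntlmsspDecode plugin): a minimal Python parser for the three NTLMSSP message types laid out per MS-NLMP, which turns a Challenge/Authenticate pair into the hashcat line format and selects -m 5500 or -m 5600 from the length of the NT response. The sample messages are constructed inside the code; the server challenge reuses the value from the flow file above, every other value is made up.

```python
"""Minimal NTLMSSP parser (added example, not plugin code): extract the
Challenge and Authenticate fields and emit a hashcat line plus its -m mode."""
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001   # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE


def _field(msg, at):
    """Resolve a (Len, MaxLen, Offset) descriptor at byte `at` into its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]


def _text(raw, flags):
    return raw.decode("utf-16-le" if flags & FLAG_UNICODE else "ascii")


def parse(msg):
    """Parse one NTLMSSP message (the blob inside the SPNEGO/SMB security token)."""
    if len(msg) < 16 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == NEGOTIATE:
        return {"type": mtype, "flags": struct.unpack_from("<I", msg, 12)[0]}
    if mtype == CHALLENGE:
        flags = struct.unpack_from("<I", msg, 20)[0]
        return {"type": mtype, "flags": flags,
                "target": _text(_field(msg, 12), flags),
                "server_challenge": msg[24:32]}
    if mtype == AUTHENTICATE:
        flags = struct.unpack_from("<I", msg, 60)[0]
        return {"type": mtype, "flags": flags,
                "lm_response": _field(msg, 12), "nt_response": _field(msg, 20),
                "domain": _text(_field(msg, 28), flags),
                "user": _text(_field(msg, 36), flags),
                "host": _text(_field(msg, 44), flags)}
    raise ValueError("unknown NTLMSSP message type %d" % mtype)


def hashcat_line(challenge, auth):
    """Return (hashcat mode, hash line) for a parsed Challenge/Authenticate pair."""
    chal = challenge["server_challenge"].hex()
    nt = auth["nt_response"]
    if len(nt) == 24:   # NetNTLMv1: user::domain:LMresp:NTresp:serverchallenge
        return 5500, "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"],
                                           auth["lm_response"].hex(), nt.hex(), chal)
    # NetNTLMv2: user::domain:serverchallenge:NTProofStr:blob
    return 5600, "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"],
                                       chal, nt[:16].hex(), nt[16:].hex())


def build_challenge(target, server_challenge, flags=FLAG_UNICODE):
    """Constructed sample builder: the Challenge header is 56 bytes."""
    tn = target.encode("utf-16-le")
    hdr = SIGNATURE + struct.pack("<I", CHALLENGE)
    hdr += struct.pack("<HHI", len(tn), len(tn), 56)                   # TargetName
    hdr += struct.pack("<I", flags) + server_challenge + b"\x00" * 8   # flags, challenge, reserved
    hdr += struct.pack("<HHI", 0, 0, 56 + len(tn))                      # TargetInfo (empty)
    hdr += b"\x00" * 8                                                  # Version
    return hdr + tn


def build_authenticate(user, domain, host, lm, nt, flags=FLAG_UNICODE):
    """Constructed sample builder: the Authenticate header is 88 bytes."""
    parts = [lm, nt] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    hdr = SIGNATURE + struct.pack("<I", AUTHENTICATE)
    off = 88
    for p in parts:   # LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
        hdr += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
    hdr += struct.pack("<I", flags) + b"\x00" * 8 + b"\x00" * 16   # flags, Version, MIC
    return hdr + b"".join(parts)


def demo(netntlm_v2=False):
    """Constructed exchange: the server challenge is the one from the flow file
    above, the responses are arbitrary bytes, not taken from smb2.pcap."""
    chal = build_challenge("VISTA2", bytes.fromhex("f550096e81044aa5"))
    nt = bytes.fromhex("aa" * 16 + "bb" * 40) if netntlm_v2 else bytes.fromhex("11" * 24)
    auth = build_authenticate("Administrator", "VISTA1", "VISTA1",
                              lm=bytes.fromhex("22" * 8 + "00" * 16), nt=nt)
    return hashcat_line(parse(chal), parse(auth))


if __name__ == "__main__":
    for v2 in (False, True):
        mode, line = demo(v2)
        print("-m %d  %s" % (mode, line))
```

The mode decision mirrors what the plugin does when it splits output into the NetNTLMv1 and NetNTLMv2 files: a 24-byte NT response is v1, anything longer is v2 with the NTProofStr in front. Strings are decoded as UTF-16LE only when the Unicode negotiate flag is set, which is why the flags are read before any name field.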

cat example.dict


Okay, so now, we are all set… let’s run hashcat and see what happens!

./hashcat -m 5500 ~/results/smb2_NetNTLMv1.txt example.dict

Note that --show does not crack anything: it only prints hashes already present in hashcat's potfile. So run the attack first, then display the result as hash:password pairs:

./hashcat -m 5500 --show ~/results/smb2_NetNTLMv1.txt


Nice, now we know that penguin is the password for Administrator!


Don’t forget to reset the plugin configuration for the next tutorial.

t2conf ntlmsspDecode --reset && t2build ntlmsspDecode

Have fun analyzing.