Skip to content

Instantly share code, notes, and snippets.

@clavoillotte
Forked from tothi/openssl-legacy-md4.md
Created January 9, 2023 11:01
Show Gist options
  • Save clavoillotte/54b63bdc6976f0d3cd5dd1bbe0daf264 to your computer and use it in GitHub Desktop.
Save clavoillotte/54b63bdc6976f0d3cd5dd1bbe0daf264 to your computer and use it in GitHub Desktop.
/etc/ssl/openssl.cnf supporting legacy digests like MD4 (useful for offensive tools requiring NTLM support)

This is a minimal /etc/ssl/openssl.cnf supporting legacy algorithms on modern openssl installations where it is disabled by default.

The marked (######) lines should be added to your openssl.cnf (other parts may be unchanged).

For checking if legacy providers are enabled successfully:

$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.7
    status: active

Or checking directly if e.g. MD4 is working:

$ echo test | openssl dgst -md4
MD4(stdin)= 36d729ab4ff7260da6fb010ef5747bb3

In Python (calculating NTLM):

$ python -c 'import hashlib; print(hashlib.new("md4", "P@ssw0rd!".encode("utf-16le")).hexdigest())'
217e50203a5aba59cefa863c724bf61b

Openssl MD4 is mandatory for (Python) offensive tools using NTLM.

openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect ######
[default_sect]
activate = 1
[legacy_sect] ######
activate = 1 ######
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment