NTLM Algorithm Confusion
As I understand, NTLM isn't really a hash function as it relies mainly on MD4. After searching around the internet, as I understand it, it is simply as follows. Convert your string to hexadecimal, add 00 to the end of each character and then pass this new string into the MD4 algorithm. The problem is, once I have my hexadecimal string with added 00's, it does not result in the hash I expect as I have previously calculated it using a website (I am certain it is working correctly). I am simply at a loss at what to do with my hexadecimal string (with added 00's) to retrieve the NTLM hash. Any help would be greatly appreciated and if I have missed something vital in the algorithm, please do tell me, thank you.
P.S. I am certain the sites I used to convert to hexadecimal and to calculate MD4 hashes are working correctly.
I do apologize for not making myself clear. I am looking to develop a function in C++ to calculate the NTLM hash of a given string, as I have searched the internet yet cannot find one. I used http://nediam.com.mx/winhashes/index.php to calculate the NTLM hash of "cheese" for example; the result is: "208adb08381adab3032eedbd35399642". The problem is after reading multiple articles on the process to get from "cheese" to the above hash, I am still confused. The algorithm I have derived from multiple sites is simply to convert the plain text to hexadecimal and then add 00 after each character. This gets me from "cheese" to "630068006500650073006500". Then put this value into the MD4 algorithm. I used http://www.brent0n.com/?page_id=103 to do this yet the result is "0a09757d0c75ca9dade4eecd2270b812". I am simply confused at what I did wrong and how I can get from "630068006500650073006500" to "208adb08381adab3032eedbd35399642". I hope that was clearer, thank you again.
Which version of NTLM are you attempting to hit?
NTLMv1 is done this way
C = 8-byte server challenge, random
K1 | K2 | K3 = NT-Hash | 5-bytes-0
R1 = DES(K1,C) | DES(K2,C) | DES(K3,C)
K1 | K2 | K3 = LM-Hash | 5-bytes-0
R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)
response = R1 | R2
NTLMv2 is done this way
CS = 8-byte server challenge, random
CC = 8-byte client challenge, random
CC* = (X, time, CC, domain name)
v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)
LMv2 = HMAC-MD5(v2-Hash, CS, CC)
NTv2 = HMAC-MD5(v2-Hash, CS, CC*)
response = LMv2 | CC | NTv2 | CC*
or are you talking about LM hash?
The LM hash is computed as follows.
- The user’s password as an OEM string is converted to uppercase.
- This password is either null-padded or truncated to 14 bytes.
- The “fixed-length” password is split into two 7-byte halves.
- These values are used to create two DES keys, one from each 7-byte half, by converting the seven bytes into a bit stream, and inserting a zero bit after every seven bits. This generates the 64 bits needed for the DES key.
- Each of these keys is used to DES-encrypt the constant ASCII string “KGS!@#$%”, resulting in two 8-byte ciphertext values.
- These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.
If you are looking to crack the passwords try OphCrack ;)
Thank you for your reply, but I am struggling to understand the method you described. If it helps, I simply wish to know how http://nediam.com.mx/winhashes/index.php converts plain text to the NT hash or how Windows encodes user passwords to form the hash present in the SAM file. Thank you again.
The NTLM AldarHawk is describing is more of the network protocol of NTLM as described here: http://curl.haxx.se/rfc/ntlm.html
You're looking for the NT algorithm in the SAM files. I pulled up some links to help you understand a little better:
http://courses.cit.cornell.edu/ece576/FinalProjects/f2008/tt236/tt236/high_level_design.html
http://technet.microsoft.com/en-us/library/cc875839.aspx
These should clarify things for you.
I worry I am not being completely clear. I have searched the internet more than enough yet the algorithms described do not work for me. Rather than being redirected to more articles on the concept, I would love if someone could simply go through the algorithm with me getting from plain text to the hash. Please bear in mind I have located examples like that on the internet yet they did not help, I am hoping you can, thank you again.
Sorry, I wasn't sure if anyone would be interested.
WetMackerel begged:
I would love if someone could simply go through the algorithm with me getting from plain text to the hash
You've read tons of links including the ones I posted and still didn't understand the algorithm. Well I guess next time we'll just have to sit you on our lap and explain it to you. If you didn't get it from the links you'll never get it.
Also that code you found is incorrect.
If there is a problem with that code, I have not found it, it works completely fine for me so perhaps you have made a mistake compiling it. Also, I did not ask to be patronized, I was simply asking for some of your help rather than you modeling a search engine and sending me to articles I have already read.
Meh, of course it compiles fine but you don't get it, that's because you didn't write the code. Oh and yes I was not patronizing you I was simply making a fact. You were given links as to how the algorithm works but yet you couldn't write your own code for it. If you post in the forums we can help you but NOT give you answers. Use your brain and research.
EDIT: Spelling and fail on your part for using someone else's code.