Path: blob/master/tools/password/lm2ntcrack.rb
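#!/usr/bin/env ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

#
# This script cracks any type of NTLM hash
# Credit to -Yannick Hamon <yannick.hamon[at]xmcopartners.com> for the original idea/perl code
#           -Alexandre Maloteaux <a.maloteaux[at]gmail.com> for improvements
#
# The tool works in one of three modes, picked from the options given:
#   HASH_MODE  (-p only)    print the hash/response of one password
#   PASS_MODE  (-p and -a)  test one password against a hash
#   BRUTE_MODE (-l and -a)  try every line of a wordlist against a hash
# Every error path prints to stderr and exits with status 0 (kept from the
# original so wrappers that only read stdout keep working).
#
# Changes versus the per-type copy/paste version: the NETNTLMv2 PASS_MODE
# branch permuted an undefined `password` instead of `pass` and always
# failed; the NETNTLMv2 BRUTE_MODE branch reported the unpermuted line as the
# found password; a few hash-length error messages named the wrong type;
# hex/length validation is now anchored with \A and \z so a value containing
# a newline cannot pass the check; hash.upcase is computed once per run
# instead of once per guess.
#

msfbase = __FILE__
while File.symlink?(msfbase)
  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end

$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
require 'msfenv'

$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']

require 'rex'

CRYPT = Rex::Proto::NTLM::Crypt

BRUTE_MODE = 1
HASH_MODE = 2
PASS_MODE = 3

TYPE_LIST = "HALFLM/LM/NTLM/HALFNETLMv1/NETLMv1/NETNTLMv1/NETNTLM2_SESSION/NETLMv2/NETNTLMv2"

# What each hash type needs and how its guesses are produced:
#   :hash_len     hex characters expected in the target hash (-a)
#   :hash_name    label printed in HASH_MODE ("The X hash for ...")
#   :pass_min/:pass_max  accepted length of -p (HASH/PASS modes); absent = any
#   :pass_label   label used in the -p length error message
#   :brute_filter regexp a wordlist line must match to be tried (BRUTE_MODE)
#   :permute      try every upper/lower case combination of a guess
#   :upcase       print matching passwords upper-cased (case-insensitive types)
#   :srvchal      server challenge (-s) required
#   :clichal      :fixed = exactly 16 hex chars (-c), :blob = 17 or more, nil = not used
#   :identity     user (-u) and domain (-d) required
SPECS = {
  "HALFLM" => {
    :hash_len => 16, :hash_name => "LM", :pass_min => 0, :pass_max => 7, :pass_label => "LM",
    :brute_filter => /\A.{1,7}\z/, :upcase => true
  },
  "LM" => {
    :hash_len => 32, :hash_name => "LM", :pass_min => 0, :pass_max => 14, :pass_label => "LM",
    :brute_filter => /\A.{1,14}\z/, :upcase => true
  },
  "NTLM" => {
    :hash_len => 32, :hash_name => "NTLM", :permute => true
  },
  "HALFNETLMv1" => {
    :hash_len => 16, :hash_name => "HALFNETLMv1", :pass_min => 0, :pass_max => 7, :pass_label => "HALFNETLMv1",
    :brute_filter => /\A.{1,7}\z/, :upcase => true, :srvchal => true
  },
  "NETLMv1" => {
    # NETLMv1 rejected an empty -p before; that minimum of 1 is kept
    :hash_len => 48, :hash_name => "NETLMv1", :pass_min => 1, :pass_max => 14, :pass_label => "NETLMv1",
    :brute_filter => /\A.{1,14}\z/, :upcase => true, :srvchal => true
  },
  "NETNTLMv1" => {
    :hash_len => 48, :hash_name => "NETNTLMv1", :permute => true, :srvchal => true
  },
  "NETNTLM2_SESSION" => {
    :hash_len => 48, :hash_name => "NETNTLM2_SESSION", :permute => true, :srvchal => true, :clichal => :fixed
  },
  "NETLMv2" => {
    :hash_len => 32, :hash_name => "NETLMv2", :srvchal => true, :clichal => :fixed, :identity => true
  },
  "NETNTLMv2" => {
    :hash_len => 32, :hash_name => "NETNTLMv2", :permute => true, :srvchal => true, :clichal => :blob, :identity => true
  }
}.freeze

# Print the option summary and the three ways the tool can be used, then exit.
def usage
  $stderr.puts("\nUsage: #{$0} -t type <options>\n" + $args.usage)
  $stderr.puts("This tool can be use in 3 ways whatever type is chosen\n")
  $stderr.puts("-If only a password (-p) is provided, it will display the hash.\n")
  $stderr.puts("-If a password (-p) and an hash (-a) is provided, it will test the password against the hash.\n")
  $stderr.puts("-If a list of password (-l) is provided and an hash (-a), it will try to bruteforce the hash \n\n")
  exit
end

# Report +msg+ on stderr and stop. Exit status stays 0 like the original.
#
# @param msg [String] message to print
def fail_with(msg)
  $stderr.puts msg
  exit
end

# Is +value+ exactly +len+ hexadecimal characters and nothing else?
#
# \A/\z (rather than ^/$) so "abcd\nXXXX" or a trailing newline cannot slip
# extra bytes into the later pack("H*").
#
# @param value [String, nil]
# @param len [Integer] number of hex characters expected
# @return [Boolean]
def hex?(value, len)
  !(value.to_s =~ /\A[a-fA-F0-9]{#{len}}\z/).nil?
end

# Upper-case hex rendering of a binary string (the form every hash/response is
# printed and compared in).
#
# @param bin [String] raw bytes
# @return [String]
def hexify(bin)
  bin.unpack("H*")[0].upcase
end

# All upper/lower case combinations of +pw+, built from its lower-cased form.
#
# Fast permutation from http://stackoverflow.com/a/1398900: for each character
# the existing prefixes get the upper-case variant first, then (when the
# character actually has a distinct case) the lower-case variant is appended.
# Order is therefore "ab" -> ["AB", "aB", "Ab", "ab"].
#
# @param pw [String, nil] password; nil yields [""]
# @return [Array<String>]
def permute_pw(pw)
  return [""] if pw.nil?

  pw.downcase.each_char.inject([""]) do |perms, lower|
    upper = lower.upcase
    uppers = perms.map { |prefix| prefix + upper }
    lowers = upper == lower ? [] : perms.map { |prefix| prefix + lower }
    uppers + lowers
  end
end

# Guesses to try for one password: every case permutation for the permuting
# types, the password itself otherwise. In BRUTE_MODE the length filter of
# the type drops lines that can never match (an empty result means "skip").
#
# @param spec [Hash] SPECS entry
# @param password [String]
# @param brute [Boolean] true when +password+ is a wordlist line
# @return [Array<String>]
def candidates_for(spec, password, brute)
  if spec[:permute]
    permute_pw(password)
  elsif brute && spec[:brute_filter]
    password =~ spec[:brute_filter] ? [password] : []
  else
    [password]
  end
end

# How a password is echoed in result lines: upper-cased for the LM family,
# verbatim elsewhere.
#
# @param spec [Hash] SPECS entry
# @param candidate [String]
# @return [String]
def shown(spec, candidate)
  spec[:upcase] ? candidate.upcase : candidate
end

# Hex hash or challenge response for one guess under +type+.
#
# @param type [String] key of SPECS
# @param password [String] guess
# @param opts [Hash] :srvchal, :clichal (hex strings), :user, :domain — already validated
# @return [String] upper-case hex; for the v2 types only the first 32 chars,
#   which is the part compared against -a
def compute_hash(type, password, opts)
  srv = [opts[:srvchal]].pack("H*") if opts[:srvchal]
  cli = [opts[:clichal]].pack("H*") if opts[:clichal]

  case type
  when "HALFLM"
    # second argument selects the half (first block) variant of lm_hash — per its HALFLM use here
    hexify(CRYPT::lm_hash(password, true))
  when "LM"
    hexify(CRYPT::lm_hash(password.upcase))
  when "NTLM"
    hexify(CRYPT::ntlm_hash(password))
  when "HALFNETLMv1"
    # Remark: because of the [0,7] there is only a 1/256 chance that the guessed password is the right one
    arglm = { :lm_hash => CRYPT::lm_hash(password, true)[0, 7], :challenge => srv }
    hexify(CRYPT::lm_response(arglm, true))
  when "NETLMv1"
    arglm = { :lm_hash => CRYPT::lm_hash(password), :challenge => srv }
    hexify(CRYPT::lm_response(arglm))
  when "NETNTLMv1"
    argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password), :challenge => srv }
    hexify(CRYPT::ntlm_response(argntlm))
  when "NETNTLM2_SESSION"
    argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password), :challenge => srv }
    optntlm = { :client_challenge => cli }
    # bytes 24..47 of the joined result are the NT part that is compared
    hexify(CRYPT::ntlm2_session(argntlm, optntlm).join[24, 24])
  when "NETLMv2"
    arglm = { :ntlmv2_hash => CRYPT::ntlmv2_hash(opts[:user], password, opts[:domain]), :challenge => srv }
    optlm = { :client_challenge => cli }
    hexify(CRYPT::lmv2_response(arglm, optlm))[0, 32]
  when "NETNTLMv2"
    argntlm = { :ntlmv2_hash => CRYPT::ntlmv2_hash(opts[:user], password, opts[:domain]), :challenge => srv }
    optntlm = { :nt_client_challenge => cli }
    hexify(CRYPT::ntlmv2_response(argntlm, optntlm))[0, 32]
  end
end

# Stop with an error unless the wordlist path exists, is a regular file and is readable.
#
# @param list [String] path given with -l
def check_wordlist!(list)
  fail_with "[*] The passwords list file does not exist" unless File.exist?(list)
  fail_with "[*] The passwords list provided is not a file" unless File.file?(list)
  fail_with "[*] The passwords list file is not readable" unless File.readable?(list)
end

# Reject options that are meaningless for the chosen type instead of silently ignoring them.
#
# @param type [String]
# @param srvchal [String, nil]
# @param clichal [String, nil]
# @param user [String, nil]
# @param domain [String, nil]
def reject_extra_options!(type, srvchal, clichal, user, domain)
  case type
  when "HALFLM", "LM", "NTLM"
    fail_with "[*] No challenge, user or domain must be provided with this type" if srvchal || clichal || user || domain
  when "HALFNETLMv1", "NETLMv1", "NETNTLMv1"
    fail_with "[*] Client challenge, user or domain must not be provided with this type" if clichal || user || domain
  when "NETNTLM2_SESSION"
    fail_with "[*] User or domain must not be provided with this type" if user || domain
  end
end

# Stop unless -a has the hex length the type expects.
#
# @param hash [String, nil]
# @param type [String]
# @param len [Integer]
def require_hash!(hash, type, len)
  fail_with "[*] #{type} HASH must be exactly #{len} bytes of hexadecimal" unless hex?(hash, len)
end

# Stop when -p is outside the length the type can hash (no-op for types without a limit).
#
# @param pass [String]
# @param spec [Hash] SPECS entry
def require_password_length!(pass, spec)
  return unless spec[:pass_max]
  return if pass =~ /\A.{#{spec[:pass_min]},#{spec[:pass_max]}}\z/

  fail_with "[*] #{spec[:pass_label]} password can not be bigger then #{spec[:pass_max]} characters"
end

# Stop unless every challenge/identity option the type needs is present and well-formed.
#
# @param spec [Hash] SPECS entry
# @param opts [Hash] :srvchal, :clichal, :user, :domain
def require_context!(spec, opts)
  if spec[:srvchal]
    fail_with "[*] Server challenge must be provided with this type" unless opts[:srvchal]
    fail_with "[*] Server challenge must be exactly 16 bytes of hexadecimal" unless hex?(opts[:srvchal], 16)
  end

  case spec[:clichal]
  when :fixed
    fail_with "[*] Client challenge must be provided with this type" unless opts[:clichal]
    fail_with "[*] Client challenge must be exactly 16 bytes of hexadecimal" unless hex?(opts[:clichal], 16)
  when :blob
    # NTLMv2 carries a variable-length blob; anything beyond 16 hex chars is accepted (as before)
    fail_with "[*] Client challenge must be provided with this type" unless opts[:clichal]
    fail_with "[*] Client challenge must be bigger then 16 bytes of hexadecimal" unless opts[:clichal] =~ /\A[a-fA-F0-9]{17,}\z/
  end

  if spec[:identity]
    fail_with "[*] User name must be provided with this type" unless opts[:user]
    fail_with "[*] Domain name must be provided with this type" unless opts[:domain]
  end
end

# BRUTE_MODE: walk the wordlist, echo each guess, stop at the first match.
#
# The file is read in binary mode and streamed line by line, so large lists
# are not loaded into memory. Exits in every case.
#
# @param type [String]
# @param list [String] wordlist path
# @param hash [String] target hash (any case)
# @param spec [Hash] SPECS entry
# @param opts [Hash] validated challenge/identity options
def brute_force(type, list, hash, spec, opts)
  target = hash.upcase
  File.open(list, "rb") do |password_list|
    password_list.each_line do |line|
      candidates_for(spec, line.chomp, true).each do |candidate|
        puts candidate
        next unless compute_hash(type, candidate, opts) == target

        puts "[*] Correct password found : #{shown(spec, candidate)}"
        exit
      end
    end
  end
  puts "[*] No password found"
  exit
end

# HASH_MODE: print the hash/response of -p. Exits.
#
# @param type [String]
# @param pass [String]
# @param spec [Hash] SPECS entry
# @param opts [Hash] validated challenge/identity options
def print_hash(type, pass, spec, opts)
  puts "[*] The #{spec[:hash_name]} hash for #{shown(spec, pass)} is : #{compute_hash(type, pass, opts)}"
  exit
end

# PASS_MODE: test -p (and its case permutations for the NT types) against -a. Exits.
#
# @param type [String]
# @param pass [String]
# @param hash [String] target hash (any case)
# @param spec [Hash] SPECS entry
# @param opts [Hash] validated challenge/identity options
def check_password(type, pass, hash, spec, opts)
  target = hash.upcase
  candidates_for(spec, pass, false).each do |candidate|
    next unless compute_hash(type, candidate, opts) == target

    puts "[*] Correct password provided : #{shown(spec, candidate)}"
    exit
  end
  puts "[*] Incorrect password provided : #{shown(spec, pass)}"
  exit
end

type = hash = pass = srvchal = clichal = list = user = domain = nil

$args = Rex::Parser::Arguments.new(
  "-t" => [ true, "The type of hash to crack : HALFLM/LM/NTLM/HALFNETLMv1/NETLMv1/NETNTLMv1/NETNTLM2_SESSION/NETLMv2/NETNTLMv2" ],
  "-a" => [ true, "The hash to crack" ],
  "-p" => [ true, "The password " ],
  "-l" => [ true, "The list of password to check against an hash" ],
  "-s" => [ true, "The LM/NTLM Server Challenge (NET* type only)" ],
  "-c" => [ true, "The LM/NTLM Client Challenge (NETNTLM2_SESSION/NETLMv2/NETNTLMv2/ type only)" ],
  "-u" => [ true, "The user name (NETLMv2/NETNTLMv2 type only)" ],
  "-d" => [ true, "The domain (machine) name (NETLMv2/NETNTLMv2 type only)" ],
  "-h" => [ false, "Display this help information" ])

$args.parse(ARGV) { |opt, _idx, val|
  case opt
  when "-t" then type = val
  when "-a" then hash = val
  when "-p" then pass = val
  when "-l" then list = val
  when "-s" then srvchal = val
  when "-c" then clichal = val
  when "-u" then user = val
  when "-d" then domain = val
  else usage # covers -h and anything unknown
  end
}

usage unless type

# The option combination decides the mode; any other combination is a usage error.
mode =
  if pass && !(hash || list)
    HASH_MODE
  elsif pass && hash && !list
    PASS_MODE
  elsif list && hash && !pass
    BRUTE_MODE
  else
    usage
  end

check_wordlist!(list) if mode == BRUTE_MODE
reject_extra_options!(type, srvchal, clichal, user, domain)

spec = SPECS[type]
fail_with "type must be of type : #{TYPE_LIST}" unless spec

opts = { :srvchal => srvchal, :clichal => clichal, :user => user, :domain => domain }

# Validation order per mode matches the original branches: password length,
# then target hash, then challenges/identity.
case mode
when BRUTE_MODE
  require_hash!(hash, type, spec[:hash_len])
  require_context!(spec, opts)
  brute_force(type, list, hash, spec, opts)
when HASH_MODE
  require_password_length!(pass, spec)
  require_context!(spec, opts)
  print_hash(type, pass, spec, opts)
when PASS_MODE
  require_password_length!(pass, spec)
  require_hash!(hash, type, spec[:hash_len])
  require_context!(spec, opts)
  check_password(type, pass, hash, spec, opts)
end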