I have obtained some hashes using crackmapexec and dumping from the LSA process. The hashes are in this form (the data below is fake):
adm_name:c6f132a235209036744ba5d303bd5d9b:SOME.ORGANISATION.COM:ORGANISATION:::
The hash identification utilities in Kali do not recognize the hash as it is, but they give some output if the hash is modified.
For the hash-identifier tool
Input:
c6f132a235209036744ba5d303bd5d9b
Results:
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
For the hashid tool
Input:
adm_name:c6f132a235209036744ba5d303bd5d9b
Outputs:
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
john accepts the hashes as they are, but reports:
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-old"
Use the "--format=NT-old" option to force loading these as that type instead
hashcat will attempt to crack them (using the -m 1000 flag for NTLM hash types) if the format is just the digest (as in the hash-identifier input example above).
I assume these cannot be used in a "pass the hash" attack, since the digest appears to be the cached NT hash credential type (unsalted MD4). (link)
Besides revealing the usernames, what use are hashes in this form to an attacker? Any guidance would be great!