Fatal编程技术网
  • hash/
  • Hash 是否可以将NetMTLMv2哈希转换为NTLM哈希?

Hash 是否可以将NetMTLMv2哈希转换为NTLM哈希?

hash

Hash 是否可以将NetMTLMv2哈希转换为NTLM哈希?,hash,type-conversion,ntlm,Hash,Type Conversion,Ntlm,有没有办法将NetNTLMv2转换为ntlm哈希? 例如,123的ntlm值为 3DBDE697D71690A769204BEB12283678 计算机“PC”中用户“try”的相同密码,该计算机的私有ip地址为192.168.73.130 NetNTLMv2值为 try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002

有没有办法将NetNTLMv2转换为ntlm哈希? 例如,123的ntlm值为

3DBDE697D71690A769204BEB12283678
计算机“PC”中用户“try”的相同密码,该计算机的私有ip地址为192.168.73.130 NetNTLMv2值为

try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000
我们可以在不知道任何凭据的情况下将此NetNTLMv2转换为NTLM(
3DBDE697D71690A769204BEB12283678
)吗?

没有答案:)但这没问题,因为我做了一些研究并找到了答案。目前还没有办法将NetNTLMv2转换为NTLM。实际上,NTLM哈希是生成NetNTLMv2的第一个密钥。我决定解释一下它是如何工作的

要计算和比较NTLMv2,应首先计算密码的NTLM值,在本例中,该值为
123
。为了演示它,我将使用python 2.7。开始之前,您应该导入这些模块
hashlib、binascii、hmac

使用python计算的
123
的NTLM值如下:

_ntlm = hashlib.new("md4", "123".encode("utf-16-le")).digest()
ntlm = binascii.hexlify(_ntlm)

firstHMAC = hmac.new("3dbde697d71690a769204beb12283678".decode("hex"),"54005200590050004300".decode("hex"),hashlib.md5).hexdigest()
firstHMAC ==> 2381ca3f5e9c4534722cd511f6a4c983

try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000 

firstHMAC = "2381ca3f5e9c4534722cd511f6a4c983"
type2Challange = "d158262017948de9010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000"
ntlmv2 = hmac.new(firstHMAC.decode("hex"),type2Challange.decode("hex"),hashlib.md5).hexdigest()
ntlmv2 ==> 91642a8388d64d40f6c31b694e79363e
结果为3dbde697d71690a769204beb12283678
3dbde697d71690a769204beb12283678
,该值将用作第一次HMAC_MD5计算的键

要做到这一点,我们应该连接用户名和域名。如果您不在域上工作,您将使用您的计算机名。在这种情况下,我的用户名是
试试
,我的计算机名是
PC
。 当我们连接is时,它将变成
tryPC
。然后将该值转换为小尾端格式的unicode大写。我们将使用NTLM of
123
作为一个键来生成此值的HMAC_MD5哈希

"tryPC"==> "TRYPC" ==> '54005200590050004300' (UTF-16-le in hexadecimal)
我们用pyhton计算,如下所示:

"tryPC".upper().encode("utf-16-le").encode("hex")
然后,我们使用键3dbde697d71690a769204beb12283678计算HMAC_MD5(540052005900050004300)

在python中,其计算如下:

_ntlm = hashlib.new("md4", "123".encode("utf-16-le")).digest()
ntlm = binascii.hexlify(_ntlm)

firstHMAC = hmac.new("3dbde697d71690a769204beb12283678".decode("hex"),"54005200590050004300".decode("hex"),hashlib.md5).hexdigest()
firstHMAC ==> 2381ca3f5e9c4534722cd511f6a4c983

try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000 

firstHMAC = "2381ca3f5e9c4534722cd511f6a4c983"
type2Challange = "d158262017948de9010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000"
ntlmv2 = hmac.new(firstHMAC.decode("hex"),type2Challange.decode("hex"),hashlib.md5).hexdigest()
ntlmv2 ==> 91642a8388d64d40f6c31b694e79363e
之后,我们将使用firstHMAC作为键来计算Type2 challange的HMAC_MD5值

Type2 challange与服务器challange和blob相结合

NetNTLMv2的网络响应如下:

_ntlm = hashlib.new("md4", "123".encode("utf-16-le")).digest()
ntlm = binascii.hexlify(_ntlm)

firstHMAC = hmac.new("3dbde697d71690a769204beb12283678".decode("hex"),"54005200590050004300".decode("hex"),hashlib.md5).hexdigest()
firstHMAC ==> 2381ca3f5e9c4534722cd511f6a4c983

try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000 

firstHMAC = "2381ca3f5e9c4534722cd511f6a4c983"
type2Challange = "d158262017948de9010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000"
ntlmv2 = hmac.new(firstHMAC.decode("hex"),type2Challange.decode("hex"),hashlib.md5).hexdigest()
ntlmv2 ==> 91642a8388d64d40f6c31b694e79363e
当我们根据
拆分此响应时:
索引3是服务器challange,即
d158262017948de9
 以“01010000…”开头的索引5表示blob值。Blob值还包括Blob符号、保留字段、时间戳、随机客户端nonce和目标信息。我不提供这个斑点的细节

要计算NTLMv2,我们应该将服务器challange和blob连接起来,以使用
firstHMAC
作为键来计算其HMAC_MD5值

在Python中,我们这样做:

_ntlm = hashlib.new("md4", "123".encode("utf-16-le")).digest()
ntlm = binascii.hexlify(_ntlm)

firstHMAC = hmac.new("3dbde697d71690a769204beb12283678".decode("hex"),"54005200590050004300".decode("hex"),hashlib.md5).hexdigest()
firstHMAC ==> 2381ca3f5e9c4534722cd511f6a4c983

try::PC:d158262017948de9:91642a8388d64d40f6c31b694e79363e:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000 

firstHMAC = "2381ca3f5e9c4534722cd511f6a4c983"
type2Challange = "d158262017948de9010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000"
ntlmv2 = hmac.new(firstHMAC.decode("hex"),type2Challange.decode("hex"),hashlib.md5).hexdigest()
ntlmv2 ==> 91642a8388d64d40f6c31b694e79363e
若该值等于NetNTLMv2响应的第四个索引,则将对您进行验证。在这种情况下,第四个索引等于91642a8388d64d40f6c31b694e79363e

根据服务器challange和blob值,您将始终获得不同的NTLMv2值,并且只有在拥有正确密码的情况下才能计算此值

换句话说,我们可以用NTLM生产NetNTLMv2。但是,我们无法将NetNTLMv2转换回NTLM,因为[cryptographic]哈希函数是单向函数