fix: normalize ntlm hash output for compatibility with external parsers #319

Merged
l50 merged 2 commits into main from fix/loot-report-strip-ntlm-lm-prefix
May 15, 2026
@l50 l50 commented May 15, 2026

Key Changes:

  • Normalized NTLM hash output to exclude LM portion, ensuring strict 32-hex NT compatibility
  • Added report_hash_value function to handle hash output normalization logic
  • Updated loot JSON serialization to use normalized hash values
  • Introduced comprehensive tests for hash normalization behavior

Added:

  • NTLM hash normalization logic - Implemented report_hash_value to strip LM portion from NTLM LM:NT pairs and return only the NT hash for JSON output
  • Unit tests for hash normalization - Added tests to ensure correct handling of NTLM, Kerberos, and AES hash values in report_filter.rs

Changed:

  • Loot JSON formatting - Updated print_loot_json to use the new report_hash_value function when serializing hash_value fields, ensuring only the NT portion is reported for NTLM hashes

Removed:

  • Documentation comments for unused code - Cleaned up outdated comments related to system accounts in report_filter.rs

l50 added 2 commits May 15, 2026 09:34
**Added:**

- Added `report_hash_value` function to output only bare NT hash for NTLM `LM:NT` pairs, ensuring compatibility with external scoreboards expecting strict 32-hex NT hashes
- Added tests for `report_hash_value` to cover NTLM pairs, bare NT, Kerberos blobs, and non-NTLM hashes

**Changed:**

- Updated loot JSON output to use `report_hash_value` for NTLM hashes, stripping LM part when appropriate
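
The normalization described in this pull request, sketched as an added example (not the project's `report_hash_value`, whose signature is not shown on this page). The function name `normalize_for_report`, the hash-type labels and the sample values are assumptions.

```rust
// Added example: a hypothetical normalizer, not the project's report_hash_value.

/// True when `s` is exactly 32 hex characters, the width of one LM or NT hash.
fn is_hex32(s: &str) -> bool {
    s.len() == 32 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Value to emit in a report for a stored credential hash.
/// The `hash_type` labels ("ntlm", "kerberos", "aes256") are assumptions.
fn normalize_for_report<'a>(hash_type: &str, value: &'a str) -> &'a str {
    if !hash_type.eq_ignore_ascii_case("ntlm") {
        // Kerberos blobs and AES keys are passed through byte for byte.
        return value;
    }
    // Rewrite only the exact LM:NT shape: two 32-hex fields around one colon.
    match value.split_once(':') {
        Some((lm, nt)) if is_hex32(lm) && is_hex32(nt) => nt,
        // Bare NT hashes and malformed values are returned unchanged.
        _ => value,
    }
}

// Constructed samples: the well-known LM and NT hashes of an empty password.
const EMPTY_LM: &str = "aad3b435b51404eeaad3b435b51404ee";
const EMPTY_NT: &str = "31d6cfe0d16ae931b73c59d7e0c089c0";

fn main() {
    let pair = format!("{}:{}", EMPTY_LM, EMPTY_NT);
    let samples = [
        ("ntlm", pair.as_str()),
        ("ntlm", EMPTY_NT),
        // Constructed placeholder blob and key, not real credentials.
        ("kerberos", "$krb5tgs$23$*svc$EXAMPLE.LOCAL$http/web*$0123abcd$89ef"),
        ("aes256", "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
    ];
    for (kind, value) in samples {
        println!("{:>8}  {}", kind, normalize_for_report(kind, value));
    }
}
```

Gating on the type label as well as the shape keeps an unrelated value that happens to look like two 32-hex fields from being truncated in the report.
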
codecov Bot commented May 15, 2026

Codecov Report

❌ Patch coverage is 97.05882% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 78.81%. Comparing base (ef9b34c) to head (a5218e1).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ares-cli/src/ops/loot/format/json.rs | 0.00% | 1 Missing ⚠️ |

@@           Coverage Diff           @@
##             main     #319   +/-   ##
=======================================
  Coverage   78.81%   78.81%           
=======================================
  Files         439      439           
  Lines      124461   124494   +33     
=======================================
+ Hits        98092    98124   +32     
- Misses      26369    26370    +1     

| Files with missing lines | Coverage Δ |
| --- | --- |
| ares-cli/src/ops/loot/format/report_filter.rs | 99.38% <100.00%> (+0.15%) ⬆️ |
| ares-cli/src/ops/loot/format/json.rs | 38.33% <0.00%> (ø) |

... and 1 file with indirect coverage changes

@l50 l50 merged commit 0eb1c74 into main May 15, 2026
12 checks passed
@l50 l50 deleted the fix/loot-report-strip-ntlm-lm-prefix branch May 15, 2026 16:03