Skip to content
This repository

Parses ntlmssp netlm[v2] hashes out of a pcap file for use with a password cracker.

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 README
Octocat-spinner-32 ntlmssp.py
README
This script can pull ntlmssp hashes with the challenge/response from a pcap.
Requires scapy

It's pretty slow, and I'm not entirely sure if it gets the correct server challenge yet. (update: i've successfully cracked hashes from this script, implying it has all that is necessary)
UPDATE: I got a 350% speedup on a 1700 packet file when using pypy
It's also terribly written, all my type checking and return checking is in all the 
wrong places. Essentially it's a dirty hack that *should* get the job done

My old method, seen here (http://psychomari0.wordpress.com/2012/04/04/pcaptontlmssp/) 
doesn't seem to work becuase the username is unicode and the -z to show the username is null terminated

USAGE:
python ntlmssp.py <outfile.pcap>

!!IMPORTANT!!
You MUST run:
    tshark -r <file>.pcap 'ntlmssp.ntlmserverchallenge or ntlmssp.ntlmclientchallenge' -w <outfile.pcap>
before running this program, or it will take ages.

Becuase scapy doesn't have a state machine, like tcp.stream in wireshark/tshark, my method for finding the
server/client pair is kind of botched. I basically flip source and dest ip and ports and take the first packet
Something went wrong with that request. Please try again.