NTLMRawUnHide – A Python3 Script Designed To Parse Network Packet Capture Files And Extract NTLMv2 Hashes In A Crackable Format

NTLMRawUnhide.py is a Python3 script designed to parse network packet capture files and extract NTLMv2 hashes in a crackable format. The tool was designed to extract NTLMv2 hashes from files created by native Windows binaries like NETSH.EXE and PKTMON.EXE without any conversion step.

The following binary network packet capture formats are supported:

  • *.pcap
  • *.pcapng
  • *.cap
  • *.etl

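Whatever the container format, what the script ultimately has to find in the bytes is the NTLMSSP AUTHENTICATE_MESSAGE (Type 3), which carries the domain, user name, workstation and the NT challenge response. The following is an added example, not code from NTLMRawUnhide or its author: it locates Type 3 messages in raw bytes by their "NTLMSSP\0" signature (an assumption here is that scanning for the signature works across pcap and etl framing, as the tool's multi-format support suggests), decodes the identity fields per MS-NLMP, and reports whether NTLMv1 or NTLMv2 was used, which is what a defender wants from such a capture: an inventory of who still authenticates with NTLM, and from where. The sample messages and the stream they are embedded in are constructed inline.

```python
"""Find NTLMSSP AUTHENTICATE (Type 3) messages in raw bytes and report the
identity fields and NTLM version. Added example; field layout per MS-NLMP 2.2.1.3."""
import struct
import sys

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _buffer(msg, at):
    """Read a security-buffer descriptor (Len, MaxLen, Offset) at `at`
    and return the payload bytes it points to (offsets are message-relative)."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def parse_authenticate(msg):
    """Return identity fields and NT-response details from one AUTHENTICATE_MESSAGE."""
    if not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE_MESSAGE:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when the UNICODE flag was negotiated, else OEM code page.
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    nt_response = _buffer(msg, 20)
    return {
        "domain": _buffer(msg, 28).decode(encoding),
        "user": _buffer(msg, 36).decode(encoding),
        "workstation": _buffer(msg, 44).decode(encoding),
        # An NTLMv1 NT response is exactly 24 bytes; an NTLMv2 response is a
        # 16-byte NTProofStr followed by a variable-length blob, so it is longer.
        "version": "NTLMv2" if len(nt_response) > 24 else "NTLMv1",
        "nt_response_len": len(nt_response),
    }


def find_authenticate_messages(data):
    """Scan raw bytes (a reassembled TCP stream, or a whole capture file) for Type 3 messages."""
    found = []
    pos = 0
    while (idx := data.find(NTLMSSP_SIGNATURE, pos)) != -1:
        try:
            if struct.unpack_from("<I", data, idx + 8)[0] == AUTHENTICATE_MESSAGE:
                found.append(parse_authenticate(data[idx:]))
        except (struct.error, ValueError, UnicodeDecodeError):
            pass  # truncated or not a real message; keep scanning
        pos = idx + len(NTLMSSP_SIGNATURE)
    return found


def summarize(records):
    """One line per authentication; NTLMv1 is called out because it is the weak variant."""
    lines = []
    for r in records:
        flag = "  <-- NTLMv1, legacy and weak" if r["version"] == "NTLMv1" else ""
        lines.append(f"{r['version']}: {r['domain']}\\{r['user']} from {r['workstation']}{flag}")
    return lines


def build_authenticate(domain, user, workstation, nt_response):
    """Constructed test input: a minimal Type 3 message with Version and MIC fields present."""
    items = [b"\x00" * 24, nt_response,                      # LM and NT responses
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]           # no encrypted session key
    header_len = 88  # signature .. MIC inclusive
    descriptors, payload, offset = b"", b"", header_len
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + bytes(8) + bytes(16) + payload)


# Constructed NTLMv2 response: NTProofStr, blob header 0x0101, reserved, timestamp,
# client challenge, reserved, and an empty AV-pair list terminator (48 bytes total).
SAMPLE_NTLMV2_RESPONSE = (bytes(range(16)) + b"\x01\x01" + bytes(6) + bytes(8)
                          + b"\xaa" * 8 + bytes(4) + bytes(4))
SAMPLE_NTLMV1_RESPONSE = b"\x11" * 24  # constructed 24-byte NTLMv1 response
# Constructed stand-in for a capture: two authentications with filler bytes around them.
SAMPLE_STREAM = (bytes(12) + build_authenticate("CORP", "alice", "WS01", SAMPLE_NTLMV2_RESPONSE)
                 + b"\xff" * 5 + build_authenticate("CORP", "svc_backup", "WS02", SAMPLE_NTLMV1_RESPONSE))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for line in summarize(find_authenticate_messages(blob)):
        print(line)
```

Run it with no arguments to see the two constructed authentications, or pass a capture file path to scan real bytes. Note that a message whose buffers sit beyond the bytes available is reported on whatever could be read, so a truncated capture can yield short or empty strings rather than an error.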
Usage

Usage: NTLMRawUnhide.py -i <inputfile> [-o <outputfile>] [-f] [-h] [-q] [-v]
Main options:
  -f, --follow     Continuously "follow" (i.e. "read from") the
                   input file for new data
  -h, --help
  -i, --input      Binary packet data input file
                   (.pcap, .pcapng, .cap, .etl, others?)
  -o, --output     Output file to record any found NTLM
                   hashes
  -q, --quiet      Be a lot more quiet and only output
                   found NTLM hashes. --quiet will also
                   disable verbose, if specified.
  -v, --verbose

Examples

Extract NTLMv2 hashes from examples/capture.pcap:

python3 NTLMRawUnhide.py -i examples/capture.pcap

Same, but with verbose output:

python3 NTLMRawUnhide.py -i examples/capture.pcap -v

Extract NTLMv2 hashes from examples/capture.pcap and continue to check the file for new hashes (like tail -f):

python3 NTLMRawUnhide.py -i examples/capture.pcap -f

Extract NTLMv2 hashes from examples/capture.pcap and write the extracted hashes to /tmp/hashes.txt:

python3 NTLMRawUnhide.py -i examples/capture.pcap -o /tmp/hashes.txt

Packet Capture Methods

To create a compatible packet capture file, any of the following methods can be used:

  • Wireshark:
Set the capture filter to "tcp port 445", then save as .pcapng
  • tcpdump
tcpdump -i eth0 -w capture.pcap "port 445"
  • NETSH.EXE
netsh.exe trace start persistent=yes capture=yes TCP.AnyPort=445 tracefile=C:\Users\Public\capture.etl
netsh.exe trace stop
  • PKTMON.EXE
pktmon.exe filter add SMB -p 445
:: List all filters
pktmon.exe filter list
:: Find the id of the network adapter (example: Id: 9)
pktmon.exe comp list
:: pktmon.exe start --etw -p -c [Adapter ID]
pktmon.exe start --etw -p -c 9
:: Creates the file PktMon.etl in the current directory
pktmon.exe stop
:: Cleanup
pktmon.exe filter remove

References

The following URL was very helpful when developing this tool: The NTLM Authentication Protocol and Security Support Provider, http://davenport.sourceforge.net/ntlm.html
