PRIMARY CATEGORY – WINDOWS CREDENTIALS
Hashcat Modes
| HASH | ENCRYPTION TYPE | HASHCAT MODE |
|---|---|---|
| NTLM | RC4-HMAC | 1000 |
| Net-NTLMv2 | HMAC-MD5 | 5600 |
| DCC2 | PBKDF2-HMAC-SHA1 | 2100 |
| AES128 | AES128-CTS-HMAC-SHA1-96 | 28800 |
| AES256 | AES256-CTS-HMAC-SHA1-96 | 28900 |
NT Hashes
Hashcat
Hashcat Type – 1000
hashcat --force -O --user --hash-type 1000 <OUTPUT_FILE>.hash <WORDLIST>
hashcat --force -O --user --hash-type 1000 <OUTPUT_FILE>.hash <WORDLIST> --show
Net-NTLMv2 Response
Hashcat
Hashcat Type – 5600
hashcat --force -O --attack-mode 0 --hash-type 5600 <OUTPUT_FILE>.hash <WORDLIST>
hashcat --force -O --attack-mode 0 --hash-type 5600 <OUTPUT_FILE>.hash <WORDLIST> --show
Kerberos EKeys
| HASH | ENCRYPTION TYPE | KERBEROS ETYPE | HASHCAT MODE |
|---|---|---|---|
| NTLM | RC4-HMAC | 23 | 1000 |
| AES128 | AES128-CTS-HMAC-SHA1-96 | 17 | 28800 |
| AES256 | AES256-CTS-HMAC-SHA1-96 | 18 | 28900 |
Hashcat
AES-128
Hashcat Type – 28800
The hash must be in the following format before hashcat will accept it:
$krb5db$17$<PRINCIPAL>$<REALM>$<AES-128_KEY>
e.g.
$krb5db$17$test$TEST.LOCAL$1c41586d6c060071e08186ee214e725e
To crack this hash:
hashcat --force -O --attack-mode 0 --hash-type 28800 <AES128_HASH> <WORDLIST>
AES-256
Hashcat Type – 28900
The hash must be in the following format before hashcat will accept it:
$krb5db$18$<PRINCIPAL>$<REALM>$<AES-256_KEY>
e.g.
$krb5db$18$test$TEST.LOCAL$266b5a53a6d663c3f69174f3309acada8e467c097c7973699f86286a6cf1a6c7
To crack this hash:
hashcat --force -O --attack-mode 0 --hash-type 28900 <AES256_HASH> <WORDLIST>
DCC2 Hashes
Domain Cached Credentials 2
Theory
It is stored within HKLM:\SECURITY\Cache when a client logs in with a domain user account on a domain-joined computer.
This hash is the result of applying a PBKDF2-HMAC-SHA1 function to the concatenation of the user's NTLM hash and the user name itself:
# The concatenation is first reduced with MD4; that digest (DCC1, the "mscash" value) is the PBKDF2 input
DCC1 = MD4(NTLM_hash + username_lower_utf16le)
DCC2 = PBKDF2-HMAC-SHA1(
    key = DCC1,
    salt = username_lower_utf16le,
    iterations = 10240,
    key_length = 16 bytes
)
$DCC2$10240#<USERNAME>#23d97555681813db79b2ade4b4a6ff25
It is encrypted using the SYSTEM's Bootkey as the symmetric key before being stored in the HKLM:\SECURITY\Cache hive.
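The DCC2 derivation above, worked through as an added Python example (not part of the original page): it computes the digest from a user name and password, renders the `$DCC2$10240#<USERNAME>#<HEX>` line that mode 2100 consumes, and parses such a line back to check whether a candidate password reproduces it. The user name and password in the usage are constructed; the pure-Python MD4 is a fallback because Python builds on OpenSSL 3 often reject `hashlib.new("md4")`.

```python
import hashlib
import hmac
import struct

def _md4_pure(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320) fallback for OpenSSL 3 builds without the legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (mix function, additive constant, X[] word order, per-step shift amounts)
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so every step writes into "a"
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # "unsupported hash type md4" on OpenSSL 3 without the legacy provider
        return _md4_pure(data)

def dcc2_digest(username: str, password: str, iterations: int = 10240) -> str:
    """DCC1 = MD4(NT hash || UTF-16LE(lower(username))); DCC2 = PBKDF2-HMAC-SHA1 over DCC1."""
    user = username.lower().encode("utf-16-le")
    nt_hash = md4(password.encode("utf-16-le"))   # the mode 1000 value
    dcc1 = md4(nt_hash + user)
    return hashlib.pbkdf2_hmac("sha1", dcc1, user, iterations, dklen=16).hex()

def dcc2(username: str, password: str) -> str:
    """Render the $DCC2$<iterations>#<username>#<hex> line that hashcat mode 2100 consumes."""
    return f"$DCC2$10240#{username}#{dcc2_digest(username, password)}"

def verify_dcc2(hash_line: str, password: str) -> bool:
    """Parse a $DCC2$ line and check whether a candidate password reproduces its digest."""
    head, username, digest = hash_line.split("#")   # head is "$DCC2$<iterations>"
    iterations = int(head.split("$")[2])
    return hmac.compare_digest(dcc2_digest(username, password, iterations), digest.lower())

if __name__ == "__main__":
    # Constructed sample: user "Alice" with password "Winter2024!"
    print(dcc2("Alice", "Winter2024!"), verify_dcc2(dcc2("Alice", "Winter2024!"), "Winter2024!"))
```

The salt and the DCC1 input use the lower-cased user name, so `Alice` and `ALICE` yield the same digest; the iteration count is read from the line rather than assumed.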
Hashcat
Hashcat Type – 2100
hashcat --force -O --attack-mode 0 --hash-type 2100 <HASH> <WORDLIST>
hashcat --force -O --attack-mode 0 --hash-type 2100 <HASH> <WORDLIST> --show
John the Ripper
JtR Format – mscash2
john --format=mscash2 --wordlist=<WORDLIST> <HASH>