So, with shuck.sh, I don't have to use crack.sh anymore?
Absolutely NOT! Shuck.sh cannot guarantee 100% results, but is dependent on data leaks from Have I Been Pwned. No brute force nor rainbow tables are used, unlike Crack.sh.
Shuck.sh can therefore guarantee a 100% result if, and only if, the resulting NT-hash has leaked in the past. The NetNTLMv1 challenges of computer accounts, with a complex password autogenerated by the Active Directory, are therefore not relevant because they are rarely present in the leaks...
Crack.sh remains a project for research purposes only, in order to demonstrate to the community that the use of the DES algorithm is no longer considered secure at all. Shuck.sh follows the same logic, and is only dedicated to saving time and relieving the computational load of Crack.sh by exploiting the Hash Shucking technique (less intensive calculations, more eco-responsible!).
My NetNTLMv1 challenges are secured with ESS/SSP: will I have potential results for free?
YES! Shuck.sh performs Hash Shucking with or without the presence of ESS/SSP and with any challenge value, all for free and with the same performance (in seconds)!
Crack.sh offers to process NetNTLMv1 without ESS/SSP with the explicit challenge 1122334455667788 via dedicated rainbow tables for free. However, if the challenge is different or if there is the presence of ESS/SSP, it becomes chargeable and longer.
I have customer's challenges from a security assessment. I don't want to submit them online, can I use Shuck.sh locally?
Yes of course! Shuck.sh is based on a single script available on the author's Github. Anyone can therefore use it locally after downloading the huge HIBP database and converting it into a usable format (detailled on GitHub).
The public online version of Shuck.sh is fully functional and integrates the latest HIBP database, without ever keeping track of jobs submitted by users, obviously.
Do you plan to process NetNTLMv2 hashes with Shuck.sh?
Also captured by tools like Responder, NetNTLMv2 are harder to process while using the same concepts as NetNTLMv1. Different cryptographic algorithms are used (HMAC-MD5 instead of DES). Thus, neither Shuck.sh nor Crack.sh are intended and able to deal with this type of jobs.
As a blue team, which algorithms are therefore to be favored in a Microsoft ecosystem?
Try to eradicate NetNTLMv1 as much as possible (with or without ESS/SSP). Favor NetNTLMv2 or, better, Kerberos negotiations.
But, in the end, what is the definition of "Hash Shucking"?
Password shucking is a method of stripping layers off an updated password hash, removing the benefits of its new password hashing algorithm and reverting it to its weaker algorithm. Password shucking can be used by an attacker against old rehashed passwords or pre-hash passwords, enabling them to strip away or "shuck" off the strong outer password hashing algorithm.
