shuck.sh

Shuck hash before trying to crack it

Converter

Through the converter, dissect an authentication token (NetNTLMv1 with or without ESS/SSP, MSCHAPv2, PPTP-VPN, NET(NT)LM, etc.) on the fly to generate other formats, and try to find the original NT-hash by providing the DES-keys (K1 and K2) obtained via the DES-KPA mode of Hashcat (14000).

The Converter form takes an authentication token and, optionally, the DES keys K1 and K2 (a sample token can be loaded into the form). For the input token it displays:

  • Other formats for the same token: login::domain:lmresp:ntresp:clientChall, $MSCHAPv2$..., $NETLM$..., $NETNTLM$..., $99$..., LMHASH:... and NTHASH:...
  • NTresp split into CT1, CT2 and CT3, and whether ESS/SSP is in use.
  • The client challenge, the server challenge (LMresp[0:16] + 0-padding) and the final challenge md5(clientChall+serverChall)[0:16].
  • The DES-KPA relation DES-ECB({K1,K2,K3}, FinalChallenge) === {CT1,CT2,CT3}, with the keys K1, K2, K3 and the derived plaintexts PT1, PT2, PT3 that form the NT-hash.

Note:
This Converter makes it possible to follow the inverse sequence to deduce a NT-hash.
The integrity and validity of the resulting NT-hash is checked automatically against the keys K1, K2 and K3, the challenge and NTresp (CT1, CT2 and CT3).

  • Valid indicator: the entered or calculated value is valid.
  • Invalid indicator: the value is unknown or invalid (try swapping K1 and K2 if both are known).
This online module integrates the algorithms of the evilmog tools (ntlm-to-des) as well as the hashcat-utils (deskey_to_ntlm and ct3_to_ntlm) in order to simplify the manipulation of these values in a single place to obtain the right NT-hash.

Explanation:
To find the initial NT-hash corresponding to an authentication token of the NTLM protocol, the main problem is to recover the 3 DES keys K1, K2 and K3.

  1. The token can be split into 3 ciphertexts of 8 bytes each, called CT1, CT2 and CT3.
  2. The final challenge is also present in the token:
    • either only the client-side challenge is present in the token, in the absence of ESS/SSP security;
    • or, when ESS/SSP is used, the client challenge is present and the server challenge is located in the first 8 bytes of the LM-response, padded with zeros. In this case the final challenge is the first 8 bytes of the MD5 hash of the concatenation of the client challenge and the server challenge.
  3. At this stage of the dissection, the following symmetric cipher formulas can be established where only the keys K1, K2 and K3 are unknown:
    DES-ECB(K1, FinalChallenge) === CT1
    DES-ECB(K2, FinalChallenge) === CT2
    DES-ECB(K3, FinalChallenge) === CT3
    We know the ciphertexts (CT1, CT2 and CT3) as well as the plaintext (the final challenge), so a DES-KPA (Known-Plaintext Attack) is what is needed.
  4. The key K3, derived by bit operations from the last two bytes of the NT-hash (PT3), turns out to be weaker than the others: it can be brute-forced almost instantly by iterating over every possible 2-byte PT3 candidate (0x0000-0xFFFF).
  5. To obtain K1 and K2, a more time-consuming and resource-intensive DES-KPA attack is required. These keys can also be obtained almost instantly via the Hash-Shucking module, by searching among a selected subset of NT-hash-candidates (ending with known PT3).
  6. Once K1, K2 and K3 are known, the parts of the final NT-hash PT1, PT2 and PT3 can be derived via bit operations (the low bit of each DES key byte is the parity bit; dropping it and repacking the remaining 7 bits per byte gives the 7-byte NT-hash part), as in this JavaScript from the Converter:
    // arrayin: the 8 bytes of a DES key (K1, K2 or K3); returns the 7 bytes of the NT-hash part (PT1, PT2, or PT3 + 0-padding)
    function deskeyToNtlm(arrayin) {
      const arrayout = [];
      arrayout.push((((arrayin[0] & 0xfe) | (arrayin[1] >> 7)) & 0xff));
      arrayout.push((((arrayin[1] << 1 & 0xFc) | (arrayin[2] >> 6)) & 0xff));
      arrayout.push((((arrayin[2] << 2 & 0xf8) | (arrayin[3] >> 5)) & 0xff));
      arrayout.push((((arrayin[3] << 3 & 0xF0) | (arrayin[4] >> 4)) & 0xff));
      arrayout.push((((arrayin[4] << 4 & 0xe0) | (arrayin[5] >> 3)) & 0xff));
      arrayout.push((((arrayin[5] << 5 & 0xc0) | (arrayin[6] >> 2)) & 0xff));
      arrayout.push((((arrayin[6] << 6 & 0x80) | (arrayin[7] >> 1)) & 0xff));
      return arrayout;
    }
    
  7. Finally, the NT-hash can be reconstructed via the concatenation of PT1, PT2 and PT3.
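As an added example (not the Converter's own code, nor that of evilmog's tools or hashcat-utils), the following Python carries steps 4 to 7 in both directions: the Generator direction (NT-hash padded with 5 zero bytes, split into PT1|PT2|PT3, each 7-byte part expanded into a DES key with odd parity bits) and the Converter direction (the same repacking as the JavaScript above, written as a loop, plus the check that the last 5 bytes of the repacked K3 are the zero padding, and the two K1/K2 orderings that hashcat leaves ambiguous). The function names and the sample NT-hash value are this example's own (the NT-hash is a constructed value, not a real account's); the one 8-byte key taken from the page's hashcat output example is only repacked, which says nothing about whether it is K1 or K2, and the DES-ECB verification against CT1/CT2/CT3 is left to the Converter.

```python
from typing import List, Optional, Tuple


def deskey_to_ntlm(key: bytes) -> bytes:
    """8-byte DES key -> 7-byte NT-hash part (same repacking as hashcat-utils deskey_to_ntlm).

    The low bit of every key byte is the DES parity bit and is discarded; the
    remaining 7 bits per byte are concatenated into 56 bits = 7 bytes.
    """
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)  # keep the 7 high bits of each byte
    return bits.to_bytes(7, "big")


def ntlm_to_deskey(part: bytes) -> bytes:
    """7 NT-hash bytes -> 8-byte DES key, odd parity in the low bit of each byte."""
    if len(part) != 7:
        raise ValueError("a DES key is built from 7 NT-hash bytes")
    bits = int.from_bytes(part, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(seven).count("1") % 2 else 1  # makes the 8-bit byte odd
        key.append((seven << 1) | parity)
    return bytes(key)


def nthash_to_deskeys(nthash: bytes) -> Tuple[bytes, bytes, bytes]:
    """Generator direction: NT-hash (16 bytes) + 5 zero bytes -> PT1|PT2|PT3 -> K1, K2, K3."""
    if len(nthash) != 16:
        raise ValueError("an NT-hash is 16 bytes")
    padded = nthash + b"\x00" * 5
    k1, k2, k3 = (ntlm_to_deskey(padded[i:i + 7]) for i in (0, 7, 14))
    return k1, k2, k3


def reconstruct_nthash(k1: bytes, k2: bytes, k3: bytes) -> Optional[bytes]:
    """Converter direction: K1, K2, K3 -> PT1 + PT2 + PT3[:2].

    Returns None when K3 cannot come from an NT-hash: PT3 is only 2 bytes, so
    the last 5 bytes of deskey_to_ntlm(K3) must be the zero padding.
    """
    pt1, pt2, pt3 = (deskey_to_ntlm(k) for k in (k1, k2, k3))
    if pt3[2:] != b"\x00" * 5:
        return None
    return pt1 + pt2 + pt3[:2]


def candidate_nthashes(ka: bytes, kb: bytes, k3: bytes) -> List[bytes]:
    """hashcat -m 14000 does not say which cracked key is K1 and which is K2, so
    both orderings give a candidate; the Converter's DES-ECB check against
    CT1/CT2 decides which one is right."""
    both = (reconstruct_nthash(ka, kb, k3), reconstruct_nthash(kb, ka, k3))
    return [h for h in both if h is not None]


# Constructed NT-hash (not a real account's hash), used only to show the round trip.
SAMPLE_NTHASH = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    k1, k2, k3 = nthash_to_deskeys(SAMPLE_NTHASH)
    print("K1 K2 K3:", k1.hex(), k2.hex(), k3.hex())
    print("PT3 + padding:", deskey_to_ntlm(k3).hex())
    print("rebuilt NT-hash:", reconstruct_nthash(k1, k2, k3).hex())
    # One of the two keys from the page's hashcat output example, repacked into
    # a 7-byte NT-hash part candidate (K1 or K2: hashcat does not tell).
    print("repacked page key:", deskey_to_ntlm(bytes.fromhex("93D9F1C5274F55BB")).hex())
```

The parity bit only matters in the Generator direction: deskey_to_ntlm ignores it, so keys with or without correct parity repack to the same NT-hash bytes.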

How to obtain DES-keys K1 and K2?
Three methods are possible:

  1. To obtain the DES-keys K1 and K2, the first method is to submit the authentication token to the Hash-Shucking module. If a collision with an NT-hash from the HaveIBeenPwned database is obtained, all key details are delivered (K1, K2, K3 and the corresponding NT-hash).
  2. The second method consists of submitting the token to the Crack.sh online service in an appropriate format (which may be a paid service), in order to obtain the NT-hash in return. Once you have this NT-hash, it can be entered in the Generator to retrieve all the DES keys K1, K2 and K3. This method is 100% guaranteed regardless of the complexity of the authentication token's password.
  3. If the Hash-Shucking module does not give a result, and you don't want to use Crack.sh, a third method is possible by using the DES-KPA (DES Known Plaintext Attack) mode of Hashcat (14000). This method is 100% guaranteed regardless of the complexity of the authentication token password.

    Using this mode requires an input file (inputs.txt) consisting of two lines as follows:
    #CT1:finalChallenge
    #CT2:finalChallenge
    #Example:
    70C249F75FB6D2C0:C85086419358F950
    AC2C2D3808386CCA:C85086419358F950
    
    Then, it is possible to launch Hashcat to break the 2 DES keys K1 and K2 as follows (K3 is instantly brute-forced via the Converter):
    hashcat -m 14000 -a 3 inputs.txt --hex-charset -1 /usr/share/hashcat/charsets/DES_full.hcchr ?1?1?1?1?1?1?1?1
    
    This process can take several days, depending on the computing power (CPU, GPU, etc.) allocated to Hashcat. My tests with an NVidia RTX 3080 Ti graphics card / i7 12th Gen / 32 GB RAM lasted at most 15 days, i.e. 7.5 days on average, to obtain the two keys K1 and K2.
    70C249F75FB6D2C0:C85086419358F950:$HEX[93D9F1C5274F55BB]
    AC2C2D3808386CCA:C85086419358F950:$HEX[B9E599C1BBDD47C5]
    #93D9F1C5274F55BB is K1 (or K2?)
    #B9E599C1BBDD47C5 is K2 (or K1?)
    
    Once the corresponding keys have been obtained, all you have to do is enter them in the Converter form in addition to the initial token, to have the corresponding NT-hash.

    Warning: Hashcat does not distinguish "K1" from "K2", so it is possible that they are reversed (K2 then K1). Try both combinations to produce candidate NT-hashes in the Converter.
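As an added example (not Shuck.sh code), this Python dissects a NetNTLMv1 token as in steps 1 to 3 of the Explanation, derives the other formats of the compatibility table from the final challenge, writes the two inputs.txt lines for hashcat -m 14000, and reads hashcat's CT:challenge:$HEX[key] output lines back into a CT-to-key map. The two tokens are constructed values (not real captures); the hashcat output lines are the ones shown above on this page; the function and field names are this example's own. No DES is needed for any of this, and the DES-ECB check of the keys is left to the Converter (or hashcat).

```python
import hashlib
import re
from typing import Dict, List

# login::domain:lmresp:ntresp:clientChall (the NetNTLMv1 line format of the table)
TOKEN_RE = re.compile(
    r"^([^:]*)::([^:]*):([0-9a-fA-F]{48}):([0-9a-fA-F]{48}):([0-9a-fA-F]{16})$"
)
# One result line of hashcat -m 14000: CT:challenge:$HEX[key]
OUT_RE = re.compile(r"^([0-9a-fA-F]{16}):([0-9a-fA-F]{16}):\$HEX\[([0-9a-fA-F]{16})\]$")


def dissect(token: str) -> Dict[str, str]:
    """Split a NetNTLMv1 token into CT1/CT2/CT3 and compute the final challenge."""
    m = TOKEN_RE.match(token.strip())
    if not m:
        raise ValueError("expected login::domain:lmresp:ntresp:clientChall")
    login, domain = m.group(1), m.group(2)
    lmresp, ntresp, client_chall = (g.lower() for g in m.groups()[2:])
    # ESS/SSP is in use when the LM-response is an 8-byte challenge padded with zeros.
    ess = lmresp[16:] == "0" * 32
    if ess:
        server_chall = lmresp[:16]
        # Final challenge = md5(clientChall + serverChall)[0:16], with the page's
        # naming of the two challenges (the token's last field is "clientChall").
        digest = hashlib.md5(bytes.fromhex(client_chall + server_chall)).hexdigest()
        final_chall = digest[:16]
    else:
        server_chall = ""
        final_chall = client_chall
    return {
        "login": login, "domain": domain, "lmresp": lmresp, "ntresp": ntresp,
        "client_chall": client_chall, "server_chall": server_chall,
        "ess": "yes" if ess else "no", "final_chall": final_chall,
        "ct1": ntresp[0:16], "ct2": ntresp[16:32], "ct3": ntresp[32:48],
    }


def other_formats(d: Dict[str, str]) -> Dict[str, str]:
    """The other formats of the table, built from the final challenge: once that
    challenge is known, DES-ECB(Kn, FinalChallenge) == CTn holds whether or not
    ESS/SSP was used, so the response can be written as a plain pair."""
    out = {
        "NetNTLMv1": f"{d['login']}::{d['domain']}:{d['lmresp']}:{d['ntresp']}:{d['client_chall']}",
        "$NETNTLM$": f"$NETNTLM${d['final_chall']}${d['ntresp']}",
        "$MSCHAPv2$": f"$MSCHAPv2${d['final_chall']}${d['ntresp']}${d['login']}",
    }
    if d["final_chall"] == "1122334455667788":
        out["NTHASH"] = "NTHASH:" + d["ntresp"]  # the fixed-challenge form of the table
    return out


def hashcat_14000_inputs(d: Dict[str, str]) -> List[str]:
    """The two-line inputs.txt (CT1 and CT2 only: K3 is brute-forced from PT3 instead)."""
    return [f"{d['ct1']}:{d['final_chall']}", f"{d['ct2']}:{d['final_chall']}"]


def parse_hashcat_output(lines: List[str]) -> Dict[str, str]:
    """Map each cracked CT to its DES key. hashcat does not say which key is K1
    and which is K2, so both orderings must be tried in the Converter."""
    found = {}
    for line in lines:
        m = OUT_RE.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(3).lower()
    return found


# Constructed tokens (not real captures): the same NT-response, without and with ESS/SSP.
NTRESP = "a0a1a2a3a4a5a6a7b0b1b2b3b4b5b6b7c0c1c2c3c4c5c6c7"
SAMPLE_NOESS = f"user::LAB:d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7:{NTRESP}:0011223344556677"
SAMPLE_ESS = f"user::LAB:8899aabbccddeeff{'0' * 32}:{NTRESP}:0011223344556677"
# hashcat -m 14000 result lines as shown on this page.
PAGE_HASHCAT_OUTPUT = [
    "70C249F75FB6D2C0:C85086419358F950:$HEX[93D9F1C5274F55BB]",
    "AC2C2D3808386CCA:C85086419358F950:$HEX[B9E599C1BBDD47C5]",
]

if __name__ == "__main__":
    for tok in (SAMPLE_NOESS, SAMPLE_ESS):
        d = dissect(tok)
        print("ESS/SSP:", d["ess"], " final challenge:", d["final_chall"])
        print("\n".join(hashcat_14000_inputs(d)))
        for name, fmt in other_formats(d).items():
            print(f"  {name}: {fmt}")
    print(parse_hashcat_output(PAGE_HASHCAT_OUTPUT))
```

The $99$ form is not produced here because it embeds PT3, which comes out of the K3 brute-force (a DES step); everything else in the table is a pure re-labelling of the same bytes.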
Password complexity: These methods are intended to recover the NT-hash corresponding to an authentication token, not the plaintext password. They are therefore effective whatever the complexity of the initial password (of a "user account" or "computer account" in Active Directory), which remains unknown. But having the NT-hash is enough, especially for a Pass-the-Hash attack.

Compatibility & Formats:
The output results are in various formats, summarized in the following table with their tool compatibility.

Token Format / Type / Shuck.sh / Crack.sh / HashCat / Description

Token format: login::domain:lmresp:ntresp:clientChall
  Pattern: *::*:[a-fA-F\d]{48}:[a-fA-F\d]{48}:[a-fA-F\d]{16}
  Prefix: N/A / Delimiter: ":" / Hex / Optional login, domain, lmresp
  Type: NetNTLMv1-noESS/SSP
  Shuck.sh: Ready to be shucked freely!
  Crack.sh: Incompatible format / requires conversion
  HashCat: Yes, mode 5500 / 27000 or 14000
  Description: NET(NT)LM hashes captured with a random challenge without ESS/SSP.

Token format: login::domain:lmresp(serverChall+0padding):ntresp:clientChall
  Pattern: *::*:[a-fA-F\d]{16}[0]{32}:[a-fA-F\d]{48}:[a-fA-F\d]{16}
  Prefix: N/A / Delimiter: ":" / Hex / Optional login, domain
  Type: NetNTLMv1-ESS/SSP
  Shuck.sh: Ready to be shucked freely!
  Crack.sh: Incompatible format / requires conversion
  HashCat: Yes, mode 5500 / 27000 or 14000
  Description: NET(NT)LM hashes captured with a random challenge with ESS/SSP (server challenge in LMresp with 0's padding).

Token format: (LM|NT)HASH:ntresp
  Pattern: (LM|NT)HASH:[a-fA-F\d]{48}
  Prefix: (LM|NT)HASH / Delimiter: ":" / Hex
  Type: NET(NT)LM
  Shuck.sh: Ready to be shucked freely!
  Crack.sh: FREE/$20-$200
  HashCat: Incompatible format / requires conversion
  Description: NET(NT)LM with the 1122334455667788 challenge without ESS/SSP.

Token format: $NET(NT)?LM$challenge$ntresp
  Pattern: $NET(NT)?LM$[a-fA-F\d]{16}$[a-fA-F\d]{48}
  Prefix: $NET(NT)?LM$ / Delimiter: "$" / Hex
  Type: NET(NT)LM
  Shuck.sh: Ready to be shucked freely!
  Crack.sh: $20-$200
  HashCat: Incompatible format / requires conversion
  Description: NET(NT)LM hashes captured with a random challenge.

Token format: $99$b64encode(hex2bin(challenge+{ntresp=CT1+CT2+PT3}))
  Pattern: $99$[a-zA-Z\d\+/]{35}=
  Prefix: $99$ / Delimiter: "$" / Base64
  Type: ChapCrack
  Shuck.sh: Ready to be shucked freely!
  Crack.sh: $20-$200
  HashCat: Incompatible format / requires conversion
  Description: PPTP VPN and WPA-Enterprise MSCHAPv2 authentication captures.

Token format: $MSCHAPv2$challenge$ntresp$(login)?
  Pattern: $MSCHAPv2$[a-fA-F\d]{16}$[a-fA-F\d]{48}$*
  Prefix: $MSCHAPv2$ / Delimiter: "$" / Hex / Optional username
  Type: MSCHAPv2
  Shuck.sh: Ready to be shucked freely!
  Crack.sh: Incompatible format / requires conversion
  HashCat: Incompatible format / requires conversion
  Description: PPTP VPN and WPA-Enterprise MSCHAPv2 authentication captures.

How to convert formats?
To convert an authentication token from one format to another, simply submit it (free of charge) to the Hash-Shucking module, or use the Converter to follow the algorithm's dissection step by step.


100% Success NOT Guaranteed
Shuck.sh cannot guarantee 100% results, unlike Crack.sh, which guarantees that it will produce a working key for every submitted job. The processing carried out by Shuck.sh relies on the databases provided by HaveIBeenPwned and therefore depends on the data leaks recorded in those databases at a given time. Shuck.sh aims to minimize the time needed to obtain an NT-hash from a DES-based authentication token, without claiming to be exhaustive. For completeness, it is recommended to turn to the excellent Crack.sh service.

Disclaimer
Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information on this website can result in criminal charges being brought against the persons in question. The authors and Shuck.sh will not be held responsible in the event that any criminal charges are brought against any individuals misusing the information on this website to break the law.
This site contains materials that can be potentially badly used. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then LEAVE NOW! Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions.

© Copyright 2023+ ycam | shuck.sh is a free service developed and maintained by Yann CAM, Independent CyberSecurity Consultant, and is provided for research purposes only.