So, you pillaged a domain controllers hashes…

So you’ve managed to find your way to a domain controller, perhaps used metasploits meterpreter, perhaps got system, migrated to lsass.exe and perhaps were able to use incognito to smart_hashdump and nab all the password hashes.  Well, you can hand those off to john the ripper and it will happily crack the LM portion of what you’ve got – but you’ll end up with a bunch of uppercase passwords.

Enter – a dandy little perl script that will take the uppercase password and use it as a dictionary to crack the NTLM password for you. Only trouble is that since it was written, the awesome guys  at openwall who develop john the ripper have changed the output format of cracked password files. The lm2ntcrack input format was written for a ~2009 version of JtR, so to get it properly working someone had to go and make a tiny tweak in the script where it analyzes the syntax/order of the input file.

So I did it! First time, actually, that I’ve done something like this. And it appears to work! – at least it works on the ntlm hashes I have from a demo network.


Anyhow, here’s my updated copy of the script –


Save that as a .pl file (it’s a .txt so it doesn’t get run on the site).

Feedback welcome!

Leave a Reply

Your email address will not be published. Required fields are marked *