# NTLM, NTLMv2

Windows New Technology LAN Manager (NTLM) is a suite of security protocols.

### Hash Formats <a href="#hash-formats" id="hash-formats"></a>

The NTLM hash format is a bit comfused, but it looks like the following.\
When cracking, we can copy them as they are and paste it.

```shellscript
# NTLM
b4b9b02e6f09a9bd760f388b67351e2b

# NTLMv2 (NetNTLMv2)
admin::EXAMPLE:aaaaaaaaaaaaaaaa:05e616169cf91bd88952bc3ef021dbaf:010100000000000080fc3d82a538d90182f1dba634ba98dd000000000100100053006b005400410052006e00520064000300100053006b005400410052006e0052006400020010006700480068007500670042006200470004001000670048006800750067004200620047000700080080fc3d82a538d901060004000200000008003000300000000000000000000000003000007c8dad06f879f804f9ee43a11aeaf5bf40609db4020697af76cd06f80d81241b0a0010000000000000000000000000000000000009001a0063006900660073002f00310030002e0032002e0034002e0033000000000000000000
```

### Decrypt <a href="#decrypt" id="decrypt"></a>

There are online cracking tools sucy as [CrackStation](https://crackstation.net/) available.

Using **John TheRipper**, it might work without specyfing the hash format by detecting automatically, so try the following command.

```shellscript
john --wordlist=wordlist.txt hash.txt
```

#### NTLM <a href="#ntlm" id="ntlm"></a>

```shellscript
john --format=nt --wordlist=wordlist.txt hash.txt

hashcat -m 1000 -a 0 hash.txt wordlist.txt
```

#### NTLMv2 <a href="#ntlmv2" id="ntlmv2"></a>

```shellscript
john --format=netntlmv2 --wordlist=wordlist.txt hash.txt

hashcat -m 5600 -a 0 hash.txt wordlist.txt
```

### Pass The Hash <a href="#pass-the-hash" id="pass-the-hash"></a>

Also we can use NTLM hashes to login Windows system via some protocol such as WinRM.