Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Attacking the first part

Precomputing tables for NTLM has just been declared pretty much impossible with todays computing resources. The problem is pre-computing every possible hash value (and then, of course storing those values even if computation was possible). By applying a trick to remove the challenge from the equation however, precomputing NTLM hashes becomes almost as easy as the creation of LM tables. By writing a rogue CIFS server that hands out the same static challenge to every client that tries to connect to it, the problem has static values all over the place once again, and hashtable precomputation becomes possible.

The following screenshot depicts a proof of concept implementation that accepts an incoming CIFS connection, goes through the protocol negotiation phase with the connecting client, sends out the static challenge, and disconnects the client after receiving username and NTLM hash from it. The server also logs some more information that the client conveniently sends along.

IceDragon wincatch # bin/wincatch
This is Alpha stage code from nologin.org
Distribution in any form is denied

Username: Testuser
Primary Domain: BARRIERICE
Native OS: Windows 2002 Service Pack 2 2600
Long Password Hash:

That's a Windows XP machine connecting to the rogue server running on Linux. The client is connecting from IP address The username is ``Testuser'', the name of the host is ``BarrierIce'', and the password hash got captured too of course.