Starting with the release of Hydra v4.1, the SMBNT module was broken. Whoever modified the module to use MD4 from OpenSSL rather than libdes failed to notice that OpenSSL's MD4Update function expects the input length in bytes, not bits. This completely broke normal password checking. It should not, however, have affected the module's pass-the-hash ability.
The following patch should fix this issue:
While figuring out what was broken in the module, I made several additional modifications to the code. Here they are, in no particular order:
THC.org has released v3.0 of Hydra. Unfortunately, they broke my parallel patch when they applied it. Below is a link to a patch which attempts to fix some of the bugs they introduced to the code. The patch also modifies how the SMBNT module works. A user can now control whether the local workstation accounts are checked or if the workstation being tested should check its domain controller.
Let me know if there are any issues with this patch.
I make no claims that any of this code will work for anyone, including myself. I am not some 31337 c0der, just a lame PERL script kiddie who is trying to learn some C. As with most free code, if this breaks, you can keep both pieces. Please let me know if any bugs crawl out or if these mods are actually useful.
This code allows Hydra to directly test NTLM hashes against a Windows host. This may be useful for an auditor who has acquired a sam._ or pwdump file and would like to quickly determine which are valid entries. This module can also be used to test SMB passwords against devices that do not allow clear-text LanMan passwords.
The "-m 'METHOD'" option is required for this module. The following are valid methods: L, LH, D, DH, B, BH and M (in quotes).
Be careful of mass domain account lockout with this. For example, assume you are checking several accounts against many domain workstations. If you are not using the 'L' option and these accounts do not exist locally on the workstations, each workstation will in turn check its respective domain controller. This could cause a bunch of lockouts. Of course, it'd look like the workstations, not you, were doing it. ;)
**FYI, this code is unable to test accounts on default XP hosts which are not part of a domain and do not have normal file sharing enabled. Default XP does not allow shares and returns STATUS_LOGON_FAILED for both valid and invalid credentials. XP with simple sharing enabled returns SUCCESS for both valid and invalid credentials. If anyone knows a way to test in these configurations...
Hash Example 1: Full pwdump check
hydra -C test.pwdump server smbnt -m 'LH'
Hash Example 2: Individual user check
hydra -l foo -P test.pwdump server smbnt -m 'LH'
Hash Example 3: Individual user/pass check
hydra -l foo -p 1066:26390A40CF5AD25A4830DADF5E5D5E23:4209547164BF4A6740BF437D1482C58F::: server smbnt -m 'LH'
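As an added example (not the patch author's code and not Hydra's), here is what the module's normal mode computes and what the pwdump entries above look like: a self-contained MD4 so it runs offline, the NT hash as MD4 over the UTF-16LE password, and a parser for the 'user:rid:LM:NT:::' lines (or the 'rid:LM:NT:::' form given to -p together with -l). The sample entry, its hash values and the helper names are constructed here; note that every length this code hands to MD4 is a byte count, which is precisely what the v4.1 module got wrong.

```python
import struct
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data):
    """Pure-Python MD4 (RFC 1320); every length handled here is a BYTE count."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # word acting as "a" this step rotates a, d, c, b, ...
                b, c, d = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _rotl((v[j] + fn(b, c, d) + X[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + w) & 0xFFFFFFFF for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password, unsalted (as the SMBNT module computes it)."""
    return md4(password.encode("utf-16-le")).hex().upper()

def parse_pwdump(line, login=None):
    """Parse 'user:rid:LM:NT:::' or, with login given, the 'rid:LM:NT:::' form
    passed to -p together with -l.  Returns (user, LM, NT) with hashes upper-cased."""
    fields = line.strip().split(":")
    if login is None:
        user, _rid, lm, nt = fields[:4]
    else:
        user, (_rid, lm, nt) = login, fields[:3]
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("LM and NT fields must be 32 hex characters each")
    return user, lm.upper(), nt.upper()

def password_matches(line, password, login=None):
    """Normal (non-hash) mode boiled down: hash the candidate, compare to the NT field."""
    return nt_hash(password) == parse_pwdump(line, login)[2]

# Constructed sample entry: user 'foo', empty LM hash, NT hash of the word "password".
SAMPLE_LINE = "foo:1066:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:::"
```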
**Patch is against a clean Hydra 2.4 for SMB NTLM Password/HASH support only
The purpose of this patch is to add functionality to the Hydra core to allow scanning multiple hosts concurrently. Currently, Hydra performs parallel logins to a single host. Now a user can execute parallel logins to parallel hosts. This greatly increases the speed at which one can lock accounts. ;)
Example: Check for usable entries in pwdump file
hydra -C test.pwdump -M windows_hosts.txt -T 8 smbnt -m 'LH'
This example will test each user listed in the test.pwdump file along with that user's respective NTLM hash against each host in windows_hosts.txt. The '-T 8' option causes Hydra to maintain 8 parallel scans until the server list is
This patch also includes:
Reading servers from text file
Using the '-M FILE' option, a user can feed Hydra a list of servers to scan. This can be used for scanning multiple servers concurrently (with -T) or sequentially (default).
Displaying current login attempt
The '-X' option will display current information about each logon attempt, such as: username, password, attempt number and server.
Example '-X' output
New pair: host: "192.168.0.100" login "foo" - pass "bar" (1 of 1 completed)
**Patch is against a clean Hydra 2.4 and includes SMB NTLM Password/HASH patch
Added the ability to use the '-l' option to specify a username if the Cisco device being tested uses AAA. The code is also reworked a bit so that it keeps sending the 'ena' string over the existing connection rather than starting a new connection for each password check. This is significantly faster.