NTLM
I use NTLM database with hashes to check compromised Windows AD passwords. It works well for English passwords, but if there are characters from different languages, it does not work correctly. I will explain with an example. There is a password "kuddüs198485". It is present in the database by hash 81b18336e12676fc38dad6277e2b43bc. But in Windows it is under hash 1d1ec1ceba98e91df2ed534cdf8f447f and this hash is not in the database. Windows uses the algorithm MD4(UTF-16LE (password)). I understand that you use a different algorithm. I also made a demo example which also shows that the correct hash is 1d1ec1ceba98e91df2ed534cdf8f447f.
string ntlmHashUtf16Le = GetNtlmHash("kuddüs198485", Encoding.Unicode);
static string GetNtlmHash(string password, Encoding encoding)
{
byte[] passwordBytes = encoding.GetBytes(password);
var md4 = new MD4Digest();
md4.BlockUpdate(passwordBytes, 0, passwordBytes.Length);
byte[] hashBytes = new byte[md4.GetDigestSize()];
md4.DoFinal(hashBytes, 0);
return BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
}
Could you explain what algorithm you use? If another algorithm is used, is it possible to provide a database according to the MD4(UTF-16LE (password)) algorithm?
Aliaksandr Valenta
shared this idea
That doesn't appear to be the correct NTLM hash, try here: https://codebeautify.org/ntlm-hash-generator
-
Hash 71EC1234D30EE9556B956406A69EE76F is not in the database. But the password kuddüs198485 is compromised. I believe that it came to you via hash 81b18336e12676fc38dad6277e2b43bc
-
There’s something different about your encoding, I’m getting 71EC1234D30EE9556B956406A69EE76F
-
I used your code (https://github.com/HaveIBeenPwned/PwnedPasswordsAzureFunction/blob/main/Shared/HaveIBeenPwned.PwnedPasswords.Shared/Hash.cs) to get the hash and it gives me the same result 1d1ec1ceba98e91df2ed534cdf8f447f
string ntlmHashHIBP = HashExtensions.CreateNTLMHash(password);
Console.WriteLine($"HIBP: {ntlmHashHIBP}");