SMB, NTLM, & Google: SecDSM January MiniCTF Solution

SecDSM meets every third Thursday of the month at The Forge.

SecDSM has a mini-CTF challenge for the attendees to complete during their monthly meetups.

This month was a forensics challenge. The challenge site is still up so feel free to download the pcap and follow along in Wireshark.

Opening up the pcap and just looking through it, you can see that this is traffic from the user connecting to an SMB share and maybe doing other stuff. Full disclosure, I don't (or didn't, I know more now) know much about the inner workings of SMB or how to even begin to crack an SMB password using a pcap. Enter Google. I'm fairly certain the exact terms I typed in were "NTLM SMBv2 password cracking". Anyway, I found this handy article by shellgam3 with step-by-step instructions detailing exactly what I needed to do. You should read the article for more details on the steps I take here.

First, I'm going to filter down Wireshark to show me only the packets I need by filtering using "ntlmssp"

Let's begin by looking packet #15 and taking note of a few things: NTLM Response, User name, and Domain name.

NTLM Response (Copied as hex stream):


User Name:

Domain Name:

Move to packet #14 and get the NTLM Server Challenge (Copied as value)

Putting this all together to create the NTLM hash, we end up with:


Notice that the spot where the Domain Name should go (between the 2nd and 3rd colons) is blank because Domain Name is NULL.

The next step is to run the hash through hashcat using a wordlist, but I didn't have a wordlist and the wordlist I tried (randomly from the internet) didn't work. That's when "This is a forensics challenge" clicked for me. There must be something else in the pcap to tell me what wordlist to use. So let's clear the 'ntlmssp' filter and take a look. Scrolling down the pcap, we see mention of a file called being created. In Wireshark, we can easily export files that are seen in the traffic.
File > Export Objects > SMB
Now that we have the password list we need (after unzipping it), we can use it for hashcat. See the final result below.


#Winning or Nah.

Very exciting to be the first one to solve the challenge and pick up a nice Palo Alto pull over in the process. However, that excitement was short lived because moments later there was another tweet.

Some people just want to watch the world burn. Back to work we go.

Looking through the same pcap, we really need to pay attention to what we're seeing in the traffic. What is the user doing? If we filter on the 'smb2' traffic and begin going through the packets, we see 'SMB2_FIND_ID_FULL_DIRECTORY_INFO Pattern: *'. A quick Google search will tell you that this command will list all of the files in a directory and their associated file ids. Looking at the Find Response, we noticed a familiar name -- 00passwordlist.

Let's convert that hex to ascii to get a better idea of what we're seeing.

eÓ€À.XHÎ;ÓHÎ;Óù.n‘cÓù.n‘cÓ..`I'{‘cÓšOý‘cÓI'{‘cÓI'{‘cÓ€À@Recycleh؛45dÓ§–¦dÓÆÉç¡dÓÆÉç¡dÓ "€À.DS_Storepà‡dÓ<‚T¿<‚T¿<‚T¿€Àfbi_files_ZV9ixÿpíldÓ<‚T¿<‚T¿<‚T¿$€Àzapruder_film_dXN9xÁübdÓ<‚T¿<‚T¿<‚T¿$€Àufo_documents_Ym9ux‡¦dÓ<‚T¿<‚T¿<‚T¿"
€Àcia_missions_Z3tmx¦ÕdÓšX@GgÓ¦ÕdÓ¦ÕdÓr  $€À00passwordlist.zippRcšdÓ<‚T¿<‚T¿<‚T¿	€Ànsa_toolz_dXRfˆßŸo¹dÓ<‚T¿<‚T¿<‚T¿2€Àbitcoin_private_keys_ZmxhN%±\eÓ<‚T¿<‚T¿<‚T¿.€Àdirt_on_zoomequipd_YWxz

This is the point I got to before the first people got it. The rest is their solution

Now we can see the filenames and that they are follow by an underscore and 4 characters:

If you put the files in alphabetical order and then combine the trailing 4 characters you get a long string.


I put this in a file and used the command line to base64 decode the string to find the flag.

$ base64 -D -i  base64hash.txt 


Wireshark (
HashCat (


Capturing And Cracking NTLMv2 Hashes On The LAN by shellgam3

Antoinette Stevens

Antoinette Stevens

Writing about tech and security.

comments powered by Disqus