Cybersecurity · Network Hash Capture and Cracking

Network Hash Capture and Cracking

Capture an NTLMv2 hash with Responder on a segmented LAN and crack it with Hashcat.

View this project on GitHub

Overview

This lab demonstrates how Responder captures NTLMv2 authentication over the network, and how Hashcat can be used to attempt password recovery from the captured hash.

Environment: Windows 10 target and attacker tooling on a segmented lab LAN (to avoid production impact).

Step 1 — Start Responder (Listening)

Launch Responder on the attack host (e.g., interface eth0) to poison LLMNR/NetBIOS and await authentication attempts.

Responder listening (setup step 1)
Responder initialized and listening.
Responder listening (setup step 2)
Services enabled for capture.

Step 2 — Trigger & Capture NTLMv2 Hash

From the Windows target, attempt to access a nonexistent host (e.g., \\server01\share). Responder poisons the broadcast resolution and intercepts the authentication to capture the NTLMv2 hash.

Triggering authentication to nonexistent server
Responder captures challenge/response
Captured NTLMv2 hash displayed
Confirming captured hash on disk

Step 3 — Crack with Hashcat

Copy the captured NTLMv2 hash into a text file and run Hashcat with a wordlist to attempt recovery of the plaintext password.

Hashcat: preparing input hash file
Hashcat: command setup
Hashcat: cracking in progress
Hashcat: candidates tested
Hashcat: session status
Hashcat: recovered credential
Hashcat: final output verification

Back to Home