From df819a860d2b3cac3b9ae5a55f9d4e54311706e5 Mon Sep 17 00:00:00 2001
From: noraj
Date: Wed, 15 Dec 2021 17:03:27 +0100
Subject: [PATCH] NetNTLM (vanilla + NT) fix #92
---
 data/prototypes.json | 45 ++++++++++++++++++++++++++++++++++++++++-----
 docs/CHANGELOG.md | 9 +++++++++
 2 files changed, 49 insertions(+), 5 deletions(-)
diff --git a/data/prototypes.json b/data/prototypes.json
index 795f6ae..2cd0d8a 100644
--- a/data/prototypes.json
+++ b/data/prototypes.json
@@ -2352,24 +2352,59 @@
 ]
 },
 {
- "regex": "^[^\\\\\\/:*?\"<>|]{1,20}[:]{2,3}([^\\\\\\/:*?\"<>|]{1,20})?:[a-f0-9]{48}:[a-f0-9]{48}:[a-f0-9]{16}$",
+ "regex": "^[^\\/:*?\"<>|]{0,60}::[^\\/:*?\"<>|]{0,45}:[a-f0-9]{0,48}:[a-f0-9]{48}:[a-f0-9]{16}$",
 "modes": [
 {
- "john": "netntlm",
+ "john": "netntlm / netntlm-naive",
 "hashcat": 5500,
 "extended": false,
- "name": "NetNTLMv1-VANILLA / NetNTLMv1+ESS"
+ "name": "NetNTLMv1 / NetNTLMv1+ESS (vanilla)",
+ "samples": [
+ "u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c",
+ "CORP\\Administrator:::25B2B477CE101D83648BB087CE7A1C217F51C7FC64C0EBB1:C8BD0C1630A9ECF7A95F494A8F0B2CB4A3F25B1225514304:1122334455667788",
+ "DOMAIN\\User:::c70e4fb229437ef300000000000000000000000000000000:abf7762caf2b1bbfc5cfc1f46665249f049e0af72ae5b5a9:24ca92fdab441aa4",
+ "ESS:::4765f360625700b000000000000000000000000000000000:81f5ecd8a77fe819f7f6689a08a27ac705fc2e1bb00cecb2:c75c20bff9baa71f"
+ ]
+ },
+ {
+ "john": "netntlm / netntlm-naive",
+ "hashcat": 27000,
+ "extended": false,
+ "name": "NetNTLMv1 / NetNTLMv1+ESS (NT)",
+ "samples": [
+ "::5V4T:ada06359242920a500000000000000000000000000000000:0556d5297b5daa70eaffde82ef99293a3f3bb59b7c9704ea:9c23f6c094853920"
+ ]
 }
 ]
 },
 {
- "regex": "^([^\\\\\\/:*?\"<>|]{1,20}\\\\)?[^\\\\\\/:*?\"<>|]{1,20}[:]{2,3}([^\\\\\\/:*?\"<>|]{1,20}:)?[^\\\\\\/:*?\"<>|]{1,20}:[a-f0-9]{32}:[a-f0-9]+$",
+ "regex": "^[^\\/:*?\"<>|]{0,60}::[^\\/:*?\"<>|]{0,45}:[a-f0-9]{16}:[a-f0-9]{32}:[a-f0-9]{2,1024}$",
 "modes": [
 {
 "john": "netntlmv2",
 "hashcat": 5600,
 "extended": false,
- "name": "NetNTLMv2"
+ "name": "NetNTLMv2 (vanilla)",
+ "samples": [
+ "admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030",
"ntlmv2test::WORKGROUP:1122334455667788:07659A550D5E9D02996DFD95C87EC1D5:0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000",
+ "USER1::Domain:1122334455667788:5E4AB1BF243DCA304A00ADEF78DC38DF:0101000000000000BB50305495AACA01338BC7B090A62856000000000200120057004F0052004B00470052004F00550050000000000000000000",
+ "TESTWORKGROUP\\NTlmv2:::1122334455667788:07659A550D5E9D02996DFD95C87EC1D5:0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000",
+ "NTlmv2::TESTWORKGROUP:1122334455667788:07659A550D5E9D02996DFD95C87EC1D5:0101000000000000006CF6385B74CA01B3610B02D99732DD000000000200120057004F0052004B00470052004F00550050000100200044004100540041002E00420049004E0043002D0053004500430055005200490000000000",
+ "TestUser::W2K3ADWIN7:1122334455667788:989B96DC6EAB529F72FCBA852C0D5719:01010000000000002EC51CEC91AACA0124576A744F198BDD000000000200120057004F0052004B00470052004F00550050000000000000000000",
+ "user::W2K3ADWIN7:1122334455667788:5BD1F32D8AFB4FB0DD0B77D7DE2FF7A9:0101000000000000309F56FE91AACA011B66A7051FA48148000000000200120057004F0052004B00470052004F00550050000000000000000000",
+ "W2K3ADWIN7\\user1:::1122334455667788:027EF88334DAA460144BDB678D4F988D:010100000000000092809B1192AACA01E01B519CB0248776000000000200120057004F0052004B00470052004F00550050000000000000000000",
+ "W2K3ADWIN7\\TEST_USER:::1122334455667788:A06EC5ED9F6DAFDCA90E316AF415BA71:010100000000000036D3A13292AACA01D2CD95757A0836F9000000000200120057004F0052004B00470052004F00550050000000000000000000"
+ ]
+ },
+ {
+ "john": "netntlmv2",
+ "hashcat": 27100,
+ "extended": false,
+ "name": "NetNTLMv2 (NT)",
+ "samples": [
+ "0UL5G37JOI0SX::6VB1IS0KA74:ebe1afa18b7fbfa6:aab8bf8675658dd2a939458a1077ba08:010100000000000031c8aa092510945398b9f7b7dde1a9fb00000000f7876f2b04b700"
+ ]
 }
 ]
 },
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 657f596..43213c2 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -21,6 +21,14 @@
 - SNMPv3 HMAC-SHA384-256
 - SNMPv3 HMAC-SHA512-384
 - Ruby on Rails Restful Auth (one round, no sitekey) [#91][#91]
+ - NetNTLM (NT) [#92][#92]
+ - NetNTLMv1 / NetNTLMv1+ESS (NT)
+ - NetNTLMv2 (NT)
+- Enhancements:
+ - NetNTLM (vanilla)
+ - Better regexp
+ - Better description
+ - Add samples
 - Chore:
 - MFA required for gem release
 - Better publishing documentation
@@ -33,6 +41,7 @@
 [#89]:https://github.com/noraj/haiti/issues/89
 [#88]:https://github.com/noraj/haiti/issues/88
 [#91]:https://github.com/noraj/haiti/issues/91
+[#92]:https://github.com/noraj/haiti/issues/92
 ## [1.2.2]
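Review bot: Both new patterns write every hex field as `[a-f0-9]`, but several added samples use upper-case hex (the `CORP\\Administrator:::25B2B477…` NetNTLMv1 sample and all NetNTLMv2 vanilla samples except `admin::…`), so they match only if the code that loads prototypes.json compiles the patterns case-insensitively. That loader is outside this diff, as is the start of the enclosing prototype array. Please confirm it, or make the data self-contained by widening the classes to `[a-fA-F0-9]`, so another consumer of this file does not silently miss captured hashes in upper-case form. Separately, `"john": "netntlm / netntlm-naive"` packs two format names into one string; if any consumer passes this field to a tool as a format identifier it will no longer be a valid name, so a single value such as `"john": "netntlm"` with the alternative noted in `name` may be safer. The NetNTLMv1 LM field `[a-f0-9]{0,48}` also accepts any length up to 48, including odd lengths, whereas every sample shows exactly 48 digits; presumably that range is intentional, but it is worth confirming.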