Ntlm-hash-decrypter
If you are looking for such a tool for security auditing, be aware of the distinction:
Commonly Used Tools:
Using a single high-end GPU (RTX 4090) with Hashcat:
| Password complexity | Time to crack |
|---------------------|----------------|
| password123 (dictionary) | < 1 second |
| P@ssw0rd (common + rules) | < 1 second |
| 8 random lowercase | ~2 hours |
| 8 random alphanumeric | ~2 weeks |
| 10 random full ASCII | ~200 years |
| 12+ random full ASCII | millions of years |
Thus, strong passwords are effectively "undecryptable."
Basic usage:
john --format=nt --wordlist=rockyou.txt hash.txt
You guess a password candidate → hash it (MD4) → compare it to the target hash. If it matches, you have found the password.
Take a wordlist (e.g., rockyou.txt, SecLists) of millions of real passwords. Hash each one and compare.
Example wordlist snippet:
password
123456
admin
letmein
trustno1
Command with Hashcat:
hashcat -m 1000 -a 0 ntlm_hash.txt rockyou.txt
| Feature | NTLMv1 | NTLMv2 |
|---------|--------|--------|
| Hash input | MD4(password) | MD4(password) |
| Network auth | DES-based challenge/response | HMAC-MD5 of challenge + timestamp |
| Storage in SAM | Same (MD4) | Same (MD4) |
| Vulnerability | Extremely weak, vulnerable to pass-the-hash | Stronger, but hash still crackable offline |
Crucially: The hash stored in the Windows SAM database or NTDS.dit is always the unsalted MD4 for both versions. Salting only applies to the network challenge response, not the stored hash.
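Because the stored hash is unsalted, two accounts with the same password carry the same hash, so a hash export can be audited for password reuse and empty passwords without cracking anything. The script below is an added example, not part of the original page or of any tool it names; the pwdump-style input layout, the account names and the function names `parse_dump` and `audit` are assumptions, and the sample dump is constructed (it reuses the hash from the page's own command line).

```python
from collections import defaultdict

# Well-known constant: the NT hash of the empty password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")

# Constructed sample in pwdump layout (user:rid:lm:nt:::). Accounts and RIDs
# are made up; the LM column is ignored by this audit.
SAMPLE_DUMP = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:8846F7EAEE8FB117AD06BDD830B7586C:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
carol:1004:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
this line is malformed
"""

def parse_dump(text):
    """Yield (user, nt_hash) pairs, skipping lines that are not valid entries."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, nt = parts[0], parts[3].lower()  # normalise hex case
        if len(nt) == 32 and set(nt) <= HEX:
            yield user, nt

def audit(text):
    """Group accounts by NT hash: equal hashes mean equal passwords (no salt)."""
    by_hash = defaultdict(list)
    empty = []
    for user, nt in parse_dump(text):
        if nt == EMPTY_NT:
            empty.append(user)
        else:
            by_hash[nt].append(user)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"shared_password": shared, "empty_password": sorted(empty)}

if __name__ == "__main__":
    for finding, accounts in audit(SAMPLE_DUMP).items():
        print(finding, accounts)
```

With a salted scheme the grouping step would find nothing, since equal passwords would no longer produce equal stored values.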
ntlm-hash-decrypter -H 8846f7eaee8fb117ad06bdd830b7586c -w rockyou.txt
ntlm-hash-decrypter -f hashes.txt --online --rainbow
Real tools use these methods: