{"id":18063222,"url":"https://github.com/yanncam/shucknt","last_synced_at":"2026-03-05T02:04:28.486Z","repository":{"id":93583611,"uuid":"593941716","full_name":"yanncam/ShuckNT","owner":"yanncam","description":"ShuckNT is the script of Shuck.sh online service for on-premise use. It is design to dowgrade, convert, dissect and shuck authentication token based on Data Encryption Standard (DES).","archived":false,"fork":false,"pushed_at":"2024-10-18T10:45:49.000Z","size":137,"stargazers_count":74,"open_issues_count":1,"forks_count":11,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-14T15:06:59.850Z","etag":null,"topics":["authentication","challenge","des","hibp","mschap","netntlm","netntlmv1","nt-hash","ntlm"],"latest_commit_sha":null,"homepage":"https://shuck.sh","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yanncam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-27T07:52:47.000Z","updated_at":"2025-06-30T14:37:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"24ef3783-c704-4f68-a4f0-1b75eba43a93","html_url":"https://github.com/yanncam/ShuckNT","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yanncam/ShuckNT","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yanncam%2FShuckNT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yanncam%2FShuckNT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yanncam%2FShuckNT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yanncam%2FShuckNT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yanncam","download_url":"https://codeload.github.com/yanncam/ShuckNT/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yanncam%2FShuckNT/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30106178,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T01:39:18.192Z","status":"online","status_checked_at":"2026-03-05T02:00:06.710Z","response_time":93,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","challenge","des","hibp","mschap","netntlm","netntlmv1","nt-hash","ntlm"],"created_at":"2024-10-31T05:09:50.813Z","updated_at":"2026-03-05T02:04:28.464Z","avatar_url":"https://github.com/yanncam.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://shuck.sh/images/shucksh-192x192.png\" alt=\"Shuck.sh\"/\u003e\n\u003c/p\u003e\n\n# :closed_lock_with_key: ShuckNT : Shuck hash before trying to crack it | [Shuck.sh](https://shuck.sh)'s script\n\n**ShuckNT** is the script of [Shuck.sh](https://shuck.sh) online service for on-premise use ([try it online!](https://shuck.sh/get-shucking.php)). It is design to dowgrade, convert, dissect and shuck authentication token based on [Data Encryption Standard (DES)](https://en.wikipedia.org/wiki/Data_Encryption_Standard).\n\nAlgorithms / formats supported :\n- MSCHAPv2\n- NET(NT)LM\n- (LM|NT)HASH\n- PPTP-VPN `$99$`\n- All with any challenge value!\n\n**ShuckNT** rely on [hash shucking](https://www.youtube.com/watch?v=OQD3qDYMyYQ\u0026ab_channel=PasswordVillage) principle to optimize challenge-response cracking and exploitability.\n\n\u003e [Password shucking](https://www.scottbrady91.com/authentication/beware-of-password-shucking) is a method of stripping layers off an updated password hash, removing the benefits of its new password hashing algorithm and reverting it to its weaker algorithm. Password shucking can be used by an attacker against old rehashed passwords or pre-hash passwords, enabling them to strip away or \"shuck\" off the strong outer password hashing algorithm.\n\nFrom a list of input tokens, **ShuckNT** provides :\n- The NT-hash instantly ([pass-the-hash](https://en.wikipedia.org/wiki/Pass_the_hash) ready) through a smart-research in the [HaveIBeenPwned](https://haveibeenpwned.com/) latest database (if present);\n- The [Crack.Sh](https://crack.sh/) ready-to-use optimized token, to pay less or nothing if NT-hash not found in HIBP-DB;\n- Several converted formats to try to crack them via other tools ([hashcat](https://hashcat.net/), jtr, CloudCracker, etc.) :\n - **Hashcat mode 5500**: to crack NetNTLMv1 to plaintext (unpredictable result, depend on wordlists, masks, rules...);\n - **Hashcat mode 27000**: to shuck NetNTLMv1 to NT-hash (unpredictable result / depend on NT-wordlists...);\n - **Hashcat mode 14000**: to shuck NetNTLMv1 to DES-keys then NT-hash (100% result / time needed);\n- All the details of the dissection of the challenge-response (PT1/2/3, K1/2/3, CT1/2/3, HIBP occurences/candidates, LMresp, NTresp, challenges, etc.).\n\n## :mag: How it works?\n\nBehind [Shuck.sh](https://shuck.sh)'s script **ShuckNT** is simply an efficient and optimized [binary-search](https://en.wikipedia.org/wiki/Binary_search_algorithm) for [DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard)-keys collisions from a subset of NT-hashes candidate, whose last [two bytes are known](https://hashcat.net/forum/thread-5832.html), in custom-reversed-binary [HIBP](https://haveibeenpwned.com/)'s database.\n\nDuring a security assessment (limited in time), if you capture ~100 [NetNTLMv1](https://crack.sh/netntlm/) (with or without ESS) via a tool such as [Responder](https://github.com/lgandx/Responder), the search for the corresponding NT-Hashes (if leaked on [HIBP](https://haveibeenpwned.com/)) only takes a few seconds via [Shuck.sh](https://shuck.sh)/**ShuckNT** (~10s).\n\n[Shuck.sh](https://shuck.sh)'s script **ShuckNT** takes care of simplifying by converting the cryptographic algorithm to a weaker form (without ESS if possible, in a free format for [Crack.Sh](https://crack.sh/) or directly in NT-Hash format if leaked on [HIBP](https://haveibeenpwned.com/)). Thus a NetNTLMv1-ESS/SSP, PPTP VPN or MSCHAPv2 challenge (not-free and time-consuming on [Crack.Sh](https://crack.sh/)) can potentially be shucked instantly for free!\n\nThe initial idea of [Shuck.sh](https://shuck.sh)/ShuckNT was born from a desire to save time during security assessments for customers, not to rely on a third-party online service whose availability is not necessarily continuous and to be able to be locally autonomous.\n\n## :hammer: Installation of ShuckNT / Preparing the HIBP database\n\nThe installation process consists of:\n\n- Get the **ShuckNT** project;\n- Prepare HaveIBeenPwned database (one time only, takes several minutes) (these steps are to be carried out under a Unix/Linux environment):\n - **Download** the latest version of the [HaveIBeenPwned database of NT-hashes ordered by hashes](https://haveibeenpwned.com/Passwords) (several GB) ([Mirror link](https://data.verifiedjoseph.com/dataset/pwned-passwords-version-8) or via torrent);\n - **Extract** this database via 7zip;\n - **Reverse** all the hashes of this database via ShuckNT script directly;\n - **Sort** all reversed-hashes;\n - **Convert** this new database into a binary format via ShuckNT script directly (or via the [HIBP_PasswordList_Slimmer](https://github.com/JoshuaMart/HIBP_PasswordList_Slimmer/) of my friend [@JoshuaMart](https://github.com/JoshuaMart) :));\n- Enjoy **ShuckNT**!\n\nInstallation commands:\n```\n# Install dependencies\napt install p7zip-full php git\n\n# Get ShuckNT tool\ngit clone https://github.com/yanncam/ShuckNT\ncd ShuckNT\n\n# Prepare HaveIBeenPwned database (one time only, takes several minutes)\n## Download latest HIBP-DB (can take severals minutes...)\nwget https://downloads.pwnedpasswords.com/passwords/pwned-passwords-ntlm-ordered-by-hash-v8.7z\n## Extract HIBP-DB (can take severals minutes...)\n7z e pwned-passwords-ntlm-ordered-by-hash-v8.7z\n## Reverse all hashes (can take severals minutes...)\nphp shucknt.php -r pwned-passwords-ntlm-ordered-by-hash-v8.txt -t pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed\n## Sort all reversed-hashes (can take severals minutes...)\nsort pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed -o pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed-sorted\n## Convert to binary format (can take severals minutes...)\nphp shucknt.php -b pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed-sorted -t pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin\n## Free space to keep only pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin\nrm -f pwned-passwords-ntlm-ordered-by-hash-v8.7z\nrm -f pwned-passwords-ntlm-ordered-by-hash-v8.txt\nrm -f pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed\nrm -f pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed-sorted\n\n# Enjoy ShuckNT via commandline, or web http://[HOST]/shucknt.php\nphp shucknt.php -h\n```\n\n_The generation of the database in the format expected by ShuckNT is to be done under a Unix/Linux system._\n\n_The use of ShuckNT with a valid database has been tested under Windows/Linux with PHP7/8+._\n\n_Please note that ShuckNT use the PHP-OpenSSL extension with the DES-ECB algorithm. So for modern PHP version with OpenSSL3, [enable the legacy provider](https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/)._\n\nChecksums for each steps :\n\n```\n$ sha1sum pwned-passwords-ntlm-*\n225a993a908e3d73ffa68859c4f128e17359358e pwned-passwords-ntlm-ordered-by-hash-v8.7z\n4b6c4728c21f64d6a58c7b63d98dcf342c068407 pwned-passwords-ntlm-ordered-by-hash-v8.txt\n88094c4a332ecfac9a15c23ba886194d1810b0b2 pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed\nd5486dfbf960f36ff0e1cf313a1b80db5cd4137f pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed-sorted\n31a5c1b605cca5bcf71196c70f291c05aa3fe86c pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin\n\n$ sha256sum pwned-passwords-ntlm-*\nea83d536387e6b149f2e362bf7dfbf521523812611359f47620fd44dae9770ee pwned-passwords-ntlm-ordered-by-hash-v8.7z\n916cfd1772d24f2fe99aa5f37d4a465359c7b6f7d39f45ffbf27deca697b7116 pwned-passwords-ntlm-ordered-by-hash-v8.txt\n76f9e101801dfc44489cad4edec5f14d634c2b4676bb9ffbc7e9968c9a5356a5 pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed\n6ee13a35ed88e8073be088a20560cb9fefcc6d08e599241244eaee01dc053a44 pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed-sorted\nac2f6bf681fbe636b94f3ce3f2b594ef3d0af7671375478db1153874e8a5d873 pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin\n```\n\n## :fire: Demonstration / Example / How to use?\n\nShuckNT is a standalone-PHP script without any dependencies. It can be used in **CLI command-line** or through a **Web-Browser**.\n\n### CLI command-line standalone script\n\nHelp, arguments and syntax:\n\n```\n$ php shucknt.php -h\n __ _ _ __ _____\n/ _\\ |__ _ _ ___| | __ /\\ \\ \\/__ \\\n\\ \\| '_ \\| | | |/ __| |/ // \\/ / / /\\/\n_\\ \\ | | | |_| | (__| \u003c/ /\\ / / /\n\\__/_| |_|\\__,_|\\___|_|\\_\\_\\ \\/ \\/ v1.0\nDES-based authentication token shucker (https://shuck.sh)\n@author : ycam | @asafety.fr / @yann.cam\n\nShuckNT is design to dowgrade, convert, dissect and shuck authentication token based on Data Encryption Standard (DES).\nAlgorithms / formats supported :\n - NetNTLMv1(-ESS/SSP)\n - MSCHAPv2\n - NET(NT)LM\n - (LM|NT)HASH\n - PPTP-VPN $99$\n - All with any challenge value!\n\nShuckNT rely on \"hash shucking\" principle to optimize challenge-response cracking and exploitability.\n\nFrom a list of input tokens, ShuckNT provides :\n- The NT-hash instantly (pass-the-hash ready) through a smart-research in the HaveIBeenPwned latest database (if present);\n- The Crack.Sh ready-to-use optimized token, to pay less or nothing if NT-hash not found in HIBP-DB;\n- Several converted formats to try to crack them via other tools (hashcat, jtr, CloudCracker, etc.) :\n - Hashcat mode 5500 : to crack NetNTLMv1 to plaintext (unpredictable result, depend on wordlists, masks, rules...);\n - Hashcat mode 27000: to shuck NetNTLMv1 to NT-hash (unpredictable result / depend on NT-wordlists...);\n - Hashcat mode 14000: to shuck NetNTLMv1 to DES-keys then NT-hash (100% result / time needed);\n- All the details of the dissection of the challenge-response (PT1/2/3, K1/2/3, CT1/2/3, HIBP occurences/candidates, LMresp, NTresp, challenges, etc.).\n\nUse '-h' to print help.\n\nusage: php shucknt.php [-h] [-f tokens.txt] [-i 'tokenValue'] [-w wordlist.bin] [-o json|stdout|web] [-v]\n [-r input_wordlist.txt] [-b input_wordlist_reversed_sorted.txt] [-r output_wordlist] [-j]\n\nArguments details:\n\n -h Print this help\n -f tokens.txt Input tokens file, one per line.\n -i 'tokenValue' Inline input token from stdin.\n -w wordlist.bin Specific binary-reversed-sorted-wordlist to use.\n -o json|stdout|web Commandline output in json, stdout or web format.\n -v Verbosity for stdout output format only.\n -r input_wordlist.txt Input wordlist file to be reversed.\n -b input_wordlist.txt Input reversed-sorted-wordlist file to be binarized.\n -r output_wordlist Output file for reversal or binarization.\n -j Do not display header (for json output).\n\nThese are common ShuckNT commands used in various situations:\n\n # Shuck tokens from an input file to stdout with verbosity:\n php shucknt.php -f tokens.txt -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin -v\n\n # Shuck token from stdin to json output:\n php shucknt.php -i '$99$1a7F1qr2HihoXfs/56u5XMdpDZ83N6hW/HI=' -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin -o json -j\n\n # Shuck token from stdin to light stdout (use default wordlist defined as constant in script):\n php shucknt.php -i 'ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788'\n\n # Reverse HIBPDB to output file:\n php shucknt.php -r pwned-passwords-ntlm-ordered-by-hash-v8.txt -t pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed\n\n # Binarize HIBPDB already reversed and sorted to output file:\n php shucknt.php -b pwned-passwords-ntlm-ordered-by-hash-v8.txt-reversed-sorted -t pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin\n```\n\nShuck instantly an authentication token **NetNTLMv1 with ESS/SSP** for its corresponding NT-hash, from stdin (with default HIBP-DB) and verbose output:\n```\n$ php shucknt.php -i 'ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788' -v\n[...]\n1 hashes-challenges analyzed in 0 seconds, with 1 NT-Hash instantly broken for pass-the-hash and 0 that can be broken via crack.sh for free.\n\n[INPUT] ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788\n [USERNAME] ycam\n [DOMAIN] ad\n [LMRESP] DEADC0DEDEADC0DE00000000000000000000000000000000\n [NTRESP] 70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED\n [CT1] 70C249F75FB6D2C0\n [CT2] AC2C2D3808386CCA\n [CT3] B1514A2095C582ED\n [ESS] YES\n [CLIENTCHALL] 1122334455667788\n [SERVERCHALL] DEADC0DEDEADC0DE\n [CHALLENGE] C85086419358F950\n [NTHASH-SHUCKED] 93B3C62269D55DB9CA660BBB91E2BD0B\n [HIBP-CANDIDATES] 12778\n [HIBP-OCCURENCE] 15\n [PT1] 93B3C62269D55D\n [PT2] B9CA660BBB91E2\n [PT3] BD0B\n [K1] 93D9F1C5274F55BB\n [K2] B9E599C1BBDD47C5\n [K3] BD85C10101010101\n [CRACK.SH-TOKEN] $NETLM$C85086419358F950$70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED (20-300$)\n [FORMAT-NETNTLMV1-NO-ESS] ycam::ad::70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:C85086419358F950\n [FORMAT-MSCHAPV2] $MSCHAPv2$C85086419358F950$70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED$\n [FORMAT-NET(NT)LM] $NETLM$C85086419358F950$70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED\n [FORMAT-PPTP] $99$yFCGQZNY+VBwwkn3X7bSwKwsLTgIOGzKvQs=\n```\n\nShuck instantly many authentication tokens from supported formats for their corresponding NT-hashes, from an input file (with specified HIBP-DB) and simple output:\n```\n$ php shucknt.php -f tokens-samples.txt -w pwned-passwords-ntlm-reversed-ordered-by-hash-v8.bin\n[...]\n10 hashes-challenges analyzed in 3 seconds, with 8 NT-Hash instantly broken for pass-the-hash and 1 that can be broken via crack.sh for free.\n\n[INPUT] $99$1a7F1qr2HihoXfs/56u5XMdpDZ83N6hW/HI=\n [NTHASH-SHUCKED] DE26CCE0356891A4A020E7C4957AFC72\n\n[INPUT] LMHASH:2B56DAEB658F9FE977BD3B61E7976684388EF712DB95C6F8\n [NTHASH-SHUCKED] C780C78872A102256E946B3AD238F661\n\n[INPUT] NTHASH:D4ACBAA3CD626E2A074D76C7491D332F8FB8989968E88736\n [NTHASH-SHUCKED] C22B315C040AE6E0EFEE3518D830362B\n\n[INPUT] ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788\n [NTHASH-SHUCKED] 93B3C62269D55DB9CA660BBB91E2BD0B\n\n[INPUT] $NETNTLM$4803CB182E23B79A$BA4DA703C6A056727CC7B62FFA065970D5D400F18D02C6D1\n [NTHASH-SHUCKED] 8E2FDD50C6FB5D0E22E2455394D98D2A\n\n[INPUT] user::domain.tld:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788\n [NTHASH-SHUCKED] 8846F7EAEE8FB117AD06BDD830B7586C\n\n[INPUT] $MSCHAPv2$1337133713371337$F93A1DB1C044133F52582EFDA5C31667EBBE6F8F2814E539$root\n [NTHASH-SHUCKED] 209C6174DA490CAEB422F3FA5A7AE634\n\n[INPUT] $NETLM$FE2CFD84F6C7DEF8$852074A98A9B2AF70D59D449AD0F9B898B4A9455C7B90CE7\n [NTHASH-SHUCKED] 0A42BC909E226C6F8FFCBAA6AB0DA43D\n\n[INPUT] $99$ESIzRFVmd4i8671kB52wcm9qK5VdJR7lJKU=\n [CRACK.SH-TOKEN] NTHASH:BCEBBD64079DB0726F6A2B955D251EE57D6DD8A109D77A0D (0$)\n\n[INPUT] x::x:FEC7A34F78C17A9700000000000000000000000000000000:E875F0A28BD7729D071D7DF05272B0FB4549AE926FE36255:1122334455667788\n [CRACK.SH-TOKEN] $NETLM$1A6A5C911D8A4DF2$E875F0A28BD7729D071D7DF05272B0FB4549AE926FE36255 (20-300$)\n```\n\nShuck tokens with JSON output only:\n```\n$ php shucknt.php -f tokens-samples.txt -o json -j\n[...]\n {\n \"type\": \"NetNTLMv1 (ESS\\/SSP)\",\n \"description\": \"NetNTLMv1 (ESS\\/SSP) type with C85086419358F950 as challenge\",\n \"token\": \"ycam::ad:DEADC0DEDEADC0DE00000000000000000000000000000000:70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:1122334455667788\",\n \"user\": \"ycam\",\n \"domain\": \"ad\",\n \"lmresp\": \"DEADC0DEDEADC0DE00000000000000000000000000000000\",\n \"ntresp\": \"70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED\",\n \"ct1\": \"70C249F75FB6D2C0\",\n \"ct2\": \"AC2C2D3808386CCA\",\n \"ct3\": \"B1514A2095C582ED\",\n \"ess\": true,\n \"clientchallenge\": \"1122334455667788\",\n \"serverchallenge\": \"DEADC0DEDEADC0DE\",\n \"challenge\": \"C85086419358F950\",\n \"deskeys\": {\n \"k1\": \"93D9F1C5274F55BB\",\n \"k2\": \"B9E599C1BBDD47C5\",\n \"k3\": \"BD85C10101010101\"\n },\n \"nthash\": \"93B3C62269D55DB9CA660BBB91E2BD0B\",\n \"pt1\": \"93B3C62269D55D\",\n \"pt2\": \"B9CA660BBB91E2\",\n \"pt3\": \"BD0B\",\n \"reversePt3\": \"B0DB\",\n \"HIBPcountCandidates\": 12778,\n \"HIBPoccurence\": 15,\n \"crackshToken\": \"$NETLM$C85086419358F950$70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED (20-300$)\",\n \"h4m14000\": \"echo \\\"70C249F75FB6D2C0:C85086419358F950\\\"\u003e14000.hash;echo \\\"AC2C2D3808386CCA:C85086419358F950\\\"\u003e\u003e14000.hash;hashcat -m 14000 -a 3 -1 charsets\\/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1\",\n \"h4m5500\": \"echo \\\"ycam::ad::70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:C85086419358F950\\\"\u003e5500.hash;hashcat -m 5500 -a 3 5500.hash ?a?a?a?a?a --increment\",\n \"h4m27000\": \"echo \\\"ycam::ad::70C249F75FB6D2C0AC2C2D3808386CCAB1514A2095C582ED:C85086419358F950\\\"\u003e27000.hash;hashcat -m 27000 -a 0 27000.hash nthash-wordlist.txt\"\n }\n[...]\n```\n\n### Web-Browser standalone script\n\nHost **ShuckNT** on a web server (Apache, Nginx, etc.) supporting PHP 7/8+:\n\n\u003cp align=\"center\"\u003e\n \u003cimg src=\"https://shuck.sh/images/shucknt.png\" alt=\"ShuckNTweb\"/\u003e\n\u003c/p\u003e\n\n## :toolbox: To go deeper...\n\nThe online service [Shuck.sh](https://shuck.sh), which implements the **ShuckNT** tool, provides many [details](https://shuck.sh/#tech) and an [FAQ](https://shuck.sh/#faq).\n\nA dynamic and on-the-fly [Generator](https://shuck.sh/generator.php) is present online, allowing from a clear text password or an NT-hash to observe mechanisms of the authentication token generation algorithm (NetNTLMv1(-ESS/SSP), MSCHAPv2, PPTP-VPN, etc.).\n\nFinally, a dynamic and on-the-fly [Converter](https://shuck.sh/converter.php) is also present online, which allows from an authentication token (NetNTLMv1(-ESS/SSP), MSCHAPv2, PPTP-VPN, etc.) to show in detail its dissection, and even to obtain the corresponding NT-hash if DES keys K1 and K2 are provided (after [DES-KPA attack](https://hashcat.net/forum/thread-5832.html) for example).\n\n## :beers: Credits\n\n- Thanks to [Crack.sh](https://crack.sh) for their excellent online service, which remains essential!\n- Thanks also to Troy Hunt of [HaveIBeenPwned](https://haveibeenpwned.com/) for continually raising awareness about password leaks.\n- Thanks to the entire [Hashcat](https://hashcat.net/) community, for their exciting research, tools and techniques!\n- Thanks to zarbibi, for the help when binary ops gave me a headache.\n- GreetZ to all the Le££e team :)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyanncam%2Fshucknt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyanncam%2Fshucknt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyanncam%2Fshucknt/lists"}