
Fix LM:NTLM hash parsing causing ADWS bind failure#2

Open
NathanielSlw wants to merge 1 commit intomverschu:mainfrom
NathanielSlw:fix/ntlm-lm-hash-format

Conversation

@NathanielSlw

Fix: NTLM Hash Authentication with LM:NTLM Format

🐛 Problem

When using NTLM hash authentication in the standard impacket format `LM:NTLM`, the tool throws an error:

```
ERROR:adwsdomaindump.adws_wrapper:ADWS bind failed: non-hexadecimal number found in fromhex() arg at position 32
```

Reproducible with:

  • HTB box: Forest

```
adwsdomaindump --user "htb.local\administrator" --password "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6" -n "<IP>" "FOREST.htb.local"
```

🔍 Root Cause

The `bind()` method in `adws_wrapper.py` doesn't split the `LM:NTLM` format before passing it to `NTLMAuth`. When `_fix_hashes()` in `ms_nns.py` tries to convert the full string using `bytes.fromhex()`, it fails at position 32, where the `:` separator is (which is not a valid hex character).

✅ Solution

Split the LM:NTLM format before passing to NTLMAuth, and send only the NT hash (second part) to the authentication class.

Change in `adws_wrapper.py`, `bind()` method:

```python
# Detect and split LM:NTLM format
hashes = None
password = self.password
if password and ':' in password and len(password.split(':')) == 2:
    lm_hash, nt_hash = password.split(':')
    hashes = nt_hash  # Only NT hash is needed
    password = None

# Create NTLM auth with split hash
auth = NTLMAuth(password=password, hashes=hashes)
```

🧪 Testing

Before fix: error at position 32 (colon separator).

After fix: authentication succeeds with the `LM:NTLM` format.

```
adwsdomaindump --user "htb.local\administrator" --password "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6" -n "<IP>" "FOREST.htb.local"

adwsdomaindump --user "htb.local\administrator" --password ":32693b11e6aa90eb43d32c72a07ceea6" -n "<IP>" "FOREST.htb.local"

# ✅ Works correctly now
```

📋 Technical Details

The LM:NTLM format contains:

  • LM Hash (first 32 chars): Deprecated, often aad3b435b51404eeaad3b435b51404ee
  • NT Hash (last 32 chars): The actual NTLM v2 hash used for authentication

Only the NT Hash is required for modern NTLM authentication. The LM hash remains for backward compatibility but is not used in current Windows environments.
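Added example (editor's, not the PR author's code and not part of the adwsdomaindump project): a parser for the impacket-style credential strings discussed above. It reproduces the pre-fix `bytes.fromhex()` failure on the raw `LM:NT` string, then accepts `LM:NT`, `:NT` and bare `NT`, validates that each half is exactly 32 hex characters, flags the well-known empty-LM value, and splits a "password or hashes" secret the way the PR's `bind()` does, but with a hard error on malformed input instead of a late hex-decoding crash. The function names `parse_ntlm_hashes`, `is_empty_lm`, `split_password_or_hashes` and `fromhex_error` are hypothetical; the sample hash string is the one from the PR description.

```python
"""Added example: parsing impacket-style LM:NT credential strings.

Not code from the adwsdomaindump project; the function names below are
hypothetical. The sample hash string is the one quoted in the PR text.
"""
import re
from typing import Optional, Tuple

# 32 hex characters = 16 bytes, the size of both an LM hash and an NT hash
_HEX32 = re.compile(r"[0-9a-fA-F]{32}")

# LM hash of an empty password; dumps emit this when LM hashing is disabled
EMPTY_LM_HEX = "aad3b435b51404eeaad3b435b51404ee"

# Sample input taken from the PR description (HTB Forest)
FOREST_LM_NT = "aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6"


def fromhex_error(value: str) -> Optional[str]:
    """Reproduce the pre-fix failure: hand the raw 'LM:NT' string to bytes.fromhex().

    Returns the ValueError message (the ':' sits at index 32), or None if decoding worked.
    """
    try:
        bytes.fromhex(value)
        return None
    except ValueError as exc:
        return str(exc)


def parse_ntlm_hashes(value: str) -> Tuple[Optional[bytes], bytes]:
    """Return (lm, nt) as bytes from 'LM:NT', ':NT' or a bare 'NT' string.

    lm is None when no LM half was supplied. Malformed input raises ValueError
    up front instead of failing later inside a hex decoder.
    """
    if value.count(":") > 1:
        raise ValueError("expected at most one ':' separating the LM and NT hashes")
    lm_hex, _, nt_hex = value.rpartition(":")  # bare NT -> lm_hex == ""
    if not _HEX32.fullmatch(nt_hex):
        raise ValueError(f"NT hash must be exactly 32 hex characters, got {nt_hex!r}")
    if lm_hex and not _HEX32.fullmatch(lm_hex):
        raise ValueError(f"LM hash must be exactly 32 hex characters, got {lm_hex!r}")
    lm = bytes.fromhex(lm_hex) if lm_hex else None
    return lm, bytes.fromhex(nt_hex)


def is_empty_lm(lm: Optional[bytes]) -> bool:
    """True when the LM half is absent or is the well-known empty-password value."""
    return lm is None or lm == bytes.fromhex(EMPTY_LM_HEX)


def split_password_or_hashes(secret: str) -> Tuple[Optional[str], Optional[str]]:
    """Decide whether `secret` is a plaintext password or an 'LM:NT' / ':NT' hash pair.

    Returns (password, nt_hex). As in the PR, only the presence of ':' marks the
    value as hashes, and only the NT half is passed on for authentication.
    Unlike the PR, a string with ':' that does not parse raises ValueError.
    """
    if ":" not in secret:
        return secret, None
    _, nt = parse_ntlm_hashes(secret)
    return None, nt.hex()


if __name__ == "__main__":
    print("pre-fix error:", fromhex_error(FOREST_LM_NT))
    lm, nt = parse_ntlm_hashes(FOREST_LM_NT)
    print("empty LM:", is_empty_lm(lm), "NT:", nt.hex())
    print("split:", split_password_or_hashes(FOREST_LM_NT))
```

Validating both halves before decoding is the check worth keeping: a truncated hash or a stray character produces a clear message naming the bad half, rather than an opaque `fromhex()` position that has to be mapped back to the colon by hand.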
