

Downgrade, convert, dissect and shuck authentication tokens based on the Data Encryption Standard.

Behind the scenes, the ShuckNT script is simply an efficient, optimized binary search for DES-key collisions among a subset of candidate NT hashes whose last two bytes are known, run against a custom byte-reversed binary copy of the HIBP database.

During a time-limited security assessment, if you capture ~100 NetNTLMv1 responses (with or without ESS) with a tool such as Responder, searching for the corresponding NT hashes (if they are leaked on HIBP) takes only a few seconds with ShuckNT (~10s). ShuckNT also takes care of the simplification: it converts the cryptographic algorithm to a weaker form (without ESS where possible, into a free format for Crack.Sh, or directly into NT-hash format if the hash is leaked on HIBP). Thus a NetNTLMv1-ESS/SSP, PPTP VPN or MSCHAPv2 challenge (not free and time-consuming on Crack.Sh) can potentially be shucked instantly, for free!

The initial idea of ShuckNT was born from a desire to save time during security assessments for customers, not to rely on a third-party online service whose availability is not necessarily continuous, and to be locally autonomous.

Algorithms / formats supported:
- PPTP-VPN ($99$)
- All with any challenge value!

ShuckNT relies on the hash-shucking principle to optimize challenge-response cracking and exploitability.
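The "custom reversed database" and the binary search described above hinge on one property of NetNTLMv1: the 16-byte NT hash is split into three DES keys, and the third key consists of the hash's last two bytes padded with five zero bytes, so only 2^16 values of that key exist and the last two bytes of the NT hash can be treated as known. The following Python is an added example, not ShuckNT's own code, showing why a byte-reversed, sorted index makes the lookup cheap: with the last two bytes moved to the front, every hash sharing a given suffix becomes a contiguous run that `bisect` finds in O(log N). The sample hashes, the index layout and the function names are constructed for illustration; the DES step itself is omitted, so the returned list is the candidate subset a defender would then verify, not a cracked credential.

```python
import bisect
from typing import Iterable, List

# Constructed sample "NT hashes" (arbitrary hex, NOT real or leaked values).
# Two of them deliberately share the suffix ee ff to show a multi-hit run.
SAMPLE_NT_HASHES = [
    "00112233445566778899aabbccddeeff",
    "ffeeddccbbaa99887766554433221100",
    "0123456789abcdef0123456789abeeff",
    "deadbeefdeadbeefdeadbeefdeadbeef",
]

# NetNTLMv1 pads the NT hash's last two bytes with five zero bytes to form the
# third DES key, so that key has only 2**16 possibilities.
SUFFIX_KEYSPACE = 1 << 16


def reverse_bytes_hex(nt_hex: str) -> str:
    """Byte-reverse a 16-byte NT hash so its last two bytes lead the string.

    Output is normalised to lowercase hex so the index sorts consistently.
    """
    raw = bytes.fromhex(nt_hex)
    if len(raw) != 16:
        raise ValueError("NT hash must be exactly 16 bytes")
    return raw[::-1].hex()


def build_reversed_index(nt_hashes: Iterable[str]) -> List[str]:
    """Return the sorted, byte-reversed index (assumed database layout)."""
    return sorted(reverse_bytes_hex(h) for h in nt_hashes)


def candidates_for_suffix(index: List[str], last_two_bytes: bytes) -> List[str]:
    """Binary-search the index for every hash ending in `last_two_bytes`.

    Because entries are byte-reversed, the known suffix is a 4-hex-char prefix
    of a contiguous run. Returns the matching hashes in original byte order,
    or an empty list when the suffix is absent from the corpus.
    """
    if len(last_two_bytes) != 2:
        raise ValueError("expected exactly two bytes")
    prefix = last_two_bytes[::-1].hex()
    lo = bisect.bisect_left(index, prefix)
    # Any 32-char entry with this prefix sorts at or below prefix + 'f' * 28.
    hi = bisect.bisect_right(index, prefix + "f" * 28)
    return [reverse_bytes_hex(entry) for entry in index[lo:hi]]


def expected_candidates(corpus_size: int) -> float:
    """Average run length for one suffix, assuming uniformly spread hashes."""
    return corpus_size / SUFFIX_KEYSPACE


if __name__ == "__main__":
    index = build_reversed_index(SAMPLE_NT_HASHES)
    print("hits for suffix eeff:", candidates_for_suffix(index, bytes.fromhex("eeff")))
    print("hits for suffix 0000:", candidates_for_suffix(index, bytes.fromhex("0000")))
    print("avg candidates per suffix in a 1e9-entry corpus:", expected_candidates(10**9))
```

The index is built once and reused; for a corpus the size of HIBP's NTLM list the suffix alone narrows each lookup to a few thousand candidates on average, which is the subset the DES check then has to confirm.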