Offensive Security Rants & Threat Actor Roleplay

Who ya gonna call? -m 27100!

25 August 2023


You have been tasked with performing a network penetration test. After reading the SoW and kicking off the test, you start with everyone’s favorite tool, Responder and quickly capture several NetNTLMv2 hashes, some of which you assume are to privileged accounts. However, after a night of attempting to crack the hashes, you have exhausted your password cracking resources, shed a tear, and are about to move on, ultimately giving up on a quick and easy way to domain administrator (also for this scenario, let’s just assume you are not able to relay the hash or perform any other dark magic hacking with it).

Well, what if I told you that you might not have to ‘crack’ this hash the traditional way in order to use it? Instead, if you’re lucky you can convert the NetNTLMv2 hash you’ve captured to an NT hash and use it for pass-the-hash evilness on the network, securing your way to one of those privileged accounts you have been eyeing.

Hashcat Saves the Day (maybe)

A few years ago I discovered Hashcat mode 27100 from this tweet and haven’t seen any discussion of it since other than a brief mention from mpgn last year.

So, what does Hashcat 27100 do? The simple explanation is that it allows you to input NetNTLMv2 hashes captured from Responder and run them against a wordlist of NT hashes. Hashcat will work its magic and attempt to find a match between the NetNTLMv2 hash you’ve obtained and ultimately output the matching NT hash.

Even though Hashcat isn’t providing you with the plaintext password, the NT hash would allow you to perform pass-the-hash attacks and potentially provide you with some sweet sweet access that you would’ve missed out on before.

If this all sounds good to you and you’re wondering how to create your own NT hashes wordlist, I would recommend the following resources:


Let’s take the following NetNTLMv2 hash provided on Hashcat’s example hashes page:


Additionally, I have created a wordlist containing several NT hashes:


The following screenshot demonstrates Hashcat being ran, note that a match is found with the NT hash B4B9B02E6F09A9BD760F388B67351E2B:



Benchmarks were conducted using a GeForce RTX 4090 on Windows 11 running the latest drivers at the time of writing this post:

Command ran: hashcat -m 5600 --benchmark


Command ran: hashcat -m 27100 --benchmark


From our benchmark tests, we can see that using mode 27100 with Hashcat was over 4x faster than using mode 5600 in recovering the hash.

Creating Your Own Wordlists

Since mode 27100 appears to be much faster than cracking a NetNTLMv2 hash to plaintext, I wrote a simple Go script which will take a plaintext wordlist and convert it to NT hashes. Please note that I have not done the math for how much time this could save you, it’s very likely it won’t save you any.

Go Script

package main

import (


func ntowfv1(password string) []byte {
	utf16Password := unicodeToUtf16(password)
	hash := md4.New()
	return hash.Sum(nil)

func unicodeToUtf16(s string) []byte {
	utf16 := make([]uint16, len(s))
	for i, c := range s {
		utf16[i] = uint16(c)
	result := make([]byte, len(utf16)*2)
	for i, c := range utf16 {
		result[i*2] = byte(c)
		result[i*2+1] = byte(c >> 8)
	return result

func main() {
	if len(os.Args) != 2 {
		fmt.Println("Usage: go run main.go password_file.txt")

	passwordFilePath := os.Args[1]
	passwordFile, err := os.Open(passwordFilePath)
	if err != nil {
		fmt.Printf("Error opening password file: %v\n", err)
	defer passwordFile.Close()

	scanner := bufio.NewScanner(passwordFile)
	for scanner.Scan() {
		password := strings.TrimSpace(scanner.Text())
		ntlmHash := ntowfv1(password)
		fmt.Printf("%x\n", ntlmHash)

	if err := scanner.Err(); err != nil {
		fmt.Printf("Error reading password file: %v\n", err)