
Overhaul ntlm.py for Spec-Aligned Hash Extraction#23

Merged
MatrixEditor merged 24 commits into MatrixEditor:master from StrongWind1:update/ntlm
Mar 8, 2026

Overhaul ntlm.py for Spec-Aligned Hash Extraction#23
MatrixEditor merged 24 commits intoMatrixEditor:masterfrom
StrongWind1:update/ntlm

Conversation

@StrongWind1
Contributor

Resolves #22

What Changed

NTLM_AUTH_to_hashcat_formats() — replaces NTLM_AUTH_to_hashcat_format(). Returns list[tuple[str, str]] with all crackable hashes from a single Type 3 message. Addresses issues 1–4 from the tracking issue.

NTLM_AUTH_CreateChallenge() — removed NTLMSSP_AV_TIME from AV_PAIRS, added disable_ntlmv2 parameter, added SEAL/ALWAYS_SIGN echo, added ESS/LM_KEY exclusivity enforcement. Addresses issues 5–8.

Configuration — renamed ntlm_challange to ntlm_challenge, replaced ntlm_ess with ntlm_disable_ess (inverted polarity), added ntlm_disable_ntlmv2. Challenge parser now supports hex:/ascii: prefixes with backward-compatible auto-detection. Addresses issue 9.

_compute_dummy_lm_responses() — new helper that pre-computes the two known dummy LM responses per challenge for filtering.

NTLM_report_auth() — updated to iterate over all returned hashes and write each as a separate database entry.

Documentation — ~500 lines added: module-level docstring with handshake diagram, NumPy-style function docstrings, inline spec references, hashcat format token layouts.

Output

No change to hashcat format strings — the same mode 5500 and 5600 lines are produced, now with additional LMv2 companion hashes captured and bad entries filtered out. All output is directly consumable by modes 5500, 5600, 27000, and 27100.
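The challenge-parsing behaviour described above (explicit `hex:` / `ascii:` prefixes plus auto-detection for unprefixed values) is easy to get subtly wrong, so here is a small stand-alone parser as an added example. It is not Dementor's own code: the function name `parse_challenge`, the auto-detection rule (a 16-hex-digit string is hex, anything else is ASCII) and the strict 8-byte length check are assumptions made for this example, not details taken from the PR.

```python
import re

# MS-NLMP ServerChallenge is always exactly 8 bytes.
CHALLENGE_LEN = 8
# An unprefixed value is treated as hex only if it is exactly 16 hex digits.
# This is an assumption for the example; a 16-character string can never be
# a valid 8-byte ASCII challenge, so the auto-detection is unambiguous.
_HEX16 = re.compile(r"^[0-9a-fA-F]{16}$")


def parse_challenge(value: str) -> bytes:
    """Turn a configured challenge string into the 8-byte ServerChallenge.

    Accepted forms (assumed for this example):
      hex:<16 hex digits>    explicit hex
      ascii:<8 characters>   explicit ASCII
      <no prefix>            auto-detect: 16 hex digits -> hex, else ASCII
    Raises ValueError for anything that does not decode to exactly 8 bytes.
    """
    value = value.strip()
    lowered = value.lower()
    if lowered.startswith("hex:"):
        raw = bytes.fromhex(value[4:])          # ValueError on non-hex input
    elif lowered.startswith("ascii:"):
        raw = value[6:].encode("ascii")         # UnicodeEncodeError (a ValueError) on non-ASCII
    elif _HEX16.match(value):
        raw = bytes.fromhex(value)
    else:
        raw = value.encode("ascii")
    if len(raw) != CHALLENGE_LEN:
        raise ValueError(
            f"challenge must be exactly {CHALLENGE_LEN} bytes, got {len(raw)} from {value!r}"
        )
    return raw


def format_challenge(raw: bytes) -> str:
    """Inverse of parse_challenge: always emit the unambiguous hex: form."""
    if len(raw) != CHALLENGE_LEN:
        raise ValueError(f"challenge must be exactly {CHALLENGE_LEN} bytes")
    return "hex:" + raw.hex()


if __name__ == "__main__":
    for cfg in ("hex:1122334455667788", "ascii:ABCDEFGH", "1122334455667788", "ABCDEFGH"):
        print(f"{cfg!r:28} -> {parse_challenge(cfg).hex()}")
```

When writing a value back to a config file, `format_challenge` always uses the explicit `hex:` prefix, so round-tripped values never depend on the auto-detection rule.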

@StrongWind1 StrongWind1 changed the title Overhaul ntlm.py for Spec-Aligned Hash Extraction [WiP] Overhaul ntlm.py for Spec-Aligned Hash Extraction Feb 25, 2026
@StrongWind1
Contributor Author

This is a WiP. I confirmed this code works for Vista, Windows 10, and Server 2022 with all LmCompatibilityLevel set from 0 to 5. I will be doing more testing on all Windows OS before asking to merge.

I am trying to test with XP but it is failing due to smb.py not supporting it. See #24
I want to ensure this PR has feature parity with everything from Responder.

@MatrixEditor MatrixEditor added Type - Enhancement Protocol: NTLM Errors/Features related to NTLM labels Feb 25, 2026
@StrongWind1
Contributor Author

Cleaned up the code further. More testing still needed.

@StrongWind1 StrongWind1 marked this pull request as ready for review March 5, 2026 05:50
@StrongWind1 StrongWind1 changed the title [WiP] Overhaul ntlm.py for Spec-Aligned Hash Extraction Overhaul ntlm.py for Spec-Aligned Hash Extraction Mar 5, 2026
@StrongWind1
Contributor Author

Hello @MatrixEditor, this PR is ready for a review. There is some additional work on the SMB server side of things, but NTLM is done and compliant.

Key improvements in the PR include:

  • Correct NTLM Versioning: Now uses payload length as the sole, reliable discriminator between NTLMv1 and NTLMv2.
  • Multi-Hash Extraction: The new NTLM_AUTH_to_hashcat_formats() correctly extracts both the NTLMv2 hash and its LMv2 companion from a single AUTHENTICATE_MESSAGE.
  • Intelligent Filtering: Actively filters out "dummy" hashes and duplicates to reduce capture noise.
  • Maximized LMv2 Capture: By omitting MsvAvTimestamp from the challenge, modern Windows clients will now correctly send the LMv2 response.
  • Configuration Overhaul: Added disable_ntlmv2 and inverted disable_ess for more explicit control over protocol negotiation.

The changes have been tested with smbclient across its various NTLMSSP options and all tests are passing. All captured hashes with smbclient crack with hashcat.
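The first bullet above, using the NtChallengeResponse length as the discriminator between NTLMv1 and NTLMv2, is the part of the PR a defender is most likely to reuse: the same check lets a network sensor flag NTLMv1 authentications, which is exactly what raising LmCompatibilityLevel is meant to eliminate. The following is an added example, not code from Dementor or this PR. It decodes the fixed header of an AUTHENTICATE_MESSAGE as laid out in MS-NLMP 2.2.1.3, classifies the response by length, and notes the two flags the PR discusses (ESS and the all-zero LmChallengeResponse sent when MsvAvTimestamp was present). The function names, the constructed sample messages and the `build_authenticate` helper are assumptions for this example; the message layout and flag values are from the spec.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MSG_AUTHENTICATE = 3
# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000


def _read_field(msg: bytes, at: int) -> bytes:
    """Read one MS-NLMP payload field descriptor: Len u16, MaxLen u16, Offset u32 (LE)."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, at)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]


def parse_authenticate(msg: bytes) -> dict:
    """Decode the AUTHENTICATE_MESSAGE header and classify the response.

    Classification (assumed here, matching the length rule in the PR):
      NtChallengeResponse len 0   -> anonymous / null session
      NtChallengeResponse len 24  -> NTLMv1 (with or without ESS)
      NtChallengeResponse len >24 -> NTLMv2 (NTProofStr + NTLMv2_CLIENT_CHALLENGE)
    Strings are decoded as UTF-16LE, i.e. NTLMSSP_NEGOTIATE_UNICODE is assumed.
    """
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != MSG_AUTHENTICATE:
        raise ValueError(f"expected MessageType 3, got {msg_type}")
    lm_resp = _read_field(msg, 12)        # LmChallengeResponseFields
    nt_resp = _read_field(msg, 20)        # NtChallengeResponseFields
    domain = _read_field(msg, 28).decode("utf-16-le")
    user = _read_field(msg, 36).decode("utf-16-le")
    workstation = _read_field(msg, 44).decode("utf-16-le")
    (flags,) = struct.unpack_from("<I", msg, 60)

    if len(nt_resp) == 0:
        version = "anonymous"
    elif len(nt_resp) == 24:
        version = "NTLMv1"
    elif len(nt_resp) > 24:
        version = "NTLMv2"
    else:
        version = "malformed"
    return {
        "version": version,
        "user": user, "domain": domain, "workstation": workstation,
        "ess": bool(flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        # Z(24): what a client sends for LmChallengeResponse when the CHALLENGE
        # carried MsvAvTimestamp (MS-NLMP 3.1.5.1.2); no LMv2 companion in that case.
        "lm_is_placeholder": lm_resp == b"\x00" * 24,
        "lm_len": len(lm_resp), "nt_len": len(nt_resp),
    }


def build_authenticate(lm_resp: bytes, nt_resp: bytes, domain: str, user: str,
                       workstation: str, flags: int) -> bytes:
    """Assemble a minimal AUTHENTICATE_MESSAGE (no Version, no MIC) for the demo."""
    blobs = [lm_resp, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]   # last: EncryptedRandomSessionKey (absent)
    header_len = 64                                   # 8 sig + 4 type + 6*8 fields + 4 flags
    descriptors, payload = b"", b""
    for blob in blobs:
        descriptors += struct.pack("<HHI", len(blob), len(blob), header_len + len(payload))
        payload += blob
    return (NTLMSSP_SIGNATURE + struct.pack("<I", MSG_AUTHENTICATE)
            + descriptors + struct.pack("<I", flags) + payload)


# Constructed NTLMv2_RESPONSE (not a real HMAC): 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE.
SAMPLE_NTLMV2_RESPONSE = (
    b"\xaa" * 16                   # NTProofStr
    + b"\x01\x01" + b"\x00" * 6    # RespType, HiRespType, Reserved1, Reserved2
    + b"\x00" * 8                  # TimeStamp
    + b"\xbb" * 8                  # ChallengeFromClient
    + b"\x00" * 4                  # Reserved3
    + b"\x00\x00\x00\x00"          # AvPairs: MsvAvEOL only
)


if __name__ == "__main__":
    samples = {
        "v1":     build_authenticate(b"\x11" * 24, b"\x22" * 24, "LAB", "alice", "WS01",
                                     NTLMSSP_NEGOTIATE_UNICODE),
        "v1-ess": build_authenticate(b"\x33" * 8 + b"\x00" * 16, b"\x44" * 24, "LAB", "bob",
                                     "WS02", NTLMSSP_NEGOTIATE_UNICODE
                                     | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        "v2":     build_authenticate(b"\x55" * 24, SAMPLE_NTLMV2_RESPONSE, "LAB", "carol",
                                     "WS03", NTLMSSP_NEGOTIATE_UNICODE),
    }
    for name, msg in samples.items():
        info = parse_authenticate(msg)
        flag = "  <- weak, audit LmCompatibilityLevel" if info["version"] == "NTLMv1" else ""
        print(f"{name:7} {info['domain']}\\{info['user']} {info['version']} ess={info['ess']}{flag}")
```

The `nt_len > 24` test is deliberately loose: a real NTLMv2_RESPONSE is at least 48 bytes (16-byte NTProofStr plus a 32-byte minimal client challenge), but clients append a variable-length AV_PAIR list, so only the "longer than a 24-byte DESL output" property is stable across implementations.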

@MatrixEditor MatrixEditor self-requested a review March 5, 2026 10:00
@MatrixEditor
Owner

MatrixEditor commented Mar 6, 2026

Hi @StrongWind1,

thank you so much for reworking the NTLM core of Dementor. I will get back to the review as soon as possible, so a new version can be finalized.

@StrongWind1
Contributor Author

Hi @MatrixEditor,

Please see this comment for a clearer overview of the changes and improvements in this PR, along with the reasoning behind them.

#22 (comment)

Owner

@MatrixEditor MatrixEditor left a comment


Hi @StrongWind1,

I've finished the review - only minimal comments, nothing huge. If you want to apply additional changes before merging this request, please let me know.

Comment thread docs/source/compat.rst Outdated
Comment thread pyproject.toml Outdated
Comment thread docs/source/compat.rst Outdated
Comment thread docs/source/compat.rst Outdated
Comment thread dementor/protocols/ntlm.py
Comment thread dementor/protocols/ntlm.py Outdated
Comment thread dementor/protocols/ntlm.py Outdated
Comment thread dementor/protocols/ntlm.py Outdated
Comment thread dementor/protocols/ntlm.py Outdated
Comment thread dementor/protocols/ntlm.py Outdated
@StrongWind1
Contributor Author

Let me know if you have any other comments!

Owner

@MatrixEditor MatrixEditor left a comment


LGTM! Will be merged if you have no further additions.

@StrongWind1
Contributor Author

No further additions for now! Go ahead and merge.

@MatrixEditor MatrixEditor merged commit f63df54 into MatrixEditor:master Mar 8, 2026
@StrongWind1 StrongWind1 deleted the update/ntlm branch March 9, 2026 03:28

Labels

Protocol: NTLM Errors/Features related to NTLM Type - Enhancement

Development

Successfully merging this pull request may close these issues.

Overhaul ntlm.py, Spec-Aligned Hash Extraction and Additional Improvements

2 participants