by deviate_X 3608 days ago
I'd be interested to know, how easy is it to actually break the hash of the password-code?
4 comments

https://hashcat.net/hashcat/ should do it, although NTLMv2 isn't explicitly mentioned.

If your password is common (see something like https://github.com/danielmiessler/SecLists/tree/master/Passw...) or <10 ASCII characters, it shouldn't take too long.

When it's NTLM, extremely easy. I know NTLMv1 cracks at around 25 billion attempts per second on a high-end GPU, which is MD4 based. NTLMv2 is MD5 based with a longer key, so it's slower. I'm not sure how much slower, but I'll guess 1 order of magnitude. Still, far too fast for a password hash.

[1] - http://thepasswordproject.com/oclhashcat_benchmarking

Given that far too many passwords can be found with a dictionary attack, it probably only takes seconds for an attacker with "several modern video cards"[1] of hashing power.

[1] https://www.youtube.com/watch?v=7U-RbOKanYs

Why would you need to? The hash is enough to give you access to any NTLM service.

What NTLM service would you be able to access for example?

Wait, what?

NTLM is a generic authentication layer. You use it to get single sign-on for your web APIs.