Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 May 2015 10:39:24 -0500
From: Mathieu Laprise <mathlaprise@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Johnny: 1.5.2 Hash type suggestion/guessing, using
 --show=types (was: displaying full meta information about hashes with --show=types)

Aleksey said:

> The patch was pulled into bleeding-jumbo branch (default). So pull the
> new version and try to run it against some files. You'll see the
> output, the format is described above. Skeleton of parser in Perl is
> in attach.
>
I played with the latest bleeding-jumbo branch and show=types and now I
understand the output and the format you described. Thanks. Is it our goal
to call the perl script in Johnny or is it just to help me write a C++
function ?

Files in PWDUMP format need special handling: per line list show only
> lm and nt, lm for 3rd field and nt for 4th field. IIRC Johnny shows lm
> and nt on separate lines. When you read the file with hashes, you may
> need to remember if line is in PWDUMP format. I am sure you'll find a
> way to connect everything correctly.
>
I didn't work yet with that kind of file. I've only used /etc/shadow files
in john yet. I've made some research on Google about LM ,NT password hashes
and pwdumping of SAM to understand what you are talking about. I found this
sample that I send to john --show=types
Input:
Administrator:500:207277225E983B147AC464727886BD82:90BBDB25BC6556610DAA4F03900FBE9
The website where I found it said it has LM and NT(not sure if it's true,
the Windows things is really new to me and I seriously lack files to test
for now :( ).
Output :
Administrator:207277225E983B147AC464727886BD82:500:::::LM:0:0:1:$LM$207277225e983b14:$LM$7ac464727886bd82:0:
Output parser:
valid format LM (disabled 0, dynamic 0)
orig: 207277225E983B147AC464727886BD82
2 parts:
  $LM$207277225e983b14
  $LM$7ac464727886bd82

Is this normal that the 4th field 90BBDB25BC6556610DAA4F03900FBE9 seems to
be ignored ? I thought it was supposed to be the NT one?

Are the field "2 parts:" from last example's parser important for Johnny or
is it only the orig: XXXXXXXXx thing that is important ?

BTW did you try some non-trivial cracking with john and with Johnny?
>
I don't have a lot of password samples, I found this
http://openwall.info/wiki/john/sample-hashes and a few other examples on
internet but If you have interesting samples that you use, please share it.
Also, I didn't play a lot with modes wordlist, rules, charset, single crack
etc.. I played with them but it's not clear to me yet which options I'd
choose in a real attack. Most of the time I use default mode.

[ CONTENT OF TYPE text/html SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ