Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 14 May 2015 10:39:24 -0500
From: Mathieu Laprise <mathlaprise@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Johnny: 1.5.2 Hash type suggestion/guessing, using
 --show=types (was: displaying full meta information about hashes with --show=types)

Aleksey said:

> The patch was pulled into bleeding-jumbo branch (default). So pull the
> new version and try to run it against some files. You'll see the
> output, the format is described above. Skeleton of parser in Perl is
> in attach.
>
I played with the latest bleeding-jumbo branch and show=types and now I
understand the output and the format you described. Thanks. Is it our goal
to call the perl script in Johnny or is it just to help me write a C++
function ?

Files in PWDUMP format need special handling: per line list show only
> lm and nt, lm for 3rd field and nt for 4th field. IIRC Johnny shows lm
> and nt on separate lines. When you read the file with hashes, you may
> need to remember if line is in PWDUMP format. I am sure you'll find a
> way to connect everything correctly.
>
I didn't work yet with that kind of file. I've only used /etc/shadow files
in john yet. I've made some research on Google about LM ,NT password hashes
and pwdumping of SAM to understand what you are talking about. I found this
sample that I send to john --show=types
Input:
Administrator:500:207277225E983B147AC464727886BD82:90BBDB25BC6556610DAA4F03900FBE9
The website where I found it said it has LM and NT(not sure if it's true,
the Windows things is really new to me and I seriously lack files to test
for now :( ).
Output :
Administrator:207277225E983B147AC464727886BD82:500:::::LM:0:0:1:$LM$207277225e983b14:$LM$7ac464727886bd82:0:
Output parser:
valid format LM (disabled 0, dynamic 0)
orig: 207277225E983B147AC464727886BD82
2 parts:
  $LM$207277225e983b14
  $LM$7ac464727886bd82

Is this normal that the 4th field 90BBDB25BC6556610DAA4F03900FBE9 seems to
be ignored ? I thought it was supposed to be the NT one?

Are the field "2 parts:" from last example's parser important for Johnny or
is it only the orig: XXXXXXXXx thing that is important ?

BTW did you try some non-trivial cracking with john and with Johnny?
>
I don't have a lot of password samples, I found this
http://openwall.info/wiki/john/sample-hashes and a few other examples on
internet but If you have interesting samples that you use, please share it.
Also, I didn't play a lot with modes wordlist, rules, charset, single crack
etc.. I played with them but it's not clear to me yet which options I'd
choose in a real attack. Most of the time I use default mode.

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.