Date: Sun, 15 May 2005 04:07:03 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: LANMAN and NT Hash ?s...basic

On Fri, May 13, 2005 at 03:24:32PM -0700, Whom Ever wrote:
> I'm sorry for asking a noob question but I have a sam file that I ran
> GetHashes.exe (SamInside) on and I'm not sure how to get JtR to work on the
> NT hash (really XP hash) part.  It autodetects the LANMAN portion and goes to
> work, I tried the --format option but none of the other options loaded any
> passwords.  JtR can crack NT hashes, right?

As it has correctly been pointed out, you need to apply the
contributed patch to get support for the MD4-based NT hashes.
The official JtR supports only DES-based NTLM hashes.

> And XP uses NT hashes too?

Yes.

> Example from john.pot (not a working one...I modified some data):
> User:57Q7T4R23E@...07:14806rd271e60f5re2549d67eb6ef6b1:::
> 
> Now, the NT hash is after the 1007: right?

Yes, perhaps, however this does not look exactly like the pwdump-style
format that JtR expects:

Administrator:500:73CC402BD3E791756C3D3B817E02809D:C7E2622D76D3F001CF08B0753646BBCC:Built-in account for administering the computer/domain::

Notice that the two hashes (NTLM/DES and NT/MD4, respectively) are in
the third and fourth field.  While you also have what might be the NT
hash in the fourth field, you have the preceding two fields set in an
unusual way.

> It's my understanding with 2k and XP that if you use a password longer than 14
> characters nulls are entered in the LANMAN portion so in that case you have
> to use the NT hash portion, right?

I am not sure of that.  It could be more complicated than that
(registry settings involved, etc.)  I'd rather have someone more
knowledgeable in Windows comment on this.  Simon?

> Also, if JtR does do NT hash, wouldn't a module to get the LANMAN and then try
> the 2^n letter case combinations to run against the NT hash be fairly easy to
> add.  I'm probably way off base here or this already exists!

No, this is a perfectly reasonable question.

There're two reasons why JtR doesn't do this already:

1. It does not yet officially support NT hashes.

2. This does not fit in well within the generic framework of JtR.
It'd have to first crack NTLM hashes, then apply that knowledge to NT
hashes.  I might implement this at some point, but it'd be some added
complexity for the now-generic code specific to the NTLM+NT hash case.

Having that said, you can use the following procedure for now:

0. In params.h, increase RULE_RANGES_MAX from 8 to at least 14 and
re-compile.  (I probably need to change this default.)

1. Crack your NTLM hashes.

2. In john.conf, rename the old "[List.Rules:Wordlist]" section, e.g.
to "[List.Rules:Disabled]" (or comment it out).

3. Create this section anew:

[List.Rules:Wordlist]
:
lMT[*0]T[*1]T[*2]T[*3]T[*4]T[*5]T[*6]T[*7]T[*8]T[*9]T[*A]T[*B]T[*C]T[*D]Q

4. Crack your NT hashes with these invocations of John:

john -show pwfile | cut -d: -f2 > ntlm.lst
john -w=ntlm.lst -rules pwfile

Don't forget to revert your wordlist rules back when you're done with
this step (or just do it in another directory, where you'd keep this
edited john.conf).

This is untested, but it should work. ;-)

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
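
An added example, not part of the original message and not JtR code: a Python check of the pwdump-style layout described above (hashes in the third and fourth fields) that also reports which accounts still have a DES-based (LANMAN) hash stored, which is the condition the two-stage procedure relies on. The function names, the two constructed sample lines and the empty-password hash constants are supplied here, not taken from the message.

```python
import re

# LM and NT hashes of the empty password. An LM field equal to EMPTY_LM
# means no usable LM hash is stored for that account.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def check_line(line):
    """Validate one pwdump-style line; return (record, problems)."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4:
        return None, ["only %d colon-separated field(s), need at least 4" % len(fields)]
    user, rid, lm, nt = fields[:4]
    problems = []
    if not user:
        problems.append("field 1 (user name) is empty")
    if not re.fullmatch(r"[0-9]+", rid):
        problems.append("field 2 (numeric ID) is not a number: %r" % rid)
    for pos, value in ((3, lm), (4, nt)):
        if not HEX32.fullmatch(value):
            problems.append("field %d is not a 32-hex-digit hash: %r" % (pos, value))
    if problems:
        return None, problems
    return {"user": user, "rid": int(rid),
            "lm_stored": lm.upper() != EMPTY_LM,
            "nt_empty": nt.upper() == EMPTY_NT}, []

def audit(lines):
    """Sort lines into accounts with a stored LM hash, accounts without, and rejects."""
    report = {"lm_stored": [], "nt_only": [], "rejected": []}
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        record, problems = check_line(line)
        if record is None:
            report["rejected"].append((number, problems))
        else:
            report["lm_stored" if record["lm_stored"] else "nt_only"].append(record["user"])
    return report

SAMPLE = [
    # The example line from the message above.
    "Administrator:500:73CC402BD3E791756C3D3B817E02809D:C7E2622D76D3F001CF08B0753646BBCC:Built-in account for administering the computer/domain::",
    # Constructed: LM field holds the empty-password hash, so only the NT hash is usable.
    "alice:1001:AAD3B435B51404EEAAD3B435B51404EE:C7E2622D76D3F001CF08B0753646BBCC:::",
    # Constructed: hash-like text with non-hex characters in field 3, fields 2 and 4 wrong.
    "User:unknown:14806rd271e60f5re2549d67eb6ef6b1:::",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Accounts listed under lm_stored are the ones whose passwords the case-insensitive DES-based hash exposes; the rejected entries carry the line number and the reason each field failed.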
