Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 24 May 2005 03:15:28 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: LANMAN and NT Hash ?s...basic

On Mon, May 23, 2005 at 03:49:05PM -0700, Whom Ever wrote:
> That sounds like a great idea!

You must be referring to this proposal of mine:

> > On Sun, May 15, 2005 at 02:47:31PM +0200, Simon Marechal wrote:
> > > I think so, the lmhash should be aad3b435b51404eeaad3b435b51404ee.
> > 
> > Oh, right now John does not load LM hashes with that value and reports
> > them as "NO PASSWORD" with "--show".  Perhaps I should enhance it to
> > also look at the NTLM hash field and only report the "NO PASSWORD" if
> > both LM and NTLM hashes correspond to an empty password.  If the LM
> > hash is that of an empty string, but the NTLM hash is not, report that
> > the password is longer than 14 characters instead.  This is something
> > to get back to after John 1.7.

Please do leave an adequate amount of context in your responses.
We're not alone on this mailing list, and there will also be people
browsing the archives.

> Is that "no password"
> output in 1.6.38 because I don't remember seeing that.

Oh, I was wrong about it.  That's what I get for not working on that
code for years.  There's a check for the "NO PASSWORD*********************"
string in place of the LM hash, but no check for the empty password
hash.  John is only checking the second half of the LM hash for the
value of AAD3B435B51404EE to deduce that the password is no more than
7 characters long.  When given the empty password hash (with both
halves of AAD3B435B51404EE), John does load the first half for
cracking, unless this hash is already found in john.pot, and cracks it
almost instantly.  Then "john --show" reports an empty string in place
of the password, just like it does for empty Unix passwords.

> Also, have you noticed some pwdump files show just a
> bunch of * for the LM and NT hash...I'm uncertain as
> to the meaning for that...any ideas?

No, I've only seen the "NO PASSWORD*********************" thing.  But
Windows is really not my territory.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.