Date: Sat, 11 Mar 2006 08:07:29 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: does john crack xp passwords correctly?

On Sat, Mar 11, 2006 at 04:46:04AM +0000, hadzijj qwerty wrote:
> In the meantime I found another thing that I'd like to ask about. You wrote
> about the letter "M" that john didn't check whether it's lower or upper-case.
> So when it finishes looking for the first 7 chars of my password, will their
> case be unknown as well?

Yes.  The case of characters is unimportant for determining whether a
given Windows password is weak or not.

However, if you're cracking those passwords for another purpose, you may
apply the unofficial NTLM hashes support patch to John, then have it
guess the proper case of characters in passwords it would have cracked
based on LM hashes.

JtR 1.7 includes the following hack in the default john.conf:

# Case toggler for cracking MD4-based NTLM hashes (with the contributed
# patch), given already cracked DES-based LM hashes.
# Rename this section to [List.Rules:Wordlist] to activate it.
[List.Rules:NT]
l
lMT[*0]T[*1]T[*2]T[*3]T[*4]T[*5]T[*6]T[*7]T[*8]T[*9]T[*A]T[*B]T[*C]T[*D]Q

So you need to rename the section as the comment says, then run:

john -show pwfile | cut -d: -f2- > cracked
john -w=cracked -rules -format=nt pwfile

The "-format=nt" requires an NTLM-patched build of John.

> >> I have a version 1.6.39 under debian unstable.
> >
> >The output above does not match that of version 1.6.39, so that's not
> >what you're using.
> 
> $ dpkg -l | grep john
> ii  john                       1.6-39                         active password cracking tool
> 
> It looks like my Debian would like to argue with you :)

No, everything is in agreement now.  You've been using version 1.6-39 of
the Debian package (which is Debian's 39th revision of the package of
John 1.6), not John version 1.6.39.  Those two are entirely different
versions.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
