Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 29 Apr 2006 18:15:20 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re:  I can't see the passwords - beginner's question - sorry

On Sat, Apr 29, 2006 at 11:24:23PM +1200, Allan Agnew wrote:
>   (By the way, I've changed the numbers slightly)
>   First I ran pwdump2 as follows:
>    C:\PROGRA~1\pwdump2>pwdump2
>   Administrator:500:aad3b435b52315aaeda4a567b51404ea:aee991ef578fc36c2612f28e41f43b64:::

I am guessing that before your "changing the numbers" this had
"aad3b435b51404eeaad3b435b51404ee" as the LM hash (the third field).
This corresponds to an empty password.  The same applies to the
remaining 9 lines.

> Loaded 10 password hashes with no different salts (NT LM DES [32/32 BS])
>                  (SUPPORT_388945a0)
[...]
>                  (Administrator)
> guesses: 10  time: 0:00:00:00 100% (2)  c/s: 1689K  trying: 12345 - MUSTANG

Here John has correctly cracked the empty passwords for the LM hashes.

>   C:\PROGRA~1\john171w\john1701\run>john-386 --show pwdlist.txt
> Administrator::500:aee991ef578fc36c2612f28e41f43b64:::
[...]
> 10 password hashes cracked, 0 left

And here it has correctly displayed the cracked empty passwords (that's
why there's nothing between the colons).

The real question is why your system is storing LM hashes of empty
strings rather than of your actual passwords.  I am aware of two
possible reasons: the real passwords might be longer than 14 characters
and/or you might have LM hash support disabled.  (I think this is
controlled by some registry setting, but I am not familiar with Windows.
Maybe someone else will explain this in greater detail.)

Either way, the NTLM hashes (found in the fourth field of the pwdump2
output) should be valid.  You should be able to crack those if you
download a "jumbo patched" build of John (please see the "contributed
resources" list on the John the Ripper homepage).  You would use the
"--format=nt" command-line option to force John to crack or display
passwords for the NTLM rather than the LM hashes.

Please note that NTLM hashes are not nearly as weak as LM ones are - so
you might get a smaller percentage of passwords cracked than is typical
for most Windows systems (those which have valid LM hashes as well).

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.