Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 29 Apr 2006 18:15:20 +0400
From: Solar Designer <>
Subject: Re:  I can't see the passwords - beginner's question - sorry

On Sat, Apr 29, 2006 at 11:24:23PM +1200, Allan Agnew wrote:
>   (By the way, I've changed the numbers slightly)
>   First I ran pwdump2 as follows:
>    C:\PROGRA~1\pwdump2>pwdump2
>   Administrator:500:aad3b435b52315aaeda4a567b51404ea:aee991ef578fc36c2612f28e41f43b64:::

I am guessing that before your "changing the numbers" this had
"aad3b435b51404eeaad3b435b51404ee" as the LM hash (the third field).
This corresponds to an empty password.  The same applies to the
remaining 9 lines.

> Loaded 10 password hashes with no different salts (NT LM DES [32/32 BS])
>                  (SUPPORT_388945a0)
>                  (Administrator)
> guesses: 10  time: 0:00:00:00 100% (2)  c/s: 1689K  trying: 12345 - MUSTANG

Here John has correctly cracked the empty passwords for the LM hashes.

>   C:\PROGRA~1\john171w\john1701\run>john-386 --show pwdlist.txt
> Administrator::500:aee991ef578fc36c2612f28e41f43b64:::
> 10 password hashes cracked, 0 left

And here it has correctly displayed the cracked empty passwords (that's
why there's nothing between the colons).

The real question is why your system is storing LM hashes of empty
strings rather than of your actual passwords.  I am aware of two
possible reasons: the real passwords might be longer than 14 characters
and/or you might have LM hash support disabled.  (I think this is
controlled by some registry setting, but I am not familiar with Windows.
Maybe someone else will explain this in greater detail.)

Either way, the NTLM hashes (found in the fourth field of the pwdump2
output) should be valid.  You should be able to crack those if you
download a "jumbo patched" build of John (please see the "contributed
resources" list on the John the Ripper homepage).  You would use the
"--format=nt" command-line option to force John to crack or display
passwords for the NTLM rather than the LM hashes.

Please note that NTLM hashes are not nearly as weak as LM ones are - so
you might get a smaller percentage of passwords cracked than is typical
for most Windows systems (those which have valid LM hashes as well).

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ