Date: Wed, 3 May 2006 08:21:07 +0200
From: "thomas springer" <thomas.springer@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: JtR & NTLMv2 passwords

one should notice here that ms (and lazy admins?) are usually doing a bad
job and fail to disable the fallback from NTLMv2 to the old NTLM (can be
done with a registry-setting).

If you use an "active attack" (i usually prefer an EMail with an embedded
<img src=file:///mypc/webbug.gif>) with something like smbrelay.exe
listening on my machine, you will succeed in sniffing "crackable"
NTLM-Hashes from the wire almost everywhere.

tom

On 5/2/06, rembrandt@...erlin.de <rembrandt@...erlin.de> wrote:
>
>
> > On Tue, May 02, 2006 at 02:18:13PM +0200, Guillaume Arcas wrote:
> >> I'm a bit confused about the ability of JtR to crack Windows passwords
> >> that use
> >> NTLMv2 format.
> >
> > This question itself is confusing.
> >
> > My (limited) understanding is that NTLMv2 is a revision of the NTLM
> > authentication protocol as described, for example, here:
> >
> >       http://davenport.sourceforge.net/ntlm.html
> >
> > However, even when NTLMv2 is in use, the underlying password hashes
> > that are stored on Windows systems are plain NTLM, not NTLMv2 (there's
> > no such thing as an NTLMv2 password hash; instead, there are NTLMv2
> > challenge responses).
> >
> > JtR supports LM and NTLM hashes (the latter with the contributed patch)
> > that are stored on Windows systems.
> >
> > JtR does not support sniffed NTLM protocol challenge/response pairs.
>
> That is correct but there are sniffers.
> Attackers could DoS a special port at e.g. a Domain Controller to make it
> (and all clients) fall back to NTLMv1 but since 2000 NTLMv2 is the default
> (if you don't force them to fall back :)).
>
> With NTLMv2 they simply corrected a mistake which leads to an easy to
> build up Codebook (aka "Rainbowbook") (~80GB) for NTLMv1.
>
> Supporting NTLMv2 would be neat indeed because Bruteforce is the only way
> to crack this stuff (as far as I know).
>
>
> Rembrandt
>
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>


--
thomas.springer@...il.com
[nach mir der synflood.]
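To make the point in the quoted reply concrete (Windows stores the plain NT hash; NTLMv2 is only a keyed challenge/response computed on top of it), here is an added Python example, not code from this thread or from JtR, that derives an NTLMv2 response from an NT hash as the davenport document describes and verifies it the way a domain controller would. The MD4 is implemented inline because OpenSSL 3 ships MD4 only in its legacy provider; account, challenge and nonce values used with it are constructed.

```python
import hmac
import struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; OpenSSL 3 only ships MD4 in its 'legacy' provider."""
    m = 0xFFFFFFFF
    rotl = lambda x, n: (((x & m) << n) | ((x & m) >> (32 - n))) & m
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x, (aa, bb, cc, dd) = struct.unpack("<16I", msg[off:off + 64]), (a, b, c, d)
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl(a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & m, (b + bb) & m, (c + cc) & m, (d + dd) & m
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """What Windows stores for the account: plain NTLM, i.e. MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_hash(nt: bytes, user: str, target: str) -> bytes:
    """Per-target key: HMAC-MD5 keyed by the NT hash over UPPER(user) + target, both UTF-16LE."""
    return hmac.new(nt, (user.upper() + target).encode("utf-16-le"), "md5").digest()

def make_blob(filetime: int, client_nonce: bytes, target_info: bytes) -> bytes:
    """Client 'blob': signature 0x01010000, 4 reserved bytes, FILETIME, 8-byte nonce, 4 zero bytes, target info, 4 zero bytes."""
    return b"\x01\x01\x00\x00" + bytes(4) + struct.pack("<Q", filetime) + client_nonce + bytes(4) + target_info + bytes(4)

def ntlmv2_response(nt: bytes, user: str, target: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr || blob. Only the NT hash feeds in, so a response is never reversed, only compared against candidate hashes."""
    proof = hmac.new(ntlmv2_hash(nt, user, target), server_challenge + blob, "md5").digest()
    return proof + blob

def server_verify(nt: bytes, user: str, target: str, server_challenge: bytes, response: bytes) -> bool:
    """What the DC does: recompute NTProofStr from the stored NT hash and the blob echoed back by the client."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_hash(nt, user, target), server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)
```

Note that the username is upper-cased before keying while the target name is case-sensitive, so a response produced for "DOMAIN" fails verification against "domain".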
