Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 8 Jun 2006 23:02:40 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM Character Limitation

On Wed, Jun 07, 2006 at 07:17:20AM -0700, Welty, Timothy wrote:
> I'm trying to crack a set of NTLM password hashes using John 1.7.2
> patched with john-ntlm-v03.diff.gz.  All the passwords are known to be
> 14 characters long and are composed of a known character set.

What is your reason for cracking the NTLM hashes instead of much weaker
LM hashes?  Are LM hashes of the same passwords not available?

What is that known character set, precisely - or at least how many
different characters are there?

> I defined a custom incremental mode in my john.conf per below:
> 
> [Incremental:TIM]
> File = $JOHN/all.chr
> MinLen = 14
> MaxLen = 14
> CharCount = 95
[...]
> MaxLen = 14 exceeds the compile-time limit of 8
[...]
> I understand cracking the longer passwords will be difficult, but I need
> to say I tried.  Is there a way around this problem?

Well, you can do several things:

1. Crack LM hashes of the same passwords instead of the NTLM hashes.
Then you do not need to go beyond MaxLen = 7.

2. Use cracking modes other than "incremental".  If some of your
passwords are based on dictionary words with little other information,
you will get them cracked.

Obviously, you'll run "single crack" mode and password.lst with rules
first - John does that by default (with no options given).  Then you can
proceed with a larger wordlist and possibly with a larger ruleset.

Since NTLM hashes are saltless and are quite quick to compute, you may
use a huge wordlist and a lot of wordlist rules.

You can also use the [List.External:Keyboard] mode.  You'd set
minlength and maxlength to 14 (your known length) within this mode's
init() function.

If your known character set is small enough (e.g., digits only), you can
define an external mode that will search the password space exhaustively.
You can modify the existing [List.External:LanMan] sample for that.

3. Modify the compile-time CHARSET_* settings in params.h, rebuild John,
generate a new .chr file, and use "incremental mode".  Please refer to
this older posting for how to do that and for some reasons to not do it:

	http://article.gmane.org/gmane.comp.security.openwall.john.user/11

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
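As an added example (not part of Solar Designer's reply above, and not a sample shipped with John), here is one way to write the exhaustive external mode he points to in item 2: a [List.External:...] section for john.conf that walks every 14-character string over a small, known character set, digits only in this case, in the C-like language John's external modes are written in. The section name Digits14 and the variables length, charset, charcount and counter are my own choices; word[] is the global that the external-mode interface exposes, and generate() is expected to leave the next candidate in it, setting word[0] to 0 when the space is exhausted. Even for digits this is 10^14 candidates, which is the point of the "small enough" qualifier in the reply.

```conf
# Added example: exhaustive search over a fixed length and a small, known
# character set, written as a John external mode. Section and variable
# names are my own; word[] is the global John provides to external modes.
[List.External:Digits14]
int length;		// Fixed password length
int charset[0x100];	// The known character set
int charcount;		// Number of characters in charset[]
int counter[0x100];	// Index into charset[] for each position

void init()
{
	int i;

	length = 14;		// All passwords are known to be 14 long

/* The known character set: edit this loop for a different set */
	charcount = 0;
	i = '0';
	while (i <= '9')
		charset[charcount++] = i++;

/* Start every position at the first character of the set */
	i = 0;
	while (i < length) {
		counter[i] = 0;
		word[i] = charset[0];
		i++;
	}
	word[length] = 0;	// NUL-terminate the candidate

	counter[0] = -1;	// So the first generate() yields all-charset[0]
}

void generate()
{
	int i;

/* Advance position 0 like an odometer; carry into the next position on wrap */
	i = 0;
	while (i < length) {
		if (++counter[i] < charcount) {
			word[i] = charset[counter[i]];
			return;
		}
		counter[i] = 0;
		word[i] = charset[0];
		i++;
	}

	word[0] = 0;		// Every combination was tried: end the mode
}
```

Append the section to the john.conf of your patched build and run john --external=Digits14 together with the --format= option that the NTLM patch documents for its hash type (the exact format name is the patch's, not something this example fixes), followed by your hash file. To adapt it to another known set, change the loop in init() that fills charset[] and, if needed, the value of length; the odometer in generate() does not depend on either.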
