Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 8 Jul 2006 06:57:21 +0400
From: Solar Designer <>
Subject: Re: uppercase only from john --show

On Fri, Jul 07, 2006 at 08:15:49AM -0400, Jason Briggaman wrote:
> I retrieved the passwords from my domain controller using pwdump 6. When I
> issue "john --show passwordfile.txt", all of the passwords are in uppercase.

This is as intended.

> Is there a way that I can display them in their true case?

It's not just a matter of "displaying" them in the right case.

Windows NT/2000/XP/2003/... systems store two types of password hashes -
DES-based LM (LanMan) hashes and MD4-based NTLM hashes.  LM hashes
process input passwords as case insensitive and are much quicker to
crack (for several reasons).  John the Ripper supports them out of the
box.  NTLM hashes process the original case-sensitive passwords and are
slower to crack.  John the Ripper does not currently support them
officially, but there is a contributed patch to add that support, and
there are unofficial builds of John the Ripper with the patch applied.
Download links for these can be found on John the Ripper homepage.

In PWDUMP output files, the third field on each line is the LM hash and
the fourth one is the NTLM hash.  In some cases, LM hashes may be
unavailable - or LM hashes of empty strings (rather than of actual
passwords) may be substituted in their place.  In particular, the use
of LM hashes may be disabled with a registry setting or simply by
picking passwords (or passphrases) of 15 characters or more.

Now, there can be three possible scenarios:

1. You're auditing your passwords for the purpose of detecting weak ones
and LM hashes are available.  In that case, you might not actually need
to bother cracking NTLM hashes of the same passwords.

2. You only have NTLM hashes.  In that case, you need a build of JtR
with the contributed patch applied.  You also need to pass the
"--format=NT" option when you invoke JtR to crack your NTLM hashes and
also when you invoke it to display the results (that is, you use
"--format=NT" along with "--show").

3. You have hashes of both types, yet you want to have your cracked
passwords displayed in their true case.  In that case, you can either
use the approach described above or you can be smarter (and likely get
more passwords cracked).  The instructions below apply to JtR 1.7.x:

Start by cracking your LM hashes.  At this point, you have your cracked
passwords, less the case of characters.

In john.conf (or john.ini if you're running on Windows), rename the old
[List.Rules:Wordlist] section to [List.Rules:Disabled] to deactivate it.
Rename the [List.Rules:NT] section to [List.Rules:Wordlist].

Crack your NTLM hashes almost instantly by invoking a build of JtR with
the contributed patch applied as:

	john -show pwfile | cut -d: -f2 > cracked
	john -w=cracked -rules -format=nt pwfile

The "cut" command requires that you either do this on a Unix system or
you have Cygwin installed on your Windows system.

Don't forget to revert your wordlist rules back when you're done with
this step.

To display your final cracked passwords, use:

	john -show -format=nt pwfile

One known problem with this approach is that it'll fail for passwords
containing colons.

Yes, this is more complicated than it should be.  I might integrate
this functionality into JtR eventually.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ