Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 8 Jul 2006 10:28:31 -0400
From: "Jason Briggaman" <brignasty@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: uppercase only from john --show

That worked great! Thank you!

On 7/7/06, Solar Designer <solar@...nwall.com> wrote:
> On Fri, Jul 07, 2006 at 08:15:49AM -0400, Jason Briggaman wrote:
> > I retrieved the passwords from my domain controller using pwdump 6. When I
> > issue "john --show passwordfile.txt", all of the passwords are in
> uppercase.
>
> This is as intended.
>
> > Is there a way that I can display them in their true case?
>
> It's not just a matter of "displaying" them in the right case.
>
> Windows NT/2000/XP/2003/... systems store two types of password hashes -
> DES-based LM (LanMan) hashes and MD4-based NTLM hashes.  LM hashes
> process input passwords as case insensitive and are much quicker to
> crack (for several reasons).  John the Ripper supports them out of the
> box.  NTLM hashes process the original case-sensitive passwords and are
> slower to crack.  John the Ripper does not currently support them
> officially, but there is a contributed patch to add that support, and
> there are unofficial builds of John the Ripper with the patch applied.
> Download links for these can be found on John the Ripper homepage.
>
> In PWDUMP output files, the third field on each line is the LM hash and
> the fourth one is the NTLM hash.  In some cases, LM hashes may be
> unavailable - or LM hashes of empty strings (rather than of actual
> passwords) may be substituted in their place.  In particular, the use
> of LM hashes may be disabled with a registry setting or simply by
> picking passwords (or passphrases) of 15 characters or more.
>
> Now, there can be three possible scenarios:
>
> 1. You're auditing your passwords for the purpose of detecting weak ones
> and LM hashes are available.  In that case, you might not actually need
> to bother cracking NTLM hashes of the same passwords.
>
> 2. You only have NTLM hashes.  In that case, you need a build of JtR
> with the contributed patch applied.  You also need to pass the
> "--format=NT" option when you invoke JtR to crack your NTLM hashes and
> also when you invoke it to display the results (that is, you use
> "--format=NT" along with "--show").
>
> 3. You have hashes of both types, yet you want to have your cracked
> passwords displayed in their true case.  In that case, you can either
> use the approach described above or you can be smarter (and likely get
> more passwords cracked).  The instructions below apply to JtR 1.7.x:
>
> Start by cracking your LM hashes.  At this point, you have your cracked
> passwords, less the case of characters.
>
> In john.conf (or john.ini if you're running on Windows), rename the old
> [List.Rules:Wordlist] section to [List.Rules:Disabled] to deactivate it.
> Rename the [List.Rules:NT] section to [List.Rules:Wordlist].
>
> Crack your NTLM hashes almost instantly by invoking a build of JtR with
> the contributed patch applied as:
>
> 	john -show pwfile | cut -d: -f2 > cracked
> 	john -w=cracked -rules -format=nt pwfile
>
> The "cut" command requires that you either do this on a Unix system or
> you have Cygwin installed on your Windows system.
>
> Don't forget to revert your wordlist rules back when you're done with
> this step.
>
> To display your final cracked passwords, use:
>
> 	john -show -format=nt pwfile
>
> One known problem with this approach is that it'll fail for passwords
> containing colons.
>
> Yes, this is more complicated than it should be.  I might integrate
> this functionality into JtR eventually.
>
> --
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
> http://www.openwall.com - bringing security into open computing environments
>
> Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ