Date: Sat, 8 Jul 2006 10:28:31 -0400
From: "Jason Briggaman" <brignasty@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: uppercase only from john --show

That worked great! Thank you!

On 7/7/06, Solar Designer <solar@...nwall.com> wrote:
> On Fri, Jul 07, 2006 at 08:15:49AM -0400, Jason Briggaman wrote:
> > I retrieved the passwords from my domain controller using pwdump 6. When I
> > issue "john --show passwordfile.txt", all of the passwords are in uppercase.
>
> This is as intended.
>
> > Is there a way that I can display them in their true case?
>
> It's not just a matter of "displaying" them in the right case.
>
> Windows NT/2000/XP/2003/... systems store two types of password hashes -
> DES-based LM (LanMan) hashes and MD4-based NTLM hashes. LM hashes
> process input passwords as case insensitive and are much quicker to
> crack (for several reasons). John the Ripper supports them out of the
> box. NTLM hashes process the original case-sensitive passwords and are
> slower to crack. John the Ripper does not currently support them
> officially, but there is a contributed patch to add that support, and
> there are unofficial builds of John the Ripper with the patch applied.
> Download links for these can be found on John the Ripper homepage.
>
> In PWDUMP output files, the third field on each line is the LM hash and
> the fourth one is the NTLM hash. In some cases, LM hashes may be
> unavailable - or LM hashes of empty strings (rather than of actual
> passwords) may be substituted in their place. In particular, the use
> of LM hashes may be disabled with a registry setting or simply by
> picking passwords (or passphrases) of 15 characters or more.
>
> Now, there can be three possible scenarios:
>
> 1. You're auditing your passwords for the purpose of detecting weak ones
> and LM hashes are available. In that case, you might not actually need
> to bother cracking NTLM hashes of the same passwords.
>
> 2. You only have NTLM hashes. In that case, you need a build of JtR
> with the contributed patch applied. You also need to pass the
> "--format=NT" option when you invoke JtR to crack your NTLM hashes and
> also when you invoke it to display the results (that is, you use
> "--format=NT" along with "--show").
>
> 3. You have hashes of both types, yet you want to have your cracked
> passwords displayed in their true case. In that case, you can either
> use the approach described above or you can be smarter (and likely get
> more passwords cracked). The instructions below apply to JtR 1.7.x:
>
> Start by cracking your LM hashes. At this point, you have your cracked
> passwords, less the case of characters.
>
> In john.conf (or john.ini if you're running on Windows), rename the old
> [List.Rules:Wordlist] section to [List.Rules:Disabled] to deactivate it.
> Rename the [List.Rules:NT] section to [List.Rules:Wordlist].
>
> Crack your NTLM hashes almost instantly by invoking a build of JtR with
> the contributed patch applied as:
>
>	john -show pwfile | cut -d: -f2 > cracked
>	john -w=cracked -rules -format=nt pwfile
>
> The "cut" command requires that you either do this on a Unix system or
> you have Cygwin installed on your Windows system.
>
> Don't forget to revert your wordlist rules back when you're done with
> this step.
>
> To display your final cracked passwords, use:
>
>	john -show -format=nt pwfile
>
> One known problem with this approach is that it'll fail for passwords
> containing colons.
>
> Yes, this is more complicated than it should be. I might integrate
> this functionality into JtR eventually.
>
> --
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
> http://www.openwall.com - bringing security into open computing environments
>
> Was I helpful? Please give your feedback here: http://rate.affero.net/solar
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
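
Added example, not part of the original messages: a small Python check that sorts the lines of a PWDUMP file into the cases described in the quoted reply (LM hash usable, NTLM only, empty password), which also shows which accounts still have an LM hash stored. It assumes the user:id:LM:NT::: layout from the reply and pwdump's "NO PASSWORD" placeholder; the function names and sample lines are constructed for illustration.

```python
# Added example: classify PWDUMP lines by which hash types are usable.
# Assumed layout (from the thread): user:id:LM hash:NTLM hash:::
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM hash of the empty string

def _is_hash(field):
    """True for 32 hex digits; placeholders such as
    'NO PASSWORD*********************' fail this check."""
    return len(field) == 32 and all(c in "0123456789abcdef" for c in field)

def classify(line):
    """Return (user, category) for one PWDUMP line, or None if malformed."""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4 or not parts[0]:
        return None
    user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
    has_nt = _is_hash(nt)
    # An LM hash of the empty string means no usable LM hash was stored.
    has_lm = _is_hash(lm) and lm != EMPTY_LM
    if nt == EMPTY_NT:
        return user, "empty-password"
    if has_lm and has_nt:
        return user, "lm+ntlm"    # scenarios 1 and 3: crack LM first
    if has_lm:
        return user, "lm-only"
    if has_nt:
        return user, "ntlm-only"  # scenario 2: needs --format=NT
    return user, "no-hash"

def audit(lines):
    """Group user names by category, skipping malformed lines."""
    report = {}
    for line in lines:
        result = classify(line)
        if result is not None:
            report.setdefault(result[1], []).append(result[0])
    return report

# Constructed sample input; the non-empty hashes are arbitrary hex digits.
SAMPLE = [
    "alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
    "bob:1002:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:::",
    "carol:1003:NO PASSWORD*********************:89ABCDEF0123456789ABCDEF01234567:::",
    "guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::",
    "not a pwdump line",
]

if __name__ == "__main__":
    for category, users in sorted(audit(SAMPLE).items()):
        print(category, ", ".join(users))
```

Accounts reported as "lm+ntlm" or "lm-only" still have a case-insensitive LM hash stored; "ntlm-only" accounts are the ones that need the patched build and "--format=NT".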