Date: Wed, 07 Mar 2007 12:03:42 +0100
From: Antares <antares@....ch>
To: john-users@...ts.openwall.com
Subject: Re: LM an NTLM combination

It all worked great so far! Thanks again.

For me it remains a small uncertainty in understanding the work of john (in the word list mode, with the altered rule set, as described in the reference which you mentioned):

Let's assume an empty john directory, with NTLM patch applied, conf file adjusted to NT word list rules, and a word list with the capitalized case insensitive passwords from a LM hash run.

I would (naively) expect that John would run one word by another (from word list) applying the (new) rule set, hence finding the right case for each password. That leads me to the assumption that John would find "all" possible combinations during the first run.

My first run found i.e. 1459 guesses (in 1 min, 10s)
Invoking the very same command again (using my bash history) found another 65 guesses (in 1 min, 11s)

How is that possible? Times are almost the same, by coincidence?

kind regards
antares

btw. i don't want to bother you ;) if you have no time for this, let me know, i'll post it then to the list...

Solar Designer wrote:
> On Sun, Mar 04, 2007 at 03:00:58PM +0100, Antares wrote:
>
>> My Question is, how can I make the best use of the already known LM
>> passwords. Do I need to make a wordlist out of the pot file on the
>> windows box and specify special rules in order to try only "case
>> combinations"?
>>
>
> Frank has already provided an answer (thanks!) but I wanted to post a
> more recent reference for JtR 1.7.x:
>
> http://www.openwall.com/lists/john-users/2006/07/08/2
>
>
>> Or would john take into account (or disregard completely) available LM
>> passwords in a pot file, if invoked with --format=NT ?
>>
>
> Unfortunately, John disregards the already cracked LM hashes when you
> invoke it to crack your NTLM hashes, unless you follow the procedure
> outlined in the posting referenced above.
>
>
>> Or is maybe my expectation wrong, that it is less time consuming to
>> first crack the LM hashes and then use this input to crack the NTLM
>> hashes, instead of starting directly on the NTLM hashes?
>>
>
> Your expectation is correct. This is the way to go when hashes of both
> types are available.
>