Date: Wed, 07 Mar 2007 12:03:42 +0100
From: Antares <antares@....ch>
To: john-users@...ts.openwall.com
Subject: Re: LM an NTLM combination

It all worked great so far! Thanks again.
For me a small uncertainty remains in understanding how John works
(in wordlist mode, with the altered rule set, as described in the
reference you mentioned):
Let's assume an empty john directory, with the NTLM patch applied, the config file
adjusted to the NT wordlist rules, and a wordlist with the capitalized,
case-insensitive passwords from an LM hash run.
I would (naively) expect that John would run one word after another (from the
wordlist), applying the (new) rule set, hence finding the right case
for each password.
That leads me to the assumption that John would find "all" possible
combinations during the first run.

My first run found e.g. 1459 guesses (in 1 min 10 s).
Invoking the very same command again (using bash history) found
another 65 guesses (in 1 min 11 s).

How is that possible? The times are almost the same; by coincidence?

kind regards
antares


BTW, I don't want to bother you ;) if you have no time for this, let me
know and I'll post it to the list then...


Solar Designer wrote:
> On Sun, Mar 04, 2007 at 03:00:58PM +0100, Antares wrote:
>   
>> My Question is, how can I make the best use of the already known LM
>> passwords. Do I need to make a wordlist out of the pot file on the
>> windows box and specify special rules in order to try only "case
>> combinations"?
>>     
>
> Frank has already provided an answer (thanks!) but I wanted to post a
> more recent reference for JtR 1.7.x:
>
> 	http://www.openwall.com/lists/john-users/2006/07/08/2
>
>   
>> Or would john take into account (or disregard completely) available LM
>> passwords in a pot file, if invoked with --format=NT ?
>>     
>
> Unfortunately, John disregards the already cracked LM hashes when you
> invoke it to crack your NTLM hashes, unless you follow the procedure
> outlined in the posting referenced above.
>
>   
>> Or is maybe my expectation wrong, that it is less time consuming to
>> first crack the LM hashes and then use this input to crack the NTLM
>> hashes, instead of starting directly on the NTLM hashes?
>>     
>
> Your expectation is correct.  This is the way to go when hashes of both
> types are available.
>
>   

