Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 31 May 2007 14:25:05 -0500
From: jmk <>
Subject: Re: LM/NTLMv1 challenge/response cracking

On Sun, 2007-05-27 at 14:19 +0400, Solar Designer wrote:

Thanks for the feedback!

I've made the following changes:

* Removed "-lssl" from Makefile
* Replaced md4.c/h files with updated versions. However, I carried over
the mdfour() function from the previous version.
* Removed copyright and placed formats in the public domain
* Changed FORMAT_NAMEs to your suggestions.

Updated patch against clean

Updated patch against 1.7.2 w/ john-1.7.2-all-3.diff:

In case anyone is interested, the following are some general notes
regarding my use of this patch...

* Capture the LM/NTLM challenge/response exchange. I've posted[1] a
modification to Samba to assist with this effort.

* Use RainbowCrack to lookup first 7 characters of the password using
the LM response hash (half LM response tables).

* Use JtR to crack the remaining characters. I've found the following
type of john.conf file to be useful. For example, if the password found
via RainbowCrack was "TEST!@... I'd create the following config: 

File = /usr/share/john/lanman.chr
MinLen = 1
MaxLen = 7
CharCount = 69

void filter()
	word[13] = word[6];
	word[12] = word[5];
	word[11] = word[4];
	word[10] = word[3];
	word[9] = word[2];
	word[8] = word[1];
	word[7] = word[0];
	word[6] = "#";
	word[5] = "@";
	word[4] = "!";
	word[3] = "T";
	word[2] = "S";
	word[1] = "E";
	word[0] = "T";

* Determine the correct character case using the NTLM response and a
custom john.conf word list, such as:

Some random thoughts... I've written a simple Perl script to automate
this task. I've also hacked a command-line parameter option into JtR to
accept john.conf files other than the system-wide default, which this
script utilizes. I don't know if it's in the future plans, but having
easily accessible functionality built into JtR (case toggle, setting a
seed password, custom configuration files specified on the command-line,
etc) might be useful. Just a thought...



To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ