Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 18 Aug 2007 18:50:13 -0800
From: bdk <bdk@...rdmason.com>
To:  john-users@...ts.openwall.com
Subject: 4 hashes per user, which ones to use?

I've read most of the posts in 2007 and can't find one that addresses my
question.

I've booted my server (normally running win2k3) with EBCD and have used
the EBCD to discover the hash values for 3 users. During this process it
gave me a 'Crypted NT Password', 'Crypted LM Password', 'MD4 Hash' and a
'LANMAN Hash'. In trying to understand which does what and what JTR is
capable of cracking right now I've come to some level of confusion.

Is the 'Crypted LM Password' referred to as LANMAN also? (LM == LanMan?)

The 3 users that I gained the 4 hashes for each, all of the 'Crypted NT
PW' and 'Crypted LM PW' start with "01 00 01 00".  Are the 'Crypted'
entries the challenge portion?

I've reconstructed what EBCD gave me for both the Crypted NT & LM hashes
for each user using
http://www.openwall.com/lists/john-users/2005/09/01/9 as a guide:

[User]:[Crypted NT PW]:[Crypted LM PW]

Administrator:01000100377add...:010001001e295f...:::
User1:01 0001008ec826...:01000100f9f8be...:::
User2:01 000100f9daf1...:0100010022941a...:::

I've compiled john 1.7.0.2 using linux-x86-mmx and ran "john --test":
<..snip..>
Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw:    7148K c/s real, 7162K c/s virtual

Does this mean that this version of JTR has NT/LM support and I don't
need the "Windows NT/2000/XP/2003 NTLM (MD4) hash support for 1.7.2+, by
Alain Espinosa"?

I then started JTR:

me@... ./john hash_list
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
<Any key>
guesses: 0  time: 0:09:10:05 (3)  c/s: 40015K  trying: E#MDFHV - E#MDWA%

I did try the example referenced on
http://www.openwall.com/lists/john-users/2005/09/01/9 and my install of
JTR found the password instantly. So I know that my install of JTR does
find windows passwords, but to what extent and which kind I'm not clear
about.

Ultimately I'm in need to know if I'm using the right pair of hashes.
Should I be using the MD4 & LANMAN hashes instead? Do I need to patch
1.7.0.2 with the NTLM (MD4) hash support patch? I imagine yes if I
should be using the MD4 & LANMA hash, but I don't know if those are the
ones I should be using.

If someone can lead me to the correct syntax of the 4 hashes I have, I
would greatly appreciate it. I'm not necessarily looking for spelled out
answers, but if someone can point me to the right manual I can RTFM. :)

Thanks.

-bdk

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ