Date: Tue, 12 May 2009 10:25:17 -0500
From: jmk <jmk@...fus.net>
To: john-users@...ts.openwall.com
Subject: Re: Cracking Metasploit SMB stuff...
On Fri, 2009-04-24 at 15:44 -0300, nahuel.grisolia@...il.com wrote:
> Hey list, i'm trying to crack this:
>
> Captured 192.168.2.138:1597 DOMAIN\user
> LMHASH:8885a28be8a72ca650bd65069ca4a3f4a5de1c918778d28f
> NTHASH:3a948718e031f88063d9925152ab2b5e010100000000000005f1c89ff1c4c901a5de1c918778d28f00000000020000000000000000000000
> OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002
> 5.1
>
> i dont know which format should i use this time... i've already read all the
> _fmt.c but with no luck... any ideas? i know the cleartext password, if it
> can help tell me... thanx a lot.

Nahuel,

I'm a bit rusty on this, but here goes...

What you have there should be an LMv2 and an NTLMv2 challenge/response.
The John "NETLMv2" format can perform a brute-force crack against the
LMv2 set. The first 16 bytes of your "LMHASH" value should be the client
response and the next 8 are its challenge. You will also need the server
challenge issued by Metasploit, which I'm assuming was 1122334455667788.

The format of the file should then be as follows:

USERNAME::DOMAIN:SERVER CHALLENGE:LMv2 RESPONSE:CLIENT CHALLENGE

Using your data, you have:

user::DOMAIN:1122334455667788:8885a28be8a72ca650bd65069ca4a3f4:a5de1c918778d28f

Joe
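
The conversion described in the reply above, as an added Python example that is not part of the original message or of John the Ripper. The function name `to_netlmv2` is hypothetical, the default server challenge is the value the reply assumes Metasploit used, and the cross-check relies on the standard NTLMv2 blob layout, where the client challenge follows the 8-byte header and 8-byte timestamp.

```python
import re

# Constructed sample: the capture text quoted in the thread above.
SAMPLE = r"""Captured 192.168.2.138:1597 DOMAIN\user
LMHASH:8885a28be8a72ca650bd65069ca4a3f4a5de1c918778d28f
NTHASH:3a948718e031f88063d9925152ab2b5e010100000000000005f1c89ff1c4c901a5de1c918778d28f00000000020000000000000000000000
"""


def to_netlmv2(capture, server_challenge="1122334455667788"):
    """Build a NETLMv2 input line from a Metasploit SMB capture record.

    server_challenge is an assumption: it must be the 8-byte challenge the
    capturing server actually sent, as 16 hex digits.
    """
    who = re.search(r"Captured \S+ ([^\\\s]+)\\(\S+)", capture)
    lm = re.search(r"LMHASH:([0-9a-fA-F]+)", capture)
    nt = re.search(r"NTHASH:([0-9a-fA-F]+)", capture)
    if not (who and lm):
        raise ValueError("capture lacks DOMAIN\\user or LMHASH field")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", server_challenge):
        raise ValueError("server challenge must be 8 bytes of hex")

    domain, user = who.groups()
    lm_hex = lm.group(1).lower()
    # LMv2 field = 16-byte HMAC-MD5 response + 8-byte client challenge.
    if len(lm_hex) != 48:
        raise ValueError("LMHASH is not 24 bytes, so it is not an LMv2 response")
    response, client_challenge = lm_hex[:32], lm_hex[32:]

    # Cross-check against the NTLMv2 field: 16-byte response, then a blob of
    # header (8 bytes, starts 0x01 0x01), timestamp (8), client challenge (8).
    if nt:
        blob = nt.group(1).lower()[32:]
        if blob.startswith("0101") and len(blob) >= 48:
            if blob[32:48] != client_challenge:
                raise ValueError("client challenge differs between LMv2 and NTLMv2 fields")

    return f"{user}::{domain}:{server_challenge.lower()}:{response}:{client_challenge}"


if __name__ == "__main__":
    print(to_netlmv2(SAMPLE))
```

A 24-byte "NTHASH" field without the `0101` blob would indicate an NTLMv1-style response rather than NTLMv2, in which case the NETLMv2 layout does not apply to that record.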