Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Fri, 18 Dec 2009 15:19:28 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: JTR and format NTLM

On Fri, Dec 18, 2009 at 06:52:19AM -0500, madfran wrote:
> From two different ways I always arrive at the same result.

What two different ways, specifically?

> Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:
> A82FF8E15A18E4E73399D231E9B32157F:::

This has LM hash of an empty string (which usually indicates that LM
hashes are disabled).  Then, instead of the NTLM hash, which would
normally be represented with 32 hex digits, you have some other string
of 33 hex digits.  My guess is that it has to do with your "two
different ways" - e.g., maybe you used some program that obfuscates
password hashes that it dumps, maybe for use with some specific tool or
online service.

I suggest that you try pwdump6:

http://xxx.foofus.net/~fizzgig/pwdump/
http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista#pwdump

Please don't forget to let the list know how you obtained this broken
NTLM hash, and what approach you ended up using instead.

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ