Date: Fri, 12 Feb 2010 10:17:02 -0600
From: jmk <jmk@...fus.net>
To: john-users@...ts.openwall.com
Subject: NTLMv2 Challenge/Response Cracking
Hi,

I've posted a patch against John 1.7.3.4 (w/ Jumbo 2 applied) for NTLMv2
challenge/response cracking:

http://www.foofus.net/jmk/smbchallenge.html
http://www.foofus.net/jmk/tools/jtr/john-1.7.3.4-jumbo-2-netntlmv2.diff

The NTLMv2 challenge/response communication occurs during network-based
user authentication. This exchange can be extracted from network
captures or by directing a user/system to authenticate to a service
which logs it (the above link also contains a patch against Samba to
dump these exchanges).

The Jumbo-2 patch currently contains support for LMv1, NTLMv1, and LMv2
challenge/response. I originally assumed that an LMv2 response would
always be sent along with an NTLMv2 exchange, so I never bothered with
NTLMv2. However, I've now found that Windows 7 likes to zero out the
LMv2 fields, so NTLMv2 is necessary.

Please let me know if there are any issues with the patch.

Thanks,
Joe
--
jmk <jmk@...fus.net>
Foofus Networks
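
Added example, not part of the original post or of the patch it announces: a Python sketch that reads the LM and NT response fields of an NTLMSSP AUTHENTICATE message and reports whether the LM field is zeroed, the Windows 7 behaviour described above. The field offsets follow the MS-NLMP AUTHENTICATE_MESSAGE layout; the function names and the sample messages are constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"

def _field(msg, pos):
    """Return the payload named by a (Len, MaxLen, BufferOffset) descriptor."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Return (lm_kind, nt_kind) for an NTLMSSP AUTHENTICATE (type 3) message."""
    if len(msg) < 28 or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm = _field(msg, 12)   # LmChallengeResponseFields
    nt = _field(msg, 20)   # NtChallengeResponseFields
    if not lm:
        lm_kind = "absent"
    elif lm == bytes(len(lm)):
        lm_kind = "zeroed"
    else:
        lm_kind = "present"
    # An NTLMv1 response is exactly 24 bytes; an NTLMv2 response is a
    # 16-byte proof followed by a variable-length blob, so it is longer.
    if not nt:
        nt_kind = "absent"
    elif len(nt) == 24:
        nt_kind = "NTLMv1"
    elif len(nt) > 24:
        nt_kind = "NTLMv2"
    else:
        nt_kind = "unknown"
    return lm_kind, nt_kind

def build_sample(lm, nt):
    """Build a constructed type 3 message carrying only LM and NT payloads."""
    sizes = [len(lm), len(nt), 0, 0, 0, 0]  # LM, NT, domain, user, host, key
    msg, offset = SIGNATURE + struct.pack("<I", 3), 64
    for size in sizes:
        msg += struct.pack("<HHI", size, size, offset)
        offset += size
    return msg + struct.pack("<I", 0) + lm + nt  # NegotiateFlags, then payloads

# Constructed sample values, not taken from a real capture.
NTLMV2_BLOB = bytes(range(16)) + b"\x01\x01" + bytes(26)
ZEROED_LM = build_sample(bytes(24), NTLMV2_BLOB)
FILLED_LM = build_sample(bytes(range(1, 25)), NTLMV2_BLOB)

if __name__ == "__main__":
    for name, sample in (("zeroed LM", ZEROED_LM), ("filled LM", FILLED_LM)):
        print(name, classify_authenticate(sample))
```

The same classification over logged authentications shows which clients still populate the LM field or send 24-byte NTLMv1 responses.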