Date: Fri, 10 Sep 2010 08:20:07 +0200
From: "Magnum, P.I." <rawsmooth@...dband.net>
To: john-users@...ts.openwall.com
Subject: Re: Attacking Windows-ALT chars in LM Hashes

On 09/09/2010 10:02 PM, Solar Designer wrote:
>> 2) I could certainly modify dumbforce/or knownforce mode to target a
>> limited range of the most commonly used ALT + normal characters. I
>> guess my biggest question then is what numerical values do the ALT
>> characters correspond to? aka is ALT-0142 represented as a character
>> with value 142 in Windows, or is it encoded some other way?
>
> Apparently, these 8-bit character codes are passed into LM hashes as-is
> (assuming that those hashes are produced at all).

Well, they are first converted from [in this case] cp1252 to utf-16le.
JtR however, cheats when doing this conversion: it just puts a 0x00
between each char. This works for most of the charset when converting
from iso-8859-1 to utf-16le, but will fail on anything else. Thus,
without rewriting JtR you will never ever crack an LM password containing
a character whose utf-16le msb is not 0x00. There is no workaround.

In this case of ALT-0xxx keyboard codes, I guess this all means that if
the character is in the same position in iso-8859-1 as in cp1252, it will
work, otherwise it will not.

This is a complex matter. I think I got it right, anyway this is the
gist of it.

cheers
magnum
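
The comparison described in the message above, as an added example that is not part of the original post and is not JtR code: for every 8-bit value it checks whether a real cp1252 to utf-16le conversion gives the same bytes as inserting 0x00 after the byte. The function names are hypothetical and the only input is the constructed byte range 0x80-0xFF.

```python
# Added illustration (not JtR source): compare a proper cp1252 -> UTF-16LE
# conversion with the "append 0x00 to each byte" shortcut from the post.

def naive_utf16le(raw: bytes) -> bytes:
    """Zero-extend each byte to 16 bits, i.e. treat the input as ISO-8859-1."""
    return b"".join(bytes((b, 0x00)) for b in raw)

def real_utf16le(raw: bytes, codepage: str = "cp1252") -> bytes:
    """Decode with the actual code page, then encode as UTF-16LE."""
    return raw.decode(codepage).encode("utf-16-le")

def classify_high_bytes(codepage: str = "cp1252"):
    """Split 0x80..0xFF into bytes where the shortcut matches the real
    conversion, bytes where it differs, and bytes the code page leaves
    undefined (the codec rejects those)."""
    matching, differing, undefined = [], [], []
    for b in range(0x80, 0x100):
        raw = bytes((b,))
        try:
            proper = real_utf16le(raw, codepage)
        except UnicodeDecodeError:
            undefined.append(b)
            continue
        (matching if proper == naive_utf16le(raw) else differing).append(b)
    return matching, differing, undefined

if __name__ == "__main__":
    matching, differing, undefined = classify_high_bytes()
    print(f"shortcut correct for {len(matching)} bytes "
          f"(0x{matching[0]:02X}-0x{matching[-1]:02X})")
    print(f"shortcut wrong for {len(differing)} bytes:")
    for b in differing:
        ch = bytes((b,)).decode("cp1252")
        # Keypad entry uses the decimal value, e.g. ALT-0142 for byte 0x8E.
        print(f"  ALT-0{b:03d}  byte 0x{b:02X}  U+{ord(ch):04X}  "
              f"real={real_utf16le(bytes((b,))).hex()}  "
              f"naive={naive_utf16le(bytes((b,))).hex()}")
    print("undefined in cp1252:", [f"0x{b:02X}" for b in undefined])
```

The bytes where the two conversions differ all sit in 0x80-0x9F, the range where cp1252 and iso-8859-1 assign different characters; ALT-0142 from the quoted question is one of them.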