john-users - Re: NTLM challenge/response cracking (again...)

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Nov 2011 23:16:57 +0100
From: rootkit rootkit <rootkit77@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM challenge/response cracking (again...)

On Fri, Nov 11, 2011 at 6:29 PM, magnum <john.magnum@...hmail.com> wrote:

>> Information on this topic are very difficult to find. At the beginning
>> I was thinking about generating rainbow tables for each different
>> CHALLENGE, but that would be really too much.
>
> It would miss the whole point of rainbow tables. In short, if you do not
> already have the tables, cracking with JtR will be quicker.

True. At the time I didn't know john could crack it (or better, I
didn't know I needed the jumbo patch).

>> However there's something I don't understand: does the NETLM cracking
>> work only if the challenge is 1122334455667788? Would it work for any
>> challenge?
>
> JtR works for any challenge. That particular challenge stems from some
> old public attacks where the challenge was forced to this value, thereby
> making the salt (challenge) "worthless".

That was more or less my guess, thanks for confirming.

> And, because of this, I'm
> pretty sure there are rainbow tables for that very challenge.

Yes, I have seen some around.

> Like Solar said, post some example hashes. It should work if you do it
> right - at least if you run JtR version 1.7.7-jumbo-5 or newer. Earlier
> versions had a variety of shortcomings and was also substantially slower
> for these hashes.

Done in the other post.
Thanks for your answer magnum.