Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 14 Jan 2014 13:35:27 -0500
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking MSChap v2

On Tue, Jan 14, 2014 at 9:15 AM, Rob Fuller <jd.mubix@...il.com> wrote:
> @Rich I completely agree about WCE and Mimikatz, both are amazing tools and
> clear text is great. However, both tools require coded execution and
> administrator / SYSTEM access on a machine to do this. Gaining NetNTLMv1
> hashes are MUCH easier to achieve using tools like Responder or other
> WPAD/NBNS/LLMNR tools.
Well getting a mini-dump of the lsass.exe does require higher priv's,
but that mini-dump can be copied anywhere and then you can run mimi on
it later, it can be separate machines in that sense. Prior to the
latest Alpha version of Mimi it did require it to be locally run like
WCE does still. I bet someone could carve this out of a hibernation
file too, that might be fun :)

> @magnum those are amazing speeds, are you saying that JtR jumbo already
> does NetNTLMv1 => NTLM via DES hack/bypass/brute (not sure what the right
> word is)
JtR brute forces it the "traditional way", using the challenge. JtR
takes the input candidate "pass1234", then uses the challenge to hash
the input word. If the hashes then match, you get the plain-text, if
not then move on to "passw0rd" etc.... This challenge is not very
"expensive" since you know the challenge and the hash is very quick,
so there are only a few extra operations in addition to the hashing.
Passing the hash could be done after the plain-text is found, but that
takes away the main point of passing the hash. I think someone could
write something to do what the script on that blog does + what
cloudcracker does, but the need and usefulness beyond pass-the-hash is
probably very small. l0pht, Cain&Able, HashCat, they use the
"traditional method" of bruteforcing a challenge and response.
> Finally, I totally agree the JtR is a "weak password finder". It's the same
> answer I got from hashcat team (think it was Atom but it was a while ago I
> ask (just re-asked in their channel yesterday as well). But honestly I have
> no where else to go to ask for this. The JtR and Hashcat teams would be the
> only people who could accomplish a feat like this for the public security
> community.
I agree, these guys could code that, but it's a dubious endeavor to
release, as I can only see pass-the-hash as the use case. That's not
to say it's not a good use case, it's something administrators should
worry about, just needs someone to do it I guess. (I probably would if
I could:)
-rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.