Date: Thu, 16 Apr 2015 20:38:15 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM proxy auth

On 2015-04-16 13:49, Micha Borrmann wrote:
> I've captured authentication data to a proxy with NTLM authentication, like
> 
> GET /dummy HTTP/1.0
> Host: www.dummy.net
> Proxy-Authorization: NTLM TlRMTVNTUAABAAA...AAAAAAA=

> I have the data in pcap (or txt) file. How can I convert it to use it
> with JtR? I've tried https://github.com/psychomario/ntlmsspparse but
> with it only one value could be extracted but there are more in my data.
> I've tried to use several pcap files for each data stream, but it
> doesn't help. Any hints?

Off the top of my head, you should Base64-decode the strings (e.g.
TlRMT...LmWHfQAQAAAAA=) and then encode them to hex instead. At that
point you may see similarities with sample NTLM hashes or test vectors,
I can't remember the details. Either it will be usable as-is or you'd
need just a little manual editing.

magnum
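
An added example, not part of the original thread: the Base64-decode-then-hex step suggested above, applied to every NTLM token in a header dump. An NTLM handshake carries three NTLMSSP messages (negotiate, challenge, authenticate), so the sketch also reports each message's type and fields; the function names and the sample exchange are constructed for illustration, and the field offsets assume the standard NTLMSSP message layout.

```python
import base64
import re
import struct

SIGNATURE = b"NTLMSSP\x00"
# Matches the token in request (Proxy-Authorization) and 407 reply (Proxy-Authenticate) headers.
TOKEN_RE = re.compile(r"^Proxy-Auth(?:orization|enticate):\s*NTLM\s+(\S+)", re.I | re.M)
# Type 3 security-buffer descriptors (len, maxlen, offset) sit at these fixed positions.
TYPE3_FIELDS = {"lm_response": 12, "nt_response": 20, "domain": 28, "user": 36}

def read_buffer(msg, pos):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_token(b64):
    """Base64-decode one NTLM token and return its type, hex form and key fields."""
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    out = {"type": mtype, "hex": msg.hex()}
    if mtype == 2 and len(msg) >= 32:      # challenge sent by the proxy
        out["server_challenge"] = msg[24:32].hex()
    elif mtype == 3 and len(msg) >= 44:    # client's answer to the challenge
        for name, pos in TYPE3_FIELDS.items():
            out[name] = read_buffer(msg, pos).hex()
    return out

def parse_capture(text):
    return [parse_token(tok) for tok in TOKEN_RE.findall(text)]

def sample_capture():
    """Constructed three-message exchange with dummy values (not real traffic)."""
    t1 = SIGNATURE + struct.pack("<II", 1, 0x207) + bytes(16)
    t2 = SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 32, 0x205) + bytes(range(1, 9))
    parts = [b"\xaa" * 24, b"\xbb" * 24, "LAB".encode("utf-16-le"),
             "alice".encode("utf-16-le"), b"", b""]
    hdr, body = SIGNATURE + struct.pack("<I", 3), b""
    for p in parts:
        hdr += struct.pack("<HHI", len(p), len(p), 64 + len(body))
        body += p
    t3 = hdr + struct.pack("<I", 0x205) + body
    names = ["Proxy-Authorization", "Proxy-Authenticate", "Proxy-Authorization"]
    return "\n".join(f"{n}: NTLM {base64.b64encode(t).decode()}"
                     for n, t in zip(names, (t1, t2, t3)))

if __name__ == "__main__":
    for m in parse_capture(sample_capture()):
        print(m["type"], {k: v for k, v in m.items() if k != "type"})
```

A capture that yields only type 1 tokens is missing the proxy's 407 reply and the client's follow-up request, which is where the challenge and the response live.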

