Date: Fri, 17 Apr 2015 00:05:25 +0200
From: Micha Borrmann <johnusers@...rmann.syss.de>
To: john-users@...ts.openwall.com
Subject: Re: NTLM proxy auth



On 16.04.2015 at 23:13, JJ Gray wrote:
> On 16/04/2015 12:49, Micha Borrmann wrote:
>> Hello,
>>
>> I've captured authentication data to a proxy with NTLM authentication, like
>>
>> GET /dummy HTTP/1.0
>> Host: www.dummy.net
>> Proxy-Authorization: NTLM TlRMTVNTUAABAAA...AAAAAAA=
> [..]
>> I have the data in pcap (or txt) file. How can I convert it to use it
>> with JtR?
> 
> You have a couple of options: convert the values from Base64 to Hex or
> fire the pcap into Ettercap -r and it should convert it to the
> "standard" hex format (I tend to do that for multiple users). Then
> it's simply looking at what the JtR format is for that particular
> version of NETLM. Personally, with each new revision of JtR I just run
> something like:
> 
> C:\CLI Tools\John>john.exe --list=format-all-details >
> jtr_hash_formats.txt and use that text file as a reference since I can't
> remember all of the hash formats, or you could do this on the fly with
> something like:
> 
> C:\CLI Tools\John>john.exe --list=format-all-details | grep -E "Format
> label|Example ciphertext" | grep -A 1 'netnt'
> Format label                         netntlmv2
> Example ciphertext
> USER1::Domain:1122334455667788:5E4AB1BF243DCA304A00ADEF78DC38DF:0101000000000000BB50305495AACA01338BC7B090A6285600000000020
> 0120057004F0052004B00470052004F00550050000000000000000000
> Format label                         netntlm
> Example ciphertext
> $NETNTLM$1122334455667788$BFCCAF26128EC95F9999C9792F49434267A1D9B0EF89BFFB
> Format label                         netntlm-naive
> Example ciphertext
> User:::lm-hash:35B62750E1B9B3205C50D6BA351092C12A1B9B3CDC65D44A:1122334455667788
> 
> Or a combination thereof.

Thanks for the hints. I manually created the hashfile and it seems there
is a bug in JtR: I know one password but JtR was not able to recover it.
But with another tool (oclHashcat), it was possible to recover it (and
to confirm that my hash was extracted correctly).

Micha
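
Added example, not part of the original messages and not code from the JtR project: the Base64-to-hex conversion discussed above, done by decoding the NTLMSSP messages so that a hand-built hash line can be checked field by field against the capture. The function names and sample tokens are constructed for illustration, and user and domain names are assumed to be UTF-16LE. The server challenge comes from the proxy's type 2 reply and the response from the client's type 3 message; a type 1 token carries neither.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def _buf(msg, pos):
    """Follow a security-buffer descriptor (len, maxlen, offset) at pos."""
    length, _, start = struct.unpack_from("<HHI", msg, pos)
    if start + length > len(msg):
        raise ValueError("field points past end of message")
    return msg[start:start + length]

def parse_ntlmssp(token):
    """Decode the Base64 token that follows 'NTLM ' in a proxy auth header."""
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:                      # NEGOTIATE: flags only
        return {"type": 1}
    if mtype == 2 and len(msg) >= 32:   # CHALLENGE: server challenge at offset 24
        return {"type": 2, "challenge": msg[24:32].hex()}
    if mtype == 3 and len(msg) >= 52:   # AUTHENTICATE: descriptors start at offset 12
        lm, nt, dom, user = (_buf(msg, p) for p in (12, 20, 28, 36))
        return {"type": 3, "lm": lm.hex(), "nt": nt.hex(),
                # Assumption: names are UTF-16LE (Unicode was negotiated).
                "domain": dom.decode("utf-16-le"), "user": user.decode("utf-16-le")}
    raise ValueError("unsupported or truncated message type %d" % mtype)

def netntlmv2_fields(challenge_msg, auth_msg):
    """Lay the decoded values out like the netntlmv2 example quoted above."""
    nt = auth_msg["nt"]
    if len(nt) <= 48:   # a 24-byte response is NTLMv1 and does not fit this layout
        raise ValueError("NT response is not NTLMv2")
    return ":".join([auth_msg["user"], "", auth_msg["domain"],
                     challenge_msg["challenge"], nt[:32], nt[32:]])

def constructed_samples():
    """Constructed test tokens (not from any capture): type 1, 2 and 3."""
    t1 = SIG + struct.pack("<I", 1) + bytes(20)
    t2 = SIG + struct.pack("<I", 2) + bytes(12) + bytes.fromhex("1122334455667788")
    user, dom = "USER1".encode("utf-16-le"), "Domain".encode("utf-16-le")
    nt = bytes(range(16)) + b"\x01\x01" + bytes(30)   # 16-byte proof + blob
    body, hdr = b"", b""
    for f in (b"", nt, dom, user, b""):   # LM, NT, domain, user, workstation
        hdr += struct.pack("<HHI", len(f), len(f), 52 + len(body))
        body += f
    t3 = SIG + struct.pack("<I", 3) + hdr + body
    return [base64.b64encode(t).decode() for t in (t1, t2, t3)]
```

Comparing the output of netntlmv2_fields() with a manually assembled line shows which field differs when two tools disagree about the same capture.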
