Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 02 Aug 2012 22:49:32 +0400
From: Alexander Cherepanov <>
Subject: Re: mscash2 / hmac-md5 ambiguity

On 2012-07-26 02:42, Alexander Cherepanov wrote:
>> It is a good goal to try to remove some of these issue, and CERTAINLY to
>> have the 'default' representation be the most often seen ITW. I currently
>> think we have the wrong 32 byte hex 'default'. It picks LM. That is
>> due to
>> it being LM in the core JtR. But in the wild is NTLM
> Isn't NTLM usually found in pwdump format (i.e. in other field than
> other types of hashes)?

OTOH LM hashes are also usually found in pwdump format so having LM as 
default while reading non-pwdump-like files seems strange.

Therefore I would expect something like this for 32 byte hex:
- if file is in pwdump format:
   - if LM hash is non-trivial take it;
   - if LM hash is trivial (i.e. disabled) take NTLM hash;
- if file format is login:hash accept it as raw-md5 or something.

Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.