Date: Thu, 02 Aug 2012 22:49:32 +0400 From: Alexander Cherepanov <cherepan@...me.ru> To: john-dev@...ts.openwall.com Subject: Re: mscash2 / hmac-md5 ambiguity On 2012-07-26 02:42, Alexander Cherepanov wrote: >> It is a good goal to try to remove some of these issue, and CERTAINLY to >> have the 'default' representation be the most often seen ITW. I currently >> think we have the wrong 32 byte hex 'default'. It picks LM. That is >> due to >> it being LM in the core JtR. But in the wild is NTLM > > Isn't NTLM usually found in pwdump format (i.e. in other field than > other types of hashes)? OTOH LM hashes are also usually found in pwdump format so having LM as default while reading non-pwdump-like files seems strange. Therefore I would expect something like this for 32 byte hex: - if file is in pwdump format: - if LM hash is non-trivial take it; - if LM hash is trivial (i.e. disabled) take NTLM hash; - if file format is login:hash accept it as raw-md5 or something. -- Alexander Cherepanov
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.