Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 31 Jan 2013 07:29:05 +0100
From: atom <atom@...hcat.net>
To: john-dev@...ts.openwall.com
Subject: Re: NetNTLMv1

I never looked at NetNTLM before but yesterday some guy on hashcat
forum asked for implementation into hashcat.

This weakness was obvious to me. I was wondering why its not implemented in JtR.

You're right so far, the weakness is the third DES part. Its keyspace
is just 2^16. All you need is to Brute-Force this keyspace on CPU,
which is very fast. It takes only a few ms with OpenSSL DES on a
single core. But once you found it, you know the last 16 bit of the
MD4.

Now you running your candidates against the MD4, but you compare only
these last 2 bytes first. If they dont match, there is no need to
calculate the three DES parts, its completly eleminated. Only if it
matches you need to calculate it but chances for this is 2^16.

The speedup is so high that you an directly compare it to MD4.

On Thu, Jan 31, 2013 at 6:54 AM, Solar Designer <solar@...nwall.com> wrote:
> On Thu, Jan 31, 2013 at 09:03:00AM +0400, Solar Designer wrote:
>> I took a look.  It's the last portion of the key, not block, that
>> contains only 2 bytes.  The table can't be precomputed just once because
>> it depends on the challenge, but it can be precomputed in salt() (higher
>> memory usage)
>
> I have a quick and dirty implementation, storing the entire 512 KB table
> per salt.  (This can be lowered by storing partial DES blocks - still
> sufficient to reject most password candidates.)
>
> I'll post benchmarks and patch shortly.
>
>> or set_salt() (lower memory usage, but also lower speed).
>
> I tried this too, the speed was way too low.  We'd need to increase
> MAX_KEYS_PER_CRYPT a lot in order to go with this approach, and that
> will have performance impact on its own (keys not fitting in caches).
>
> Alexander



-- 
atom

email: atom@...hcat.net

web: http://hashcat.net/

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.