Date: Sun, 15 May 2005 04:07:03 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: LANMAN and NT Hash ?s...basic

On Fri, May 13, 2005 at 03:24:32PM -0700, Whom Ever wrote:
> I'm sorry for asking a noob question but I have a sam file that I ran
> GetHashes.exe (SamInside) on and I'm not sure how to get JtR to work on the
> NT hash (really XP hash) part. It autodetects the LANMAN portion and goes to
> work, I tried the --format option but none of the other options loaded any
> passwords. JtR can crack NT hashes, right?

As it has correctly been pointed out, you need to apply the contributed
patch to get support for the MD4-based NT hashes. The official JtR
supports only DES-based NTLM hashes.

> And XP uses NT hashes too?

Yes.

> Example from john.pot (not a working one...I modified some data):
> User:57Q7T4R23E@:1007:14806rd271e60f5re2549d67eb6ef6b1:::
>
> Now, the NT hash is after the 1007: right?

Yes, perhaps, however this does not look exactly like the pwdump-style
format that JtR expects:

Administrator:500:73CC402BD3E791756C3D3B817E02809D:C7E2622D76D3F001CF08B0753646BBCC:Built-in account for administering the computer/domain::

Notice that the two hashes (NTLM/DES and NT/MD4, respectively) are in
the third and fourth field. While you also have what might be the NT
hash in the fourth field, you have the preceding two fields set in an
unusual way.

> It's my understanding with 2k and XP that if you use a password longer than 14
> characters nulls are entered in the LANMAN portion so in that case you have
> to use the NT hash portion, right?

I am not sure of that. It could be more complicated than that (registry
settings involved, etc.) I'd rather have someone more knowledgeable in
Windows comment on this. Simon?

> Also, if JtR does do NT hash, wouldn't a module to get the LANMAN and then try
> the 2^n letter case combinations to run against the NT hash be fairly easy to
> add. I'm probably way off base here or this already exists!

No, this is a perfectly reasonable question.

There're two reasons why JtR doesn't do this already:

1. It does not yet officially support NT hashes.

2. This does not fit in well within the generic framework of JtR. It'd
have to first crack NTLM hashes, then apply that knowledge to NT hashes.
I might implement this at some point, but it'd be some added complexity
for the now-generic code specific to the NTLM+NT hash case.

Having that said, you can use the following procedure for now:

0. In params.h, increase RULE_RANGES_MAX from 8 to at least 14 and
re-compile. (I probably need to change this default.)

1. Crack your NTLM hashes.

2. In john.conf, rename the old "[List.Rules:Wordlist]" section, e.g. to
"[List.Rules:Disabled]" (or comment it out).

3. Create this section anew:

[List.Rules:Wordlist]
:
lMT[*0]T[*1]T[*2]T[*3]T[*4]T[*5]T[*6]T[*7]T[*8]T[*9]T[*A]T[*B]T[*C]T[*D]Q

4. Crack your NT hashes with these invocations of John:

john -show pwfile | cut -d: -f2 > ntlm.lst
john -w=ntlm.lst -rules pwfile

Don't forget to revert your wordlist rules back when you're done with
this step (or just do it in another directory, where you'd keep this
edited john.conf).

This is untested, but it should work. ;-)

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
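
Added example, not part of the original message or of John the Ripper: a Python check of the pwdump-style layout described above (DES-based hash in the third field, MD4-based NT hash in the fourth) that also reports which accounts still store a DES-based hash. The function names and the svc_backup line are constructed for illustration; EMPTY_LM is the well-known DES-based hash of an empty password and does not come from the message.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
# DES-based (LM) hash of an empty password; pwdump-style dumps show this
# value when no DES-based hash is stored for the account.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"


def classify(line):
    """Return (user, status) for one pwdump-style line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return fields[0], "malformed: fewer than four fields"
    user, uid, lm, nt = fields[:4]
    if not uid.isdigit():
        return user, "malformed: field 2 is not a numeric id"
    if not HEX32.fullmatch(lm):
        return user, "malformed: field 3 is not a 32-digit hex hash"
    if not HEX32.fullmatch(nt):
        return user, "malformed: field 4 is not a 32-digit hex hash"
    if lm.upper() == EMPTY_LM:
        return user, "nt-only"
    return user, "lm-present"


def audit(lines):
    """Group user names by status so weak or unparsable entries stand out."""
    report = {}
    for line in lines:
        if line.strip():
            user, status = classify(line)
            report.setdefault(status, []).append(user)
    return report


SAMPLE = [
    # Line quoted in the message as the expected format.
    "Administrator:500:73CC402BD3E791756C3D3B817E02809D:"
    "C7E2622D76D3F001CF08B0753646BBCC:"
    "Built-in account for administering the computer/domain::",
    # The poster's modified sample, exactly as quoted.
    "User:57Q7T4R23E@:1007:14806rd271e60f5re2549d67eb6ef6b1:::",
    # Constructed line: no DES-based hash stored, placeholder NT hash.
    "svc_backup:1105:AAD3B435B51404EEAAD3B435B51404EE:"
    "0123456789ABCDEF0123456789ABCDEF:::",
]

if __name__ == "__main__":
    for status, users in audit(SAMPLE).items():
        print(status, users)
```

Accounts reported as lm-present are the ones for which the case-insensitive DES-based hash is available alongside the NT hash; lines reported as malformed will not load in the layout shown in the message.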