Date: Tue, 24 May 2005 03:15:28 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: LANMAN and NT Hash ?s...basic On Mon, May 23, 2005 at 03:49:05PM -0700, Whom Ever wrote: > That sounds like a great idea! You must be referring to this proposal of mine: > > On Sun, May 15, 2005 at 02:47:31PM +0200, Simon Marechal wrote: > > > I think so, the lmhash should be aad3b435b51404eeaad3b435b51404ee. > > > > Oh, right now John does not load LM hashes with that value and reports > > them as "NO PASSWORD" with "--show". Perhaps I should enhance it to > > also look at the NTLM hash field and only report the "NO PASSWORD" if > > both LM and NTLM hashes correspond to an empty password. If the LM > > hash is that of an empty string, but the NTLM hash is not, report that > > the password is longer than 14 characters instead. This is something > > to get back to after John 1.7. Please do leave an adequate amount of context in your responses. We're not alone on this mailing list, and there will also be people browsing the archives. > Is that "no password" > output in 1.6.38 because I don't remember seeing that. Oh, I was wrong about it. That's what I get for not working on that code for years. There's a check for the "NO PASSWORD*********************" string in place of the LM hash, but no check for the empty password hash. John is only checking the second half of the LM hash for the value of AAD3B435B51404EE to deduce that the password is no more than 7 characters long. When given the empty password hash (with both halves of AAD3B435B51404EE), John does load the first half for cracking, unless this hash is already found in john.pot, and cracks it almost instantly. Then "john --show" reports an empty string in place of the password, just like it does for empty Unix passwords. > Also, have you noticed some pwdump files show just a > bunch of * for the LM and NT hash...I'm uncertain as > to the meaning for that...any ideas? No, I've only seen the "NO PASSWORD*********************" thing. But Windows is really not my territory. -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.