Date: Sat, 8 Jul 2006 06:57:21 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: uppercase only from john --show On Fri, Jul 07, 2006 at 08:15:49AM -0400, Jason Briggaman wrote: > I retrieved the passwords from my domain controller using pwdump 6. When I > issue "john --show passwordfile.txt", all of the passwords are in uppercase. This is as intended. > Is there a way that I can display them in their true case? It's not just a matter of "displaying" them in the right case. Windows NT/2000/XP/2003/... systems store two types of password hashes - DES-based LM (LanMan) hashes and MD4-based NTLM hashes. LM hashes process input passwords as case insensitive and are much quicker to crack (for several reasons). John the Ripper supports them out of the box. NTLM hashes process the original case-sensitive passwords and are slower to crack. John the Ripper does not currently support them officially, but there is a contributed patch to add that support, and there are unofficial builds of John the Ripper with the patch applied. Download links for these can be found on John the Ripper homepage. In PWDUMP output files, the third field on each line is the LM hash and the fourth one is the NTLM hash. In some cases, LM hashes may be unavailable - or LM hashes of empty strings (rather than of actual passwords) may be substituted in their place. In particular, the use of LM hashes may be disabled with a registry setting or simply by picking passwords (or passphrases) of 15 characters or more. Now, there can be three possible scenarios: 1. You're auditing your passwords for the purpose of detecting weak ones and LM hashes are available. In that case, you might not actually need to bother cracking NTLM hashes of the same passwords. 2. You only have NTLM hashes. In that case, you need a build of JtR with the contributed patch applied. You also need to pass the "--format=NT" option when you invoke JtR to crack your NTLM hashes and also when you invoke it to display the results (that is, you use "--format=NT" along with "--show"). 3. You have hashes of both types, yet you want to have your cracked passwords displayed in their true case. In that case, you can either use the approach described above or you can be smarter (and likely get more passwords cracked). The instructions below apply to JtR 1.7.x: Start by cracking your LM hashes. At this point, you have your cracked passwords, less the case of characters. In john.conf (or john.ini if you're running on Windows), rename the old [List.Rules:Wordlist] section to [List.Rules:Disabled] to deactivate it. Rename the [List.Rules:NT] section to [List.Rules:Wordlist]. Crack your NTLM hashes almost instantly by invoking a build of JtR with the contributed patch applied as: john -show pwfile | cut -d: -f2 > cracked john -w=cracked -rules -format=nt pwfile The "cut" command requires that you either do this on a Unix system or you have Cygwin installed on your Windows system. Don't forget to revert your wordlist rules back when you're done with this step. To display your final cracked passwords, use: john -show -format=nt pwfile One known problem with this approach is that it'll fail for passwords containing colons. Yes, this is more complicated than it should be. I might integrate this functionality into JtR eventually. -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.