Date: Wed, 24 Jan 2007 01:11:02 +0300
From: Solar Designer <>
Subject: Re: Is the passwd in upper or lower case ?

Hi Mick,

The Rogue Fugu has already explained the relevant properties of LM
hashes (thanks!) but let me point you at an older john-users posting of
mine in response to a similar question:

This should fully answer your question as well.

Some other comments (which you didn't ask for) are inline:

On Sun, Jan 21, 2007 at 09:00:03PM +0000, Mick wrote:
> First post to the list.  I've used bkhive-linux to extract the hashes and 
> samdump2 to extract the passwd file from a MS Windows machine.

That's fine, but why didn't you simply use one of the PWDUMP tools?  Are
you unable to log in to the Windows system as an administrator, is that
the reason?

> # john -i passwd-hashes-desktop.txt
> Loaded 2 password hashes with no different salts (NT LM DES [32/32 BS])

This tells me three things:

1. You're running John as root (according to your shell prompt).  John
does not need root privileges.  It is generally a bad practice to be
unnecessarily running programs as root.  I understand that you might be
running this off a live CD or something, in which case you probably
don't care.

2. You're using a build of John that is likely non-optimal for your
hardware.  I am guessing that you're running this on a fairly modern x86
system (since these are the most common), yet this build of John does
not use MMX or SSE2.

3. You've forced John to only use "incremental" mode - why?  This was
not needed and it could have resulted in some passwords taking longer to
crack or not getting cracked.  John would proceed with "incremental"
mode after trying "single crack" and wordlist mode with rules anyway;
there's usually no good reason to force it to start with "incremental"
mode right away.  Simply run it with no options (but do provide it with
a password file indeed).

> D01              (LOCALMGTN01:2)
> MG3657R          (LOCALMGTN01:1)

That's fine - both halves of the LM hash got cracked.

> guesses: 2  time: 0:01:15:49  c/s: 2787102  trying: MG36573 - MG36592

This tells me yet another thing - you're using a pre-1.7 version of
John; there was a slight change in the way this line is formatted
shortly before the 1.7 release, so I know that your version is older.
This might contribute to worse performance, too.

> # john -show passwd-hashes-desktop.txt
> LOCALMGTN01:MG3657RD01:500:3fe3...................1c38:::

This looks correct to me - here you see your full cracked password,
less the case of characters indeed.

> Could you please explain if the two accounts shown (LOCALMGTN01:2 and 
> LOCALMGTN01:1) are one and the same?

Yes, they're halves of the same LM hash taken off the same account
(username LOCALMGTN01).

> Similarly, when I tried running ophcrack I got only one password, but 
> additionally it showed lower case letters:   "MG3657rd01"
> Does John show only upper case?

Yes - and that's all you need in order to identify weak passwords.  If
you really need to infer the case of characters, you should be using a
patched version of John as explained in the older posting referenced
above.  Of course, this is specific to Windows passwords - John does
report other types of passwords in their true case.

Alexander Peslyak <solar at>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:
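
The LM properties discussed in the message above (uppercasing, two independently hashed 7-character halves), as an added example that is not part of the original message and is not John the Ripper code. The function names are hypothetical; the sample lines are the ones quoted in the thread.

```python
import re

LM_MAX = 14  # LM ignores everything past the 14th character
HALF = 7     # each 7-character half is hashed on its own

def lm_halves(password):
    """Return the two strings LM hashes separately for `password`.

    str.upper() stands in for the OEM-codepage uppercasing Windows applies;
    the two agree for ASCII passwords such as the one in this thread.
    """
    up = password.upper()[:LM_MAX]
    return up[:HALF], up[HALF:]

# Guess line as quoted in the thread: "<plaintext>   (<user>:<1|2>)"
GUESS_RE = re.compile(r"^(?P<plain>.*?)\s+\((?P<user>[^():]+):(?P<half>[12])\)$")

def recombine(lines):
    """Map each account to [first_half, second_half]; None = not cracked yet."""
    accounts = {}
    for line in lines:
        m = GUESS_RE.match(line.rstrip("\r\n"))
        if m is None:
            continue  # status lines, banners, blank lines
        halves = accounts.setdefault(m["user"], [None, None])
        halves[int(m["half"]) - 1] = m["plain"]
    return accounts

def full_password(halves):
    """Uppercase password as `john -show` prints it, or None if a half is missing."""
    if None in halves:
        return None
    return halves[0] + halves[1]

# Lines taken from the session quoted in the message (leading "> " removed).
SESSION = [
    "Loaded 2 password hashes with no different salts (NT LM DES [32/32 BS])",
    "D01              (LOCALMGTN01:2)",
    "MG3657R          (LOCALMGTN01:1)",
    "guesses: 2  time: 0:01:15:49  c/s: 2787102  trying: MG36573 - MG36592",
]

if __name__ == "__main__":
    for user, halves in recombine(SESSION).items():
        print(user, halves, "->", full_password(halves))
    # The mixed-case string ophcrack reported maps to the same two halves.
    print(lm_halves("MG3657rd01"))
```

Because the mixed-case and uppercase forms map to the same halves, the LM hash alone cannot distinguish them, which is why John reports the password in upper case.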
