Date: Wed, 24 Jan 2007 01:11:02 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: Is the passwd in upper or lower case ? Hi Mick, The Rogue Fugu has already explained the relevant properties of LM hashes (thanks!) but let me point you at an older john-users posting of mine in response to a similar question: http://www.openwall.com/lists/john-users/2006/07/08/2 This should fully answer your question as well. Some other comments (which you didn't ask for) are inline: On Sun, Jan 21, 2007 at 09:00:03PM +0000, Mick wrote: > First post to the list. I've used bkhive-linux to extract the hashes and > samdump2 to extract the passwd file from a MS Windows machine. That's fine, but why didn't you simply use one of the PWDUMP tools? Are you unable to login to the Windows system as an administrator, is that the reason? > # john -i passwd-hashes-desktop.txt > Loaded 2 password hashes with no different salts (NT LM DES [32/32 BS]) This tells me three things: 1. You're running John as root (according to your shell prompt). John does not need root privileges. It is generally a bad practice to be unnecessarily running programs as root. I understand that you might be running this off a live CD or something, in which case you probably don't care. 2. You're using a build of John that is likely non-optimal for your hardware. I am guessing that you're running this on a fairly modern x86 system (since these are the most common), yet this build of John does not use MMX or SSE2. 3. You've forced John to only use "incremental" mode - why? This was not needed and it could have resulted in some passwords taking longer to crack or not getting cracked. John would proceed with "incremental" mode after trying "single crack" and wordlist mode with rules anyway; there's usually no good reason to force it to start with "incremental" mode right away. Simply run it with no options (but do provide it with a password file indeed). > D01 (LOCALMGTN01:2) > MG3657R (LOCALMGTN01:1) That's fine - both halves of the LM hash got cracked. > guesses: 2 time: 0:01:15:49 c/s: 2787102 trying: MG36573 - MG36592 This tells me yet another thing - you're using a pre-1.7 version of John; there was a slight change in the way this line is formatted shortly before the 1.7 release, so I know that your version is older. This might contribute to worse performance, too. > # john -show passwd-hashes-desktop.txt > LOCALMGTN01:MG3657RD01:500:3fe3...................1c38::: This looks correct to me - here you see your full cracked password, less the case of characters indeed. > Could you please explain if the two accounts shown (LOCALMGTN01:2 and > LOCALMGTN01:1) are one and the same? Yes, they're halves of the same LM hash taken off the same account (username LOCALMGTN01). > Similarly, when I tried running ophcrack I got only one password, but > additionally it showed lower case letters: "MG3657rd01" > > Does John show only upper case? Yes - and that's all you need in order to identify weak passwords. If you really need to infer the case of characters, you should be using a patched version of John as explained in the older posting referenced above. Of course, this is specific to Windows passwords - John does report other types of passwords in their true case. -- Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.