Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1180639505.10438.212.camel@localhost>
Date: Thu, 31 May 2007 14:25:05 -0500
From: jmk <jmk@...fus.net>
To: john-users@...ts.openwall.com
Subject: Re: LM/NTLMv1 challenge/response cracking

On Sun, 2007-05-27 at 14:19 +0400, Solar Designer wrote:
<snip>

Thanks for the feedback!

I've made the following changes:

* Removed "-lssl" from Makefile
* Replaced md4.c/h files with updated versions. However, I carried over
the mdfour() function from the previous version.
* Removed copyright and placed formats in the public domain
* Changed FORMAT_NAMEs to your suggestions.

Updated patch against clean 1.7.0.2:
http://www.foofus.net/~jmk/tools/jtr/john-1.7.0.2-netlm-netntlm-jmk-2.diff

Updated patch against 1.7.2 w/ john-1.7.2-all-3.diff:
http://www.foofus.net/~jmk/tools/jtr/john-1.7.2-all-netlm-netntlm-jmk-2.diff



In case anyone is interested, the following are some general notes
regarding my use of this patch...

* Capture the LM/NTLM challenge/response exchange. I've posted[1] a
modification to Samba to assist with this effort.

* Use RainbowCrack to lookup first 7 characters of the password using
the LM response hash (half LM response tables).

* Use JtR to crack the remaining characters. I've found the following
type of john.conf file to be useful. For example, if the password found
via RainbowCrack was "TEST!@#", I'd create the following config: 

[Incremental:LM]
File = /usr/share/john/lanman.chr
MinLen = 1
MaxLen = 7
CharCount = 69

[List.External:HalfLM]
void filter()
{
	word[13] = word[6];
	word[12] = word[5];
	word[11] = word[4];
	word[10] = word[3];
	word[9] = word[2];
	word[8] = word[1];
	word[7] = word[0];
	word[6] = "#";
	word[5] = "@";
	word[4] = "!";
	word[3] = "T";
	word[2] = "S";
	word[1] = "E";
	word[0] = "T";
}

* Determine the correct character case using the NTLM response and a
custom john.conf word list, such as:
 
[List.Rules:Wordlist]
l
lMT[*0]T[*1]T[*2]T[*3]T[*4]T[*5]T[*6]T[*7]T[*8]T[*9]T[*A]T[*B]T[*C]T[*D]Q

Some random thoughts... I've written a simple Perl script to automate
this task. I've also hacked a command-line parameter option into JtR to
accept john.conf files other than the system-wide default, which this
script utilizes. I don't know if it's in the future plans, but having
easily accessible functionality built into JtR (case toggle, setting a
seed password, custom configuration files specified on the command-line,
etc) might be useful. Just a thought...


Thanks,
Joe

[1] http://www.foofus.net/jmk/smbchallenge.html


-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.