Date: Sat, 18 Aug 2007 18:50:13 -0800
From: bdk <bdk@...rdmason.com>
To:  john-users@...ts.openwall.com
Subject: 4 hashes per user, which ones to use?

I've read most of the posts in 2007 and can't find one that addresses my
question.

I've booted my server (normally running win2k3) with EBCD and have used
the EBCD to discover the hash values for 3 users. During this process it
gave me a 'Crypted NT Password', 'Crypted LM Password', 'MD4 Hash' and a
'LANMAN Hash'. In trying to understand which does what and what JTR is
capable of cracking right now I've come to some level of confusion.

Is the 'Crypted LM Password' referred to as LANMAN also? (LM == LanMan?)

For the 3 users for which I gained the 4 hashes each, all of the 'Crypted NT
PW' and 'Crypted LM PW' entries start with "01 00 01 00".  Are the 'Crypted'
entries the challenge portion?

I've reconstructed what EBCD gave me for both the Crypted NT & LM hashes
for each user using
http://www.openwall.com/lists/john-users/2005/09/01/9 as a guide:

[User]:[Crypted NT PW]:[Crypted LM PW]

Administrator:01000100377add...:010001001e295f...:::
User1:01 0001008ec826...:01000100f9f8be...:::
User2:01 000100f9daf1...:0100010022941a...:::

I've compiled john 1.7.0.2 using linux-x86-mmx and ran "john --test":
<..snip..>
Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw:    7148K c/s real, 7162K c/s virtual

Does this mean that this version of JTR has NT/LM support and I don't
need the "Windows NT/2000/XP/2003 NTLM (MD4) hash support for 1.7.2+, by
Alain Espinosa"?

I then started JTR:

me@pc$ ./john hash_list
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
<Any key>
guesses: 0  time: 0:09:10:05 (3)  c/s: 40015K  trying: E#MDFHV - E#MDWA%

I did try the example referenced on
http://www.openwall.com/lists/john-users/2005/09/01/9 and my install of
JTR found the password instantly. So I know that my install of JTR does
find windows passwords, but to what extent and which kind I'm not clear
about.

Ultimately I need to know if I'm using the right pair of hashes.
Should I be using the MD4 & LANMAN hashes instead? Do I need to patch
1.7.0.2 with the NTLM (MD4) hash support patch? I imagine yes if I
should be using the MD4 & LANMAN hash, but I don't know if those are the
ones I should be using.

If someone can lead me to the correct syntax of the 4 hashes I have, I
would greatly appreciate it. I'm not necessarily looking for spelled out
answers, but if someone can point me to the right manual I can RTFM. :)

Thanks.

-bdk

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.
