Date: Sat, 18 Aug 2007 18:50:13 -0800
From: bdk <bdk@...rdmason.com>
To: john-users@...ts.openwall.com
Subject: 4 hashes per user, which ones to use?

I've read most of the posts in 2007 and can't find one that addresses my question.

I've booted my server (normally running win2k3) with EBCD and have used the EBCD to discover the hash values for 3 users. During this process it gave me a 'Crypted NT Password', 'Crypted LM Password', 'MD4 Hash' and a 'LANMAN Hash'.

In trying to understand which does what and what JTR is capable of cracking right now, I've come to some level of confusion.

Is the 'Crypted LM Password' referred to as LANMAN also? (LM == LanMan?)

For the 3 users that I gained the 4 hashes for, all of the 'Crypted NT PW' and 'Crypted LM PW' entries start with "01 00 01 00". Are the 'Crypted' entries the challenge portion?

I've reconstructed what EBCD gave me for both the Crypted NT & LM hashes for each user using http://www.openwall.com/lists/john-users/2005/09/01/9 as a guide:

[User]:[Crypted NT PW]:[Crypted LM PW]
Administrator:01000100377add...:010001001e295f...:::
User1:01 0001008ec826...:01000100f9f8be...:::
User2:01 000100f9daf1...:0100010022941a...:::

I've compiled john 22.214.171.124 using linux-x86-mmx and ran "john --test":

<..snip..>
Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw: 7148K c/s real, 7162K c/s virtual

Does this mean that this version of JTR has NT/LM support and I don't need the "Windows NT/2000/XP/2003 NTLM (MD4) hash support for 1.7.2+, by Alain Espinosa"?

I then started JTR:

me@pc$ ./john hash_list
Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX])
<Any key>
guesses: 0 time: 0:09:10:05 (3) c/s: 40015K trying: E#MDFHV - E#MDWA%

I did try the example referenced on http://www.openwall.com/lists/john-users/2005/09/01/9 and my install of JTR found the password instantly. So I know that my install of JTR does find Windows passwords, but to what extent and which kind I'm not clear about.

Ultimately I need to know if I'm using the right pair of hashes. Should I be using the MD4 & LANMAN hashes instead? Do I need to patch 126.96.36.199 with the NTLM (MD4) hash support patch? I imagine yes if I should be using the MD4 & LANMAN hash, but I don't know if those are the ones I should be using.

If someone can lead me to the correct syntax of the 4 hashes I have, I would greatly appreciate it. I'm not necessarily looking for spelled out answers, but if someone can point me to the right manual I can RTFM. :)

Thanks.

-bdk