Date: Fri, 18 Dec 2009 15:19:28 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: JTR and format NTLM On Fri, Dec 18, 2009 at 06:52:19AM -0500, madfran wrote: > From two different ways I always arrive at the same result. What two different ways, specifically? > Administrator:500:AAD3B435B51404EEAAD3B435B51404EE: > A82FF8E15A18E4E73399D231E9B32157F::: This has LM hash of an empty string (which usually indicates that LM hashes are disabled). Then, instead of the NTLM hash, which would normally be represented with 32 hex digits, you have some other string of 33 hex digits. My guess is that it has to do with your "two different ways" - e.g., maybe you used some program that obfuscates password hashes that it dumps, maybe for use with some specific tool or online service. I suggest that you try pwdump6: http://xxx.foofus.net/~fizzgig/pwdump/ http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista#pwdump Please don't forget to let the list know how you obtained this broken NTLM hash, and what approach you ended up using instead. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.