Date: Sun, 20 Dec 2009 15:23:44 -0500
From: "madfran" <>
Subject: Re: JTR and format NTLM

>>>From two different ways I always arrive at the same result.
>>What two different ways, specifically?
>> Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:
>> A82FF8E15A18E4E73399D231E9B32157F:::

>This has LM hash of an empty string (which usually indicates that LM
>hashes are disabled).  Then, instead of the NTLM hash, which would
>normally be represented with 32 hex digits, you have some other string
>of 33 hex digits.  My guess is that it has to do with your "two
>different ways" - e.g., maybe you used some program that obfuscates
>password hashes that it dumps, maybe for use with some specific tool or
>online service.

OK. lc3 says that the LM password is empty, but in fact it doesn't work.

>I suggest that you try pwdump6:

Difficult to do.
Symantec antivirus detects the original pwdump as a virus.
I don't want to disable it because I have had some problems in the past.

>Please don't forget to let the list know how you obtained this broken
>NTLM hash, and what approach you ended up using instead.

First approach.
Old lc3 (l0phtcrack version 3)
As I explained already, I have administrator's rights and I can use it.

Second approach.
-Start the laptop from a USB device with a Linux OS
-Download from my hard disc the following files,
 - system
 - SAM
-Start the laptop in the standard way (Windows XP)
-Extract the bootkey from "system" with the tool Bkhive
-Use samdump to extract the hash

Today's approach
-Download pwdump6-2.0.0
-The PwDumpDebug is not detected by Symantec!
-Extract the hash
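
A format check for the kind of dump line discussed in this message, as an added example that is not part of the original post or of John the Ripper: it flags the empty-string LM hash and an NT field that is not exactly 32 hex digits. The function name and the second sample line are assumptions made for illustration.

```python
import re

# LM hash of the empty string, as identified in the quoted reply above.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"
HEX_ONLY = re.compile(r"[0-9A-Fa-f]*")


def check_pwdump_line(line):
    """Check one pwdump-style line (user:rid:lm_hash:nt_hash:::).

    Returns (fields, problems); fields is None when the line cannot be split.
    """
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None, ["expected at least 4 colon-separated fields"]
    user, rid, lm, nt = parts[:4]
    problems = []
    if not rid.isdigit():
        problems.append("RID is not numeric: %r" % rid)
    for name, value in (("LM", lm), ("NT", nt)):
        if not HEX_ONLY.fullmatch(value):
            problems.append("%s hash contains non-hex characters" % name)
        elif len(value) != 32:
            problems.append("%s hash has %d hex digits, expected 32"
                            % (name, len(value)))
    fields = {
        "user": user,
        "rid": rid,
        "lm": lm,
        "nt": nt,
        # True when the LM field carries no password information at all.
        "lm_is_empty_string": lm.upper() == EMPTY_LM,
    }
    return fields, problems


SAMPLES = [
    # The line quoted in this thread, joined back onto one line.
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:"
    "A82FF8E15A18E4E73399D231E9B32157F:::",
    # Constructed sample: empty LM hash plus the NT hash of an empty password.
    "Guest:501:AAD3B435B51404EEAAD3B435B51404EE:"
    "31D6CFE0D16AE931B73C59D7E0C089C0:::",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        fields, problems = check_pwdump_line(sample)
        print(fields["user"], "->", problems or "well-formed")
```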

