Message-ID: <20091221152152.GA10201@openwall.com>
Date: Mon, 21 Dec 2009 18:21:52 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: JTR and format NTLM

On Sun, Dec 20, 2009 at 03:23:44PM -0500, madfran wrote:
> Symantec antivirus detects the original pwdump as a virus.
You'll do everyone a favor if you contact Symantec and ask them to fix
their anti-virus. It's the users of those anti-virus products who may
make these companies reconsider their current approach at inflating the
"virus" count. ;-) For example, in 2005 avast! would detect the
official build of JtR 1.6 for Win32 as name: "Win32:Trojan-gen.
{Other}", type: "Virus/Worm" (I have a user-provided screenshot). Well,
avast! no longer detects JtR (current official build for Win32), at all.
I don't know if they removed the 1.6 signature or simply didn't add a
signature for the new build, but I wouldn't be surprised if some user
complaints have helped to achieve this. :-)
> Today's approach
> - Download pwdump6-2.0.0
> - The PwDumpDebug is not detected by Symantec!
> - Extract the hash
> Administrator:500:NO PASSWORD*********************:A82FF8E15A18E4E7399D231E9B32157F:::
Well, this has what looks like a valid NTLM hash. Notice how it is 32
hex digits, not 33. JtR with the jumbo patch loads it just fine.
I assume that your problem was a copy-paste error where you inadvertently
duplicated one character.
Alexander
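
The length check described in the message above, as an added example (not part of the original post and not JtR code): a small validator for pwdump-style `user:RID:LM:NT:::` lines that reports a hash field with the wrong number of hex digits or a line broken by wrapping. The function names and the 33-digit and wrapped sample lines are constructed for illustration.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
HEX_ANY = re.compile(r"[0-9A-Fa-f]*")

def check_hash_field(name, value):
    """Return None if the field is acceptable, else a diagnostic string."""
    if value.startswith("NO PASSWORD"):
        return None  # pwdump placeholder written when no hash is stored
    if HEX32.fullmatch(value):
        return None
    if not HEX_ANY.fullmatch(value):
        return f"{name}: contains non-hex characters"
    return f"{name}: {len(value)} hex digits, expected 32"

def check_pwdump_line(line):
    """Validate one user:RID:LM:NT::: line and return a list of problems."""
    fields = line.rstrip("\r\n").split(":")
    if len(fields) < 4:
        # Typical of a line that was wrapped by a mail client or terminal
        return [f"expected at least 4 colon-separated fields, got {len(fields)}"]
    _user, rid, lm, nt = fields[:4]
    problems = []
    if not rid.isdigit():
        problems.append(f"RID {rid!r} is not numeric")
    for name, value in (("LM", lm), ("NT", nt)):
        msg = check_hash_field(name, value)
        if msg:
            problems.append(msg)
    return problems

# The line quoted in the message (32 hex digits in the NT field)
GOOD = ("Administrator:500:NO PASSWORD*********************:"
        "A82FF8E15A18E4E7399D231E9B32157F:::")
# Constructed: same line with the last character pasted twice (33 digits)
DUPLICATED = ("Administrator:500:NO PASSWORD*********************:"
              "A82FF8E15A18E4E7399D231E9B32157FF:::")
# Constructed: first half of a line that was wrapped after "NO"
WRAPPED = "Administrator:500:NO"

if __name__ == "__main__":
    for sample in (GOOD, DUPLICATED, WRAPPED):
        print(check_pwdump_line(sample) or "ok")
```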