Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 23 Dec 2009 01:26:52 +0300
From: Solar Designer <>
Subject: Re: JTR and format NTLM

On Tue, Dec 22, 2009 at 04:37:38PM -0500, madfran wrote:
> I always find the same hash,
> A82FF8E15A18E4E7399D231E9B32157F
> and this hash is not detected by JtR v-1.7.3 with jumbo patch compiled 
> under cygwin.

Why, it is detected.  Depending on how you format the file (PWDUMP-like
or Unix passwd-like), you may need to specify the "--format=nt" option.
When JtR sees a PWDUMP-like file, it focuses on LM rather than NTLM
hashes by default.

host!solar:~/john/john-$ cat pw-madfran-pwdump-1
host!solar:~/john/john-$ ./john --format=nt pw-madfran-pwdump-1
Loaded 1 password hash (NT MD4 [128/128 X2 SSE2-16])

host!solar:~/john/john-$ cat pw-madfran-pwdump-2
Administrator:0:NO PASSWORD*********************:A82FF8E15A18E4E7399D231E9B32157F:::
host!solar:~/john/john-$ ./john --format=nt pw-madfran-pwdump-2
Loaded 1 password hash (NT MD4 [128/128 X2 SSE2-16])

host!solar:~/john/john-$ cat pw-madfran-passwd  
host!solar:~/john/john-$ ./john --format=nt pw-madfran-passwd 
Loaded 1 password hash (NT MD4 [128/128 X2 SSE2-16])

The hash that you posted originally wouldn't be detected because you had
one of the characters duplicated (increasing the total length from 32 to
33 hex digits).  At first, I thought this was your problem, but I am not
sure any longer - maybe you introduced the extra character in your
john-users postings only...


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.