Date: Sun, 27 Dec 2009 20:59:01 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: JTR and format NTLM On Wed, Dec 23, 2009 at 01:26:52AM +0300, Solar Designer wrote: > On Tue, Dec 22, 2009 at 04:37:38PM -0500, madfran wrote: > > I always find the same hash, > > A82FF8E15A18E4E7399D231E9B32157F > > and this hash is not detected by JtR v-1.7.3 with jumbo patch compiled > > under cygwin. > > Why, it is detected. Depending on how you format the file (PWDUMP-like > or Unix passwd-like), you may need to specify the "--format=nt" option. > When JtR sees a PWDUMP-like file, it focuses on LM rather than NTLM > hashes by default. I've addressed this in the FAQ for now by adding the following answer: Q: Why doesn't John load my password file? It says "No password hashes loaded". [...] A: With PWDUMP-format files, John focuses on LM rather than NTLM hashes by default, and it might not load any hashes at all if there are no LM hashes to crack. To have JtR Pro or a build of JtR with the jumbo patch focus on NTLM hashes instead, you need to pass the "--format=nt" option. (The FAQ also has many other answers to the same question.) I might address the same issue in the code later, e.g. by having JtR print a warning and a suggestion when appropriate. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.