Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 27 Dec 2009 20:59:01 +0300
From: Solar Designer <>
Subject: Re: JTR and format NTLM

On Wed, Dec 23, 2009 at 01:26:52AM +0300, Solar Designer wrote:
> On Tue, Dec 22, 2009 at 04:37:38PM -0500, madfran wrote:
> > I always find the same hash,
> > A82FF8E15A18E4E7399D231E9B32157F
> > and this hash is not detected by JtR v-1.7.3 with jumbo patch compiled 
> > under cygwin.
> Why, it is detected.  Depending on how you format the file (PWDUMP-like
> or Unix passwd-like), you may need to specify the "--format=nt" option.
> When JtR sees a PWDUMP-like file, it focuses on LM rather than NTLM
> hashes by default.

I've addressed this in the FAQ for now by adding the following answer:

Q: Why doesn't John load my password file?  It says "No password hashes
A: With PWDUMP-format files, John focuses on LM rather than NTLM hashes
by default, and it might not load any hashes at all if there are no LM
hashes to crack.  To have JtR Pro or a build of JtR with the jumbo patch
focus on NTLM hashes instead, you need to pass the "--format=nt" option.

(The FAQ also has many other answers to the same question.)

I might address the same issue in the code later, e.g. by having JtR
print a warning and a suggestion when appropriate.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.