Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Sep 2010 00:02:45 +0400
From: Solar Designer <>
Subject: Re: Attacking Windows-ALT chars in LM Hashes


Thank you for bringing this topic up!

On Thu, Sep 09, 2010 at 01:12:14PM -0400, Charles Weir wrote:

This appears to assume Windows-1252:

> 2) I could certainly modify dumbforce/or knownforce mode to target a
> limited range of the most commonly used ALT + normal characters. I
> guess my biggest question then is what numerical values do the ALT
> characters correspond to? aka is ALT-0142 represented as a character
> with value 142 in Windows, or is it encoded some other way?

Apparently, these 8-bit character codes are passed into LM hashes as-is
(assuming that those hashes are produced at all).

Here's a relevant thread with some hash samples that I found when
LM-hashing single 8-bit character strings with Perl's
Authen::Passphrase::LANManager and Googling for the resulting hashes:

LM hashes use 8-bit characters internally, so this is natural.
(But this is not the case for NTLM.)

> 3) As a similar question, I remember reading somewhere that LANMAN
> doesn't handle certain ALT characters, (in which case you would only
> end up with NTLM hashes). Does anyone have a list of the allowed ALT
> characters? Also does Windows LM capitalize ALT characters like
> ALT-0228 which is the lowercase a with the umlaut?

Good questions.  I don't know the answers.

> 4) Is there a way to include these ALT characters in John's wordlist
> rules? For example, I'd like to have a rule sa"ALT-0288", which would
> replace 'a' with the ALT-0228 character. I guess what I'm trying to
> say is if there is a way to specify the hex value of a character vs
> just typing it in the config file.

This was requested before and it is on my to-do list.  Your request for
this feature has just raised its priority.

> Now I'll freely admit, not many people use ALT characters, but when I
> do run across an 'Unbreakable' LM hash I'd love to have a few tricks
> up my sleeve to deal with it.

During the contest, I tried an overstrike-one-char-in-every-pos ruleset
line with all non-control 8-bit characters in it (a preprocessor range
starting with the space character and ending with the character with
code 0xff).  This didn't help in the contest, but overall it is a
reasonable approach to use against fast hashes where you suspect that
some passwords have exactly one 8-bit character.  Of course, it'd be
more convenient to type such a line in with the feature requested above
(not having to type the weird character as-is).  Also, maybe such a line
should be included in a ruleset bundled with JtR.

> Also, if they are using a different
> codepage encoding, (instead of using ALT characters), that opens up a
> whole new can of worms.

If you try the entire 8-bit range rather than individual characters, it
probably does not.  If the non-ASCII characters are getting converted to
uppercase, then this is likely affected by the current codepage, though.

> Finally on a somewhat unrelated note, is there any easy way to search
> throught the mailing list archive. I've looked through the selected
> posts on the wiki, and found the actual mailing list archie at
>, but I was wondering if
> there was a search option, since I really doubt I'm the first person
> to run into this problem and I hate spamming the list with questions
> that have already been answered.

Here you are:

These are linked from the JtR homepage.

Thanks again,


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.