Date: Fri, 10 Sep 2010 00:02:45 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Attacking Windows-ALT chars in LM Hashes

Matt,

Thank you for bringing this topic up!

On Thu, Sep 09, 2010 at 01:12:14PM -0400, Charles Weir wrote:
> http://tlt.its.psu.edu/suggestions/international/accents/codealt.html

This appears to assume Windows-1252:

http://en.wikipedia.org/wiki/Windows-1252

> 2) I could certainly modify dumbforce/or knownforce mode to target a
> limited range of the most commonly used ALT + normal characters. I
> guess my biggest question then is what numerical values do the ALT
> characters correspond to? aka is ALT-0142 represented as a character
> with value 142 in Windows, or is it encoded some other way?

Apparently, these 8-bit character codes are passed into LM hashes as-is
(assuming that those hashes are produced at all). Here's a relevant thread
with some hash samples that I found when LM-hashing single 8-bit character
strings with Perl's Authen::Passphrase::LANManager and Googling for the
resulting hashes:

http://www.freerainbowtables.com/phpBB3/topic387-120.html

LM hashes use 8-bit characters internally, so this is natural. (But this
is not the case for NTLM.)

> 3) As a similar question, I remember reading somewhere that LANMAN
> doesn't handle certain ALT characters, (in which case you would only
> end up with NTLM hashes). Does anyone have a list of the allowed ALT
> characters? Also does Windows LM capitalize ALT characters like
> ALT-0228 which is the lowercase a with the umlaut?

Good questions. I don't know the answers.

> 4) Is there a way to include these ALT characters in John's wordlist
> rules? For example, I'd like to have a rule sa"ALT-0228", which would
> replace 'a' with the ALT-0228 character. I guess what I'm trying to
> say is if there is a way to specify the hex value of a character vs
> just typing it in the config file.

This was requested before and it is on my to-do list. Your request for
this feature has just raised its priority.

> Now I'll freely admit, not many people use ALT characters, but when I
> do run across an 'Unbreakable' LM hash I'd love to have a few tricks
> up my sleeve to deal with it.

During the contest, I tried an overstrike-one-char-in-every-pos ruleset
line with all non-control 8-bit characters in it (a preprocessor range
starting with the space character and ending with the character with code
0xff). This didn't help in the contest, but overall it is a reasonable
approach to use against fast hashes where you suspect that some passwords
have exactly one 8-bit character. Of course, it'd be more convenient to
type such a line in with the feature requested above (not having to type
the weird character as-is). Also, maybe such a line should be included in
a ruleset bundled with JtR.

> Also, if they are using a different
> codepage encoding, (instead of using ALT characters), that opens up a
> whole new can of worms.

If you try the entire 8-bit range rather than individual characters, it
probably does not. If the non-ASCII characters are getting converted to
uppercase, then this is likely affected by the current codepage, though.

> Finally on a somewhat unrelated note, is there any easy way to search
> through the mailing list archive. I've looked through the selected
> posts on the wiki, and found the actual mailing list archive at
> http://www.openwall.com/lists/john-users/, but I was wondering if
> there was a search option, since I really doubt I'm the first person
> to run into this problem and I hate spamming the list with questions
> that have already been answered.

Here you are:

http://dir.gmane.org/gmane.comp.security.openwall.john.user
http://marc.info/?l=john-users

These are linked from the JtR homepage.

Thanks again,

Alexander
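Added example, not part of the message above and not John the Ripper's own code. It works through the two points the reply makes: an ALT-0nnn keystroke becomes the single Windows-1252 byte nnn, which LM consumes as-is (ASCII uppercased, 14-byte field, NUL padded) while NT hashing sees the same character as UTF-16LE; and the "overstrike one 8-bit character in every position" candidate generator that the reply describes, plus a small `s` rule that takes a hex escape so the character need not be typed literally. Assumptions: the code page is Windows-1252 (as the reply notes for the linked ALT-code table); non-ASCII bytes are left uncased before LM, which the reply explicitly leaves open; and the `\xHH` escape syntax in `parse_s_rule` is this example's own, not a claim about JtR's rule language. No DES or MD4 is run here, only the inputs that would be hashed.

```python
import re

CP = "cp1252"  # assumption: Western Windows code page, as the linked ALT table implies


def alt_code_to_byte(code: int) -> bytes:
    """ALT-0nnn enters the character whose value in the ANSI code page is nnn.

    Under the cp1252 assumption that character is a single byte of value nnn.
    """
    if not 0 <= code <= 0xFF:
        raise ValueError("ALT-0nnn codes are single code-page bytes (0..255)")
    return bytes([code])


def lm_input(password: bytes) -> bytes:
    """The 14-byte block an LM hash is computed over.

    bytes.upper() only touches ASCII a-z, so bytes 0x80..0xFF pass through
    unchanged. Whether Windows also uppercases non-ASCII (codepage-dependent)
    is left open in the thread; leaving them alone is an assumption.
    """
    return password.upper()[:14].ljust(14, b"\x00")


def nt_input(password: bytes) -> bytes:
    """The buffer an NT (MD4) hash is computed over: UTF-16LE, not 8-bit.

    The same cp1252 byte 0xE4 (ALT-0228, "ä") becomes U+00E4 -> b'\\xe4\\x00'.
    """
    return password.decode(CP).encode("utf-16-le")


def overstrike_candidates(word: bytes, low: int = 0x20, high: int = 0xFF):
    """Replace one position of word with every byte in [low, high].

    This is the ruleset line described in the reply (a preprocessor range
    from space to 0xff, overstruck in every position); the unchanged word
    itself comes out once per position, so callers may want to dedupe.
    """
    for pos in range(len(word)):
        for c in range(low, high + 1):
            yield word[:pos] + bytes([c]) + word[pos + 1 :]


_ESC = re.compile(rb"\\x([0-9a-fA-F]{2})")


def _unescape(s: bytes) -> bytes:
    # example-only syntax: \xHH stands for the byte HH
    return _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), s)


def parse_s_rule(rule: str):
    """Parse 's<old><new>' where either char may be written as \\xHH.

    Returns (old, new) as single bytes, e.g. 'sa\\xe4' -> (b'a', b'\\xe4').
    """
    body = _unescape(rule.encode("ascii"))
    if len(body) != 3 or body[:1] != b"s":
        raise ValueError("expected s<old><new> with single characters")
    return body[1:2], body[2:3]


def apply_s_rule(word: bytes, old: bytes, new: bytes) -> bytes:
    """Substitute every occurrence of old with new, like JtR's 's' command."""
    return word.replace(old, new)


if __name__ == "__main__":
    a_umlaut = alt_code_to_byte(228)          # ALT-0228
    pw = b"pass" + a_umlaut                   # constructed sample password
    print("LM input :", lm_input(pw).hex())
    print("NT input :", nt_input(pw).hex())
    old, new = parse_s_rule("sa\\xe4")
    print("rule     :", apply_s_rule(b"banana", old, new))
    print("overstrike candidates for 'abcd':", sum(1 for _ in overstrike_candidates(b"abcd")))
```

The practical consequence for cracking is visible in the two inputs: an LM attack can enumerate the 0x80..0xFF bytes directly, whereas the same candidate has to be transcoded to UTF-16LE before MD4 for the NT hash, and a different code page would change which Unicode character byte 0xE4 maps to in the NT case but not the raw byte fed to LM.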