Date: Fri, 10 Sep 2010 12:47:02 -0400
From: Charles Weir <>
Subject: Re: Attacking Windows-ALT chars in LM Hashes

Hey thanks Solar! I have a couple more comments inline:

> Here's a relevant thread with some hash samples that I found when
> LM-hashing single 8-bit character strings with Perl's
> Authen::Passphrase::LANManager and Googling for the resulting hashes:

Wow, that thread was exactly what I was looking for. I'm still digging
through it and I need to run some sanity tests myself, but it implies
that we can really speed up Dumbforce mode against LM hashes, (at
least when CodePage 437 - the default one for English - is used). It
also seems to imply that the current Dumbforce mode might miss several
password hashes. That is because some of the characters are mapped
back to control characters when they are run through the LM hashing
algorithm. For example, the character with the value 149 is mapped
back to 7, (which is the ASCII value for a BELL). Think of it like how
lowercase characters are mapped to uppercase characters. At the same
time, since many of the upper value characters are mapped to other
values, we can safely skip them, (once again I'm only talking about
CP 437).

> This was requested before and it is on my to-do list.  Your request for
> this feature has just raised its priority.

Hey thanks! It's a pretty rare issue to be dealing with so there's no
real hurry. I'm probably just going to write an external program to do
that and just pipe the results into JtR. The -stdin option is still
the best feature I've seen in any password cracking program, and is
one of the main reasons I use JtR.

>> Also, if they are using a different
>> codepage encoding, (instead of using ALT characters), that opens up a
>> whole new can of worms.
> If you try the entire 8-bit range rather than individual characters, it
> probably does not.  If the non-ASCII characters are getting converted to
> uppercase, then this is likely affected by the current codepage, though.

I agree, if you search through the entire 8-bit range it doesn't
matter. It looks like any optimizations though will
be highly dependent on the codepage being attacked.

> Here you are:
> These are linked from the JtR homepage.

D'oh, didn't see that, and thanks once again!
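
The folding described in the message above, as an added example that is not part of the original post or of JtR: given a table of which typed byte ends up in the LM key material, it works out which bytes a password audit can skip and which it must add. Only the 149 -> 7 entry comes from the message and ASCII uppercasing is standard LM behaviour; the 32..255 brute-force range and treating every other high byte as unchanged are assumptions, so a real CP 437 table would have more entries.

```python
# Added example. Assumptions: brute-force range 32..255; all high bytes
# except 149 are left unchanged (the full CP 437 table is not on the page).

CP437_REPORTED = {149: 7}        # from the message: 149 folds to 7 (BELL)
TYPEABLE = range(32, 256)        # assumed range a brute-forcer walks


def build_fold_table(overrides):
    """256-entry table: byte as typed -> byte that reaches the LM DES key."""
    table = list(range(256))
    for c in range(ord("a"), ord("z") + 1):
        table[c] = c - 32        # LM uppercases ASCII letters
    for src, dst in overrides.items():
        table[src] = dst         # codepage-specific folds
    return table


def canonical(candidate, table):
    """Fold a candidate the way the hash input would be folded."""
    return bytes(table[b] for b in candidate)


def plan_charset(typeable, table):
    """Return (bytes worth trying, bytes to skip, bytes to add)."""
    typed = set(typeable)
    image = {table[b] for b in typed}      # values that can reach the key
    skip = sorted(typed - image)           # folded away, never hashed as-is
    extra = sorted(image - typed)          # reachable only through a fold
    return sorted(image), skip, extra


TABLE = build_fold_table(CP437_REPORTED)

if __name__ == "__main__":
    keys, skip, extra = plan_charset(TYPEABLE, TABLE)
    print("bytes per position:", len(TYPEABLE), "->", len(keys))
    print("skip:", skip)
    print("add (outside the walked range):", extra)
    # Two candidates that fold to the same bytes hash identically.
    print(canonical(b"pa\x95s", TABLE) == canonical(b"PA\x07S", TABLE))
```
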

