Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Sep 2010 15:08:18 -0400
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Re: Attacking Windows-ALT chars in LM Hashes

Magnum, P.I. wrote:
> On 09/09/2010 10:02 PM, Solar Designer wrote:
>>> 2) I could certainly modify dumbforce/or knownforce mode to target a
>>> limited range of the most commonly used ALT + normal characters. I
>>> guess my biggest question then is what numerical values do the ALT
>>> characters correspond to? aka is ALT-0142 represented as a character
>>> with value 142 in Windows, or is it encoded some other way?
>>
>> Apparently, these 8-bit character codes are passed into LM hashes as-is
>> (assuming that those hashes are produced at all).
> 
> Well, they are first converted from [in this case] cp1252 to utf-16le.
> 
> JtR however, cheats when doing this conversion: it just puts a 0x00
> between each char.

You mean for NT hashes I guess?

I think the correct wording would be "inserts a null after each char"
rather than "between each char". I'm not sure that is cheating. It works
and is portable across operating systems. Windows has non-portable ways
to do it, but if you want to crack NT hashes on Linux or BSD, etc then
this approach works. That's how I do it too:

	std::string unicode_string;
	unicode_string.reserve(generated_string.size()*2);
		
	std::string::const_iterator it, end(generated_string.end());

	for(it = generated_string.begin(); it != end; ++it)
	{
		unicode_string.push_back(*it);
		unicode_string.push_back('\0');
	}

That makes the ascii word "pass" look like this (spaces are for clarity):

"p NULL a NULL s NULL s NULL" // See why "after each char" is important?

After which the string can be MD4 encoded.

bytes = MD4("p NULL a NULL s NULL s NULL");

I think that is the NT hash in a nutshell.

Brad

> This works for most of the charset when converting
> from iso-8859-1 to utf-16le, but will fail on anything else. Thus,
> without rewriting JtR you will never ever crack a LM password containing
> a character whose utf-16le msb is not 0x00. There is no workaround.
> 
> In this case of ALT-0xxx keyboard codes, I guess this all means that if
> the character is the same position in iso-8859-1 as in cp1252, it will
> work, otherwise it will not.
> 
> This is a complex matter. I think I got it right, anyway this is the
> gist of it.
> 
> cheers
> magnum

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.