Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 11 Nov 2011 18:29:22 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM challenge/response cracking (again...)

2011-11-11 16:42, rootkit rootkit wrote:
> I have a few NTLM C/R proxy authentications sniffed with ettercap and
> I'm trying to crack them. They look like the usual:
> 
> user:::LM:NTLM:CHALLENGE
> 
> The challenge changes every time as this is just a sniff.
> 
> Information on this topic are very difficult to find. At the beginning
> I was thinking about generating rainbow tables for each different
> CHALLENGE, but that would be really too much.

It would miss the whole point of rainbow tables. In short, if you do not
already have the tables, cracking with JtR will be quicker.

> However there's something I don't understand: does the NETLM cracking
> work only if the challenge is 1122334455667788? Would it work for any
> challenge?

JtR works for any challenge. That particular challenge stems from some
old public attacks where the challenge was forced to this value, thereby
making the salt (challenge) "worthless". And, because of this, I'm
pretty sure there are rainbow tables for that very challenge.

> I'm asking this because I tried to crack my own account (of which I
> know the password) using a dictionary with my password in it, and it
> didn't work. And it did not work with brute force either.

Like Solar said, post some example hashes. It should work if you do it
right - at least if you run JtR version 1.7.7-jumbo-5 or newer. Earlier
versions had a variety of shortcomings and was also substantially slower
for these hashes.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.