Date: Mon, 14 Nov 2011 08:17:36 +0100 From: rootkit rootkit <rootkit77@...il.com> To: john-users@...ts.openwall.com Subject: Re: NTLM challenge/response cracking (again...) On Sat, Nov 12, 2011 at 1:10 AM, rootkit rootkit <rootkit77@...il.com> wrote: > I'm a little bit confused now. From NETNTLMv2_fmt_plug.c I see that > the challenge/response should be in the following format > > USERNAME::DOMAIN:SERVER CHALLENGE:NTLMv2 RESPONSE:CLIENT CHALLENGE > > where ServerChallenge is 8 bytes, NTLMv2Response is 16 bytes, and > ClientChallenge is variable (90 bytes in the example provided). > > My sample looks more to be in the NTLM format. From NETNTLM_fmt_plug.c > > USERNAME:::LM RESPONSE:NTLM RESPONSE:CHALLENGE > > with both LMResponse and NTLMResponse being 24 bytes. > > How should I format it in the NETNTLMv2 cracking mode? > > I take a wild guess here: maybe ettercap does not recognize NTLMv2 > (development stopped in 2005) and is trunkating the NTLMv2 response at > the 24th byte. That would explain why all my captured hashes terminate > with 0101000000000000. Hello, so, I guess I was right (or at least in the right direction). Ettercap doesn't dump properly NTLMv2 authentication C/R, instead it's formatting them as NTLMv1. So I tried a different approach, using wireshark to capture the packets, and then extracting the hashes myself. Cracking them with john NETNTLMv2 mode worked wonderfully. Thanks again for your help.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.