Date: Thu, 15 Nov 2012 08:06:41 -0500 From: Rich Rumble <richrumble@...il.com> To: john-users@...ts.openwall.com Subject: Re: LM with empty strings = password longer than 15 chars? On Thu, Nov 15, 2012 at 7:25 AM, Aleksey Cherepanov <aleksey.4erepanov@...il.com> wrote: > Windows 7 does not support LM hashes. So passwords of any length would > have LM hashes empty. It does still support them, BUT by default they are disabled, it can be re-enabled but that's not a good idea (security wise). > (Empty LM hashes are a sign of password length greater than 14 only on > Windows XP (and only if LM hashes are enabled, I guess the most system > are so)). This is kinda the same thing, you CAN turn LM on/off in win2k and XP (as well as the others), it's a good idea to have LM disabled from a security point of view, but from a recovery point of view it sometimes makes it harder. If LM is enabled, and it's the blank hash, THEN you can assume it's 15 or more characters. We always recommend people disable LM using GPO's. That does not erase current LM hashes, and AD remembers (8 by default) previous LM hashes even after this setting is enabled, but once enabled, and passwords from that point do not remember the LM hash. So once you enable the setting, and change your password, then only 7 LM hashes are remain in the NTDS.dit file for that user. > So you need to load NT hashes. I guess the easiest to do that is to > add '--format=nt' option to your invocation of John. Yep, even without knowing the specifics of the LM settings, the blank hash in the LM spot mean use NT or NT2 (is one faster than the other? I've never been clear on that...) They are both the same format, so I'm not sure why there are 2 implementations of it. -rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.