Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jan 2014 13:35:27 -0500
From: Rich Rumble <>
Subject: Re: Cracking MSChap v2

On Tue, Jan 14, 2014 at 9:15 AM, Rob Fuller <> wrote:
> @Rich I completely agree about WCE and Mimikatz, both are amazing tools and
> clear text is great. However, both tools require coded execution and
> administrator / SYSTEM access on a machine to do this. Gaining NetNTLMv1
> hashes are MUCH easier to achieve using tools like Responder or other
Well getting a mini-dump of the lsass.exe does require higher priv's,
but that mini-dump can be copied anywhere and then you can run mimi on
it later, it can be separate machines in that sense. Prior to the
latest Alpha version of Mimi it did require it to be locally run like
WCE does still. I bet someone could carve this out of a hibernation
file too, that might be fun :)

> @magnum those are amazing speeds, are you saying that JtR jumbo already
> does NetNTLMv1 => NTLM via DES hack/bypass/brute (not sure what the right
> word is)
JtR brute forces it the "traditional way", using the challenge. JtR
takes the input candidate "pass1234", then uses the challenge to hash
the input word. If the hashes then match, you get the plain-text, if
not then move on to "passw0rd" etc.... This challenge is not very
"expensive" since you know the challenge and the hash is very quick,
so there are only a few extra operations in addition to the hashing.
Passing the hash could be done after the plain-text is found, but that
takes away the main point of passing the hash. I think someone could
write something to do what the script on that blog does + what
cloudcracker does, but the need and usefulness beyond pass-the-hash is
probably very small. l0pht, Cain&Able, HashCat, they use the
"traditional method" of bruteforcing a challenge and response.
> Finally, I totally agree the JtR is a "weak password finder". It's the same
> answer I got from hashcat team (think it was Atom but it was a while ago I
> ask (just re-asked in their channel yesterday as well). But honestly I have
> no where else to go to ask for this. The JtR and Hashcat teams would be the
> only people who could accomplish a feat like this for the public security
> community.
I agree, these guys could code that, but it's a dubious endeavor to
release, as I can only see pass-the-hash as the use case. That's not
to say it's not a good use case, it's something administrators should
worry about, just needs someone to do it I guess. (I probably would if
I could:)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.