Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jan 2014 00:13:27 -0500
From: Rich Rumble <>
Subject: Re: Cracking MSChap v2

On Mon, Jan 13, 2014 at 8:14 PM, Rob Fuller <> wrote:
> @RichRumble => The big deal for me is because I'm an ops guy. I worry about
> useable, if the gun fires good enough to kill my enemy, it's good enough
> for me. The fact that if I can get an NetNTLMv1 hash, no matter how long or
> complex it is and in 23 hours with I can turn it into
I hope I don't take this discussion too far off of JtR, but what I say
applies to passwords (M$) so I think this will be ok. JtR jumbo does
load hashes like these
You can load them as -format=netntlm (case sens) or -format=netlm
(case insensitive)

The point I made in my comment on that blog, and one iterated by
another, was why crack the password when it's plain-text in memory.
Sniffing a challenge response might seem like it's easier, and doesn't
require Admin priv's necessarily, I'd argue that if you're in a
position to sniff, you could get admin too. There are loads of Rainbow
table sites out there, CloudCrackER (different than cloudcrack [no
"er"] but also not)is one of a hundred. Getting the hash from the
response isn't the hard part, and while cloudcracker can almost
certainly recover that part, the hash remains. Pass-the-hash can be
used at that point, I have no question about that.

> something useable (pass the hash) is huge. Problem is, I have too many
> legal and ethical concerns about submitting even a hash to an online hash
> cracking tool that this removes it from my tool box since no tool out there
> that I know of can "crack" it the same way cloud crack does.
I guess the point of the blog was it's easy to get the hash out even
when it's challenge-response, but that was known for a decade or
more.Pass-the-hash seems new, but it dates back a long while, but the
first kit I think was in 2007?

> I understand this isn't the traditional "cracking" to clear text, but it's
> certainly a game changer on the attacker / offensive security front.

WCE and Mimikatz are more game changing I think.
Mimikatz is now able to read memory dumps of the lsass.exe process
(you can right-click the process in task manager to make one) and mimi
can read that without having to be on the box, all you need is the
mem-dump and you get all windows passwords on the machine for most
accounts. WCE has to be local at this time, I believe there are others
too that can now do this.

My ultimate point was pass-the-hash isn't the one I worry about
anymore, it's every process that could possibly make a memory dump of
the lsass.exe process.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.