Date: Tue, 14 Jan 2014 00:13:27 -0500 From: Rich Rumble <richrumble@...il.com> To: john-users@...ts.openwall.com Subject: Re: Cracking MSChap v2 On Mon, Jan 13, 2014 at 8:14 PM, Rob Fuller <jd.mubix@...il.com> wrote: > @RichRumble => The big deal for me is because I'm an ops guy. I worry about > useable, if the gun fires good enough to kill my enemy, it's good enough > for me. The fact that if I can get an NetNTLMv1 hash, no matter how long or > complex it is and in 23 hours with cloudcrack.com I can turn it into I hope I don't take this discussion too far off of JtR, but what I say applies to passwords (M$) so I think this will be ok. JtR jumbo does load hashes like these You can load them as -format=netntlm (case sens) or -format=netlm (case insensitive) ADMIN:::59DE5D885E583167C3A9A92AC42C0AE52F85252CC731BB25:5ADA49D539BD174E7049805DC1004925E25130C33DBE892A:1122334455667788 ADMIN:::76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788 The point I made in my comment on that blog, and one iterated by another, was why crack the password when it's plain-text in memory. Sniffing a challenge response might seem like it's easier, and doesn't require Admin priv's necessarily, I'd argue that if you're in a position to sniff, you could get admin too. There are loads of Rainbow table sites out there, CloudCrackER (different than cloudcrack [no "er"] but also not)is one of a hundred. Getting the hash from the response isn't the hard part, and while cloudcracker can almost certainly recover that part, the hash remains. Pass-the-hash can be used at that point, I have no question about that. > something useable (pass the hash) is huge. Problem is, I have too many > legal and ethical concerns about submitting even a hash to an online hash > cracking tool that this removes it from my tool box since no tool out there > that I know of can "crack" it the same way cloud crack does. I guess the point of the blog was it's easy to get the hash out even when it's challenge-response, but that was known for a decade or more.Pass-the-hash seems new, but it dates back a long while, but the first kit I think was in 2007? > I understand this isn't the traditional "cracking" to clear text, but it's > certainly a game changer on the attacker / offensive security front. WCE and Mimikatz are more game changing I think. http://www.ampliasecurity.com/research/wcefaq.html http://blog.gentilkiwi.com/mimikatz https://github.com/thomhastings/mimikatz-en Mimikatz is now able to read memory dumps of the lsass.exe process (you can right-click the process in task manager to make one) and mimi can read that without having to be on the box, all you need is the mem-dump and you get all windows passwords on the machine for most accounts. WCE has to be local at this time, I believe there are others too that can now do this. My ultimate point was pass-the-hash isn't the one I worry about anymore, it's every process that could possibly make a memory dump of the lsass.exe process. -rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.