Date: Tue, 14 Jan 2014 00:13:27 -0500
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking MSChap v2

On Mon, Jan 13, 2014 at 8:14 PM, Rob Fuller <jd.mubix@...il.com> wrote:
> @RichRumble => The big deal for me is because I'm an ops guy. I worry about
> usable; if the gun fires good enough to kill my enemy, it's good enough
> for me. The fact that if I can get a NetNTLMv1 hash, no matter how long or
> complex it is, and in 23 hours with cloudcrack.com I can turn it into
I hope I don't take this discussion too far off of JtR, but what I say
applies to passwords (M$) so I think this will be ok. JtR jumbo does
load hashes like these. You can load them as -format=netntlm (case
sensitive) or -format=netlm (case insensitive):
ADMIN:::59DE5D885E583167C3A9A92AC42C0AE52F85252CC731BB25:5ADA49D539BD174E7049805DC1004925E25130C33DBE892A:1122334455667788
ADMIN:::76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788

The point I made in my comment on that blog, and one iterated by
another, was: why crack the password when it's plain-text in memory?
Sniffing a challenge response might seem like it's easier, and doesn't
necessarily require admin privs, but I'd argue that if you're in a
position to sniff, you could get admin too. There are loads of Rainbow
table sites out there; CloudCrackER (different than cloudcrack [no
"er"] but also not) is one of a hundred. Getting the hash from the
response isn't the hard part, and while cloudcracker can almost
certainly recover that part, the hash remains. Pass-the-hash can be
used at that point, I have no question about that.

> something usable (pass the hash) is huge. Problem is, I have too many
> legal and ethical concerns about submitting even a hash to an online hash
> cracking tool that this removes it from my tool box since no tool out there
> that I know of can "crack" it the same way cloud crack does.
I guess the point of the blog was it's easy to get the hash out even
when it's challenge-response, but that was known for a decade or
more. Pass-the-hash seems new, but it dates back a long while; the
first kit I think was in 2007?

> I understand this isn't the traditional "cracking" to clear text, but it's
> certainly a game changer on the attacker / offensive security front.

WCE and Mimikatz are more game changing, I think.
http://www.ampliasecurity.com/research/wcefaq.html
http://blog.gentilkiwi.com/mimikatz https://github.com/thomhastings/mimikatz-en
Mimikatz is now able to read memory dumps of the lsass.exe process
(you can right-click the process in Task Manager to make one), and mimi
can read that without having to be on the box: all you need is the
mem-dump and you get all Windows passwords on the machine for most
accounts. WCE has to be local at this time; I believe there are others
too that can now do this.

My ultimate point was that pass-the-hash isn't the one I worry about
anymore; it's every process that could possibly make a memory dump of
the lsass.exe process.
-rich
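As an added example (not code from the mail above or from JtR itself): a small Python helper that takes the colon-separated capture lines quoted in the mail, checks the field widths, and sorts them into the $NETLM$ / $NETNTLM$ tagged lines that I assume jumbo accepts for -format=netlm and -format=netntlm. The third input line is constructed to show a client that copied its NT response into the LM field (common when LM is disabled), and the fourth is deliberately malformed.

```python
import re

# Two capture lines quoted in the mail, plus two constructed lines: one whose
# LM field is just a copy of the NT response, and one with a truncated LM field.
SAMPLE_CAPTURE = """\
ADMIN:::59DE5D885E583167C3A9A92AC42C0AE52F85252CC731BB25:5ADA49D539BD174E7049805DC1004925E25130C33DBE892A:1122334455667788
ADMIN:::76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
USER2:::727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
BROKEN:::DEADBEEF:5ADA49D539BD174E7049805DC1004925E25130C33DBE892A:1122334455667788
"""

_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def parse_capture_line(line):
    """Parse 'user:::lmresp:ntresp:challenge' into the tagged forms
    ($NETLM$ / $NETNTLM$, assumed jumbo input syntax).
    Each response is 24 bytes (48 hex), the challenge 8 bytes (16 hex)."""
    fields = line.strip().split(":")
    if len(fields) != 6:
        raise ValueError("expected user:::lmresp:ntresp:challenge")
    user, lm_resp, nt_resp, challenge = fields[0], fields[3], fields[4], fields[5]
    for name, value, width in (("lmresp", lm_resp, 48),
                               ("ntresp", nt_resp, 48),
                               ("challenge", challenge, 16)):
        if len(value) != width or not _HEX.match(value):
            raise ValueError(f"{name} must be {width} hex chars")
    # If the LM field merely repeats the NT response it carries no LM-hash
    # derived data, so loading it under -format=netlm would waste time.
    lm_is_copy = lm_resp.upper() == nt_resp.upper()
    return {
        "user": user,
        "netntlm": f"$NETNTLM${challenge}${nt_resp}",
        "netlm": None if lm_is_copy else f"$NETLM${challenge}${lm_resp}",
    }


def split_for_john(capture_text):
    """Sort a capture into one list per JtR format, keeping rejects with reasons."""
    out = {"netntlm": [], "netlm": [], "rejected": []}
    for raw in capture_text.splitlines():
        if not raw.strip():
            continue
        try:
            rec = parse_capture_line(raw)
        except ValueError as exc:
            out["rejected"].append((raw, str(exc)))
            continue
        out["netntlm"].append(f"{rec['user']}:{rec['netntlm']}")
        if rec["netlm"]:
            out["netlm"].append(f"{rec['user']}:{rec['netlm']}")
    return out


if __name__ == "__main__":
    for fmt, lines in split_for_john(SAMPLE_CAPTURE).items():
        print(fmt, *lines, sep="\n  ")
```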
