Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Apr 2015 21:51:05 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM proxy auth

On 2015-04-17 09:29, Micha Borrmann wrote:
> Am 17.04.2015 um 00:28 schrieb Frank Dittrich:
>> On 04/17/2015 12:05 AM, Micha Borrmann wrote:
>>> thanks for the hints. I manually created the hashfile and it seems there
>>> is a bug in JtR: I know one password but JtR was not able to recover it.
>>> But with another tool (oclHashcat), it was possible to recover it (and
>>> to confirm, that my hash was extracted correctly).
>>
>> Can you supply a sample hash and the known password?
>> Then someone could look into this.
>
> There are information like name of the used active directory in the
> hash. For privacy reasons, I will not distribute it.

Was this with 1.8.0-jumbo-1 or some later snapshot? Our NET*LM* formats 
are pretty well tested in our Test Suite so I wonder what could be going 
on here.

Was this NTLMv1, as in -m 5500 for Hashcat? Was it formatted just like 
on the Hashcat samples page, or was there any difference in what fields 
were used/empty?
	http://hashcat.net/wiki/doku.php?id=example_hashes

Was there any non-ascii character involved (in names or plaintext)? I 
guess this is not the problem because Hashcat can only do 8859-1 and 
that's what we do by default. Although if you did change codepage 
settings in john.conf (eg. to UTF-8), this could be a problem if you 
then use an input file that doesn't match the settings.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.