Date: Tue, 2 May 2006 19:11:26 +0200 (CEST)
From: rembrandt@...erlin.de
To: john-users@...ts.openwall.com
Subject: Re: JtR & NTLMv2 passwords


> On Tue, May 02, 2006 at 02:18:13PM +0200, Guillaume Arcas wrote:
>> I'm a bit confused about the ability of JtR to crack Windows passwords
>> that use
>> NTLMv2 format.
>
> This question itself is confusing.
>
> My (limited) understanding is that NTLMv2 is a revision of the NTLM
> authentication protocol as described, for example, here:
>
> 	http://davenport.sourceforge.net/ntlm.html
>
> However, even when NTLMv2 is in use, the underlying password hashes
> that are stored on Windows systems are plain NTLM, not NTLMv2 (there's
> no such thing as an NTLMv2 password hash; instead, there are NTLMv2
> challenge responses).
>
> JtR supports LM and NTLM hashes (the latter with the contributed patch)
> that are stored on Windows systems.
>
> JtR does not support sniffed NTLM protocol challenge/response pairs.

That is correct, but there are sniffers.
Attackers could DoS a special port at e.g. a domain controller to make it
(and all clients) fall back to NTLMv1, but since 2000 NTLMv2 is the default
(if you don't force them to fall back :)).

With NTLMv2 they simply corrected a mistake which leads to an easy-to-build
codebook (aka "rainbow book") (~80GB) for NTLMv1.

Supporting NTLMv2 would be neat indeed, because brute force is the only way
to crack this stuff (as far as I know).


Rembrandt
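Added illustration, not part of this thread or of JtR: the Python below walks through the two things the quoted reply distinguishes, the unsalted NT hash that Windows stores (MD4 over the UTF-16LE password) and the NTLMv2 challenge response derived from it per logon (HMAC-MD5 keyed by the NT hash over user/domain, then over server challenge plus client blob, as in the davenport document linked above). The password, user, domain, challenges and timestamp are constructed sample values; MD4 is implemented inline because hashlib's md4 depends on OpenSSL's legacy provider; the blob carries no target-info AV pairs.

```python
import hmac, struct, hashlib

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (avoids OpenSSL legacy-provider dependence)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [(F, 0x00000000, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15))]
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # pad to 56 mod 64, then append the bit length little-endian
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate register roles for the next step
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    # What Windows stores in the SAM / NTDS: MD4 of the UTF-16LE password, no salt
    return md4(password.encode("utf-16le"))

def ntlmv2_response(password, user, domain, server_challenge, client_challenge, timestamp, target_info=b""):
    # NTOWFv2: HMAC-MD5 keyed by the NT hash over uppercase(user) + domain (UTF-16LE)
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    # "temp" blob: version header, reserved, FILETIME timestamp, client nonce, target info
    blob = (b"\x01\x01\x00\x00\x00\x00\x00\x00" + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob   # NTProofStr followed by the blob it covers

if __name__ == "__main__":
    # Constructed sample values; a real exchange takes server_challenge from the Type 2 message
    pw, user, dom = "password", "alice", "CORP"
    client_nonce, ts = bytes(range(8)), 0x01C5D5B6A1B2C3D4
    r1 = ntlmv2_response(pw, user, dom, b"\x11" * 8, client_nonce, ts)
    r2 = ntlmv2_response(pw, user, dom, b"\x22" * 8, client_nonce, ts)
    print("stored NT hash :", nt_hash(pw).hex())   # same for every logon
    print("NTProofStr #1  :", r1[:16].hex())       # changes with each server challenge
    print("NTProofStr #2  :", r2[:16].hex())
```

The stored value is the same plain NT hash whether the host negotiates NTLM or NTLMv2; only the wire response is keyed by user, domain and both challenges, which is why a captured NTLMv2 exchange cannot be precomputed into a codebook the way NTLMv1 responses could.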