Message-ID: <20060608190240.GA14844@openwall.com>
Date: Thu, 8 Jun 2006 23:02:40 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM Character Limitation

On Wed, Jun 07, 2006 at 07:17:20AM -0700, Welty, Timothy wrote:
> I'm trying to crack a set of NTLM password hashes using John 1.7.2
> patched with john-ntlm-v03.diff.gz. All the passwords are known to be
> 14 characters long and are composed of a known character set.

What is your reason for cracking the NTLM hashes instead of much weaker
LM hashes? Are LM hashes of the same passwords not available?

What is that known character set, precisely - or at least how many
different characters are there?

> I defined a custom incremental mode in my john.conf per below:
>
> [Incremental:TIM]
> File = $JOHN/all.chr
> MinLen = 14
> MaxLen = 14
> CharCount = 95
[...]
> MaxLen = 14 exceeds the compile-time limit of 8
[...]
> I understand cracking the longer passwords will be difficult, but I need
> to say I tried. Is there a way around this problem?

Well, you can do several things:

1. Crack LM hashes of the same passwords instead of the NTLM hashes.
Then you do not need to go beyond MaxLen = 7.

2. Use cracking modes other than "incremental". If some of your passwords
are based on dictionary words with little other information, you will get
them cracked. Obviously, you'll run "single crack" mode and password.lst
with rules first - John does that by default (with no options given).
Then you can proceed with a larger wordlist and possibly with a larger
ruleset. Since NTLM hashes are saltless and are quite quick to compute,
you may use a huge wordlist and a lot of wordlist rules.

You can also use the [List.External:Keyboard] mode. You'd set minlength
and maxlength to 14 (your known length) within this mode's init()
function.

If your known character set is small enough (e.g., digits only), you can
define an external mode that will search the password space exhaustively.
You can modify the existing [List.External:LanMan] sample for that.

3. Modify the compile-time CHARSET_* settings in params.h, rebuild John,
generate a new .chr file, and use "incremental mode". Please refer to
this older posting for how to do that and for some reasons to not do it:

http://article.gmane.org/gmane.comp.security.openwall.john.user/11

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful? Please give your feedback here: http://rate.affero.net/solar
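The two hash constructions the reply contrasts (why point 1 gets by with MaxLen = 7 while NTLM needs all 14 characters), as an added example that is not code from the message or from John the Ripper. The sample password is constructed, and the LM part stops at the 7-byte split, omitting the DES encryption of each half.

```python
# Added example, not code from the message or from John the Ripper: the two
# hash constructions the reply contrasts. NTLM feeds all 14 characters into
# one MD4 over the UTF-16LE password; LM uppercases, pads to 14 bytes and
# splits the result into two 7-byte DES keys that are hashed independently,
# which is why LM cracking never needs candidates longer than 7 characters.
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written out because hashlib's md4 is optional on modern OpenSSL."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [i + 4 * j for i in range(4) for j in range(4)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Pad to 56 mod 64 bytes, then append the bit length as a little-endian 64-bit integer.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for n, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[n % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def ntlm_hash(password: str) -> str:
    """NTLM: MD4 of the UTF-16LE encoded password, so length 14 means 14 chars to guess."""
    return md4(password.encode("utf-16le")).hex()

def lm_halves(password: str):
    """LM preprocessing (DES step omitted): uppercase, cut/pad to 14 bytes, split 7 + 7.
    Simplification: ASCII uppercasing stands in for the OEM code page conversion."""
    p = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return p[:7], p[7:]

if __name__ == "__main__":
    pw = "Passw0rd!Secret"  # constructed sample password
    print("NTLM:", ntlm_hash(pw))
    print("LM halves:", lm_halves(pw))  # each half is attacked as its own 7-byte key
```

Each LM half is recovered on its own, so a 14-character password costs two 7-character searches over an uppercased alphabet, while the NTLM hash only falls to a candidate that matches the full 14-character, case-sensitive string.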