Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20130131035952.GA8373@openwall.com>
Date: Thu, 31 Jan 2013 07:59:52 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: NetNTLMv1

magnum, all -

Since I think you're not on Twitter:

TTYtter> /th c9
zz0> (x13) <hashcat> Exploited a NetNTLMv1 weakness which made it as easy to crack as NTLM: http://t.co/Sul7VK1p - No, this is not what CloudCracker does
zz1> <@thorsheim> @hashcat Another weakness first discovered by you? ;-)\n(if so; @dangoodin001 ...)
zz2> <@hashcat> @thorsheim @dangoodin001 I discovered it myself and afterwards found it on jtr mailinglist. They never made any use of it /cc @solardiz
zz3> <@thorsheim> @hashcat Perhaps a forum post on its implications? Speed improvements etc? / @solardiz
zz4> <@hashcat> @thorsheim @solardiz Yeah why not. Will do it once I ported it to GPU. It will be far far to fast for such an important algorithm :-)

I'm not sure what exactly atom is referring to.  There's definitely lots
of room for optimization of the code in JtR:

http://www.openwall.com/lists/john-dev/2011/04/17/1

We could switch to using JtR's faster NTLM code, and bitslice DES code
for the DES portion.  This would probably provide speeds similar to
hashcat's on that screenshot (76M c/s for NetNTLMv1 on one CPU chip), or
maybe even better.  (Looks like JtR's NTLM provides 22.6*8 = ~181M c/s
on FX-8120 - that's --test speeds combined for 8 independent processes.
Of course, actual cracking speed will be less.)

However, maybe atom somehow reduced or eliminated the DES portion from
the per-candidate loop, as I doubt he went for bitslice DES here. ;-)

Curious.

Oh, here's an idea: what if we apply the DES encryption (or decryption)
to the last of the 3 blocks, not the first?  Doesn't the last block
contain only like a couple of non-zero bytes?  (I don't recall.)  If so,
we could replace this instance of DES with a lookup table, computed just
once (e.g. at program startup, to avoid increasing program size).

Is this it?  Was it mentioned on our mailing lists before?  Maybe in the
2007 discussion with jmk, in rainbow tables context?

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.