Message-ID: <20150514155945.GA18235@openwall.com>
Date: Thu, 14 May 2015 18:59:45 +0300
From: Aleksey Cherepanov <lyosha@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Johnny: 1.5.2 Hash type suggestion/guessing, using
 --show=types (was: displaying full meta information about hashes with
 --show=types)

Mathieu,

On Thu, May 14, 2015 at 10:39:24AM -0500, Mathieu Laprise wrote:
> Aleksey said:
> 
> > The patch was pulled into the bleeding-jumbo branch (default). So pull the
> > new version and try to run it against some files. You'll see the
> > output; the format is described above. A skeleton of a parser in Perl is
> > attached.
> >
> I played with the latest bleeding-jumbo branch and show=types and now I
> understand the output and the format you described. Thanks.

Good.

> Is it our goal
> to call the Perl script in Johnny, or is it just to help me write a C++
> function?

The Perl script is supposed to help you write the parser in C++. It is
supposed to be called from Johnny. The output from --show=types is
better for Johnny than the output of the parser.

> > Files in PWDUMP format need special handling: per line list show only
> > lm and nt, lm for 3rd field and nt for 4th field. IIRC Johnny shows lm
> > and nt on separate lines. When you read the file with hashes, you may
> > need to remember if line is in PWDUMP format. I am sure you'll find a
> > way to connect everything correctly.
> >
> I haven't worked yet with that kind of file. I've only used /etc/shadow files
> in john so far. I've done some research on Google about LM and NT password hashes
> and pwdumping of the SAM to understand what you are talking about. I found this
> sample that I sent to john --show=types
> Input:
> Administrator:500:207277225E983B147AC464727886BD82:90BBDB25BC6556610DAA4F03900FBE9

I guess this line is from
http://h.foofus.net/?page_id=55
and it is not full, the full line from the site is
Administrator:500:207277225E983B147AC464727886BD82:90BBDB25BC6556610DAA4F03900FBE92:::

> The website where I found it said it has LM and NT (not sure if it's true,
> the Windows things are really new to me and I seriously lack files to test
> for now :( ).
> Output:
> Administrator:207277225E983B147AC464727886BD82:500:::::LM:0:0:1:$LM$207277225e983b14:$LM$7ac464727886bd82:0:
> Output parser:
> valid format LM (disabled 0, dynamic 0)
> orig: 207277225E983B147AC464727886BD82
> 2 parts:
>   $LM$207277225e983b14
>   $LM$7ac464727886bd82
> 
> Is it normal that the 4th field 90BBDB25BC6556610DAA4F03900FBE9 seems to
> be ignored? I thought it was supposed to be the NT one?

Without "2" on the end, there are 31 hex digits, so it is not a
correct NT hash.

> Is the field "2 parts:" from the last example's parser important for Johnny, or
> is it only the orig: XXXXXXXXx thing that is important?

The orig thing is already loaded into the table view. For suggesting types, it is
not important at all.

Thanks!

-- 
Regards,
Aleksey Cherepanov
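The PWDUMP handling discussed in this thread (LM in the 3rd field, NT in the 4th, and a 4th field of only 31 hex digits not being a valid NT hash) can be checked with a small, self-contained parser. The following is an added example written for this archive page; it is not code from Johnny, from John the Ripper, or from the attached Perl skeleton. The struct and function names (PwdumpEntry, parsePwdumpLine, isHex) are hypothetical, and the sample lines in main() are the two Administrator lines quoted in the thread. The LM halves are produced the same way --show=types shows them: the 32-hex LM field is lowercased and split into two 16-hex parts, each prefixed with $LM$.

```cpp
// Added example, not Johnny's or JtR's own code: parse a PWDUMP-style line
// (user:rid:LM:NT:::) and validate the LM and NT fields by hex length.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical struct holding one parsed PWDUMP line.
struct PwdumpEntry {
    std::string user;
    std::string rid;
    std::string lm;                      // 3rd field
    std::string nt;                      // 4th field
    bool lm_valid = false;               // 32 hex digits
    bool nt_valid = false;               // 32 hex digits
    std::vector<std::string> lm_halves;  // "$LM$" + each 16-hex half, when lm_valid
};

// Split on ':' keeping empty fields, so "a:::" yields {"a","","",""}.
static std::vector<std::string> splitColons(const std::string &line) {
    std::vector<std::string> fields;
    std::string cur;
    for (char c : line) {
        if (c == ':') { fields.push_back(cur); cur.clear(); }
        else cur += c;
    }
    fields.push_back(cur);
    return fields;
}

// True only if s is exactly `expected` hex digits long.
static bool isHex(const std::string &s, std::size_t expected) {
    if (s.size() != expected) return false;
    for (unsigned char c : s)
        if (!std::isxdigit(c)) return false;
    return true;
}

static std::string toLower(std::string s) {
    for (char &c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Returns false if the line does not even have the four PWDUMP fields.
// A malformed hash field does not reject the line; it just flags the
// field as invalid, which is what the caller needs to know for type hints.
bool parsePwdumpLine(const std::string &line, PwdumpEntry &out) {
    std::vector<std::string> f = splitColons(line);
    if (f.size() < 4) return false;
    out.user = f[0];
    out.rid = f[1];
    out.lm = f[2];
    out.nt = f[3];
    out.lm_valid = isHex(out.lm, 32);
    out.nt_valid = isHex(out.nt, 32);
    out.lm_halves.clear();
    if (out.lm_valid) {
        std::string low = toLower(out.lm);
        out.lm_halves.push_back("$LM$" + low.substr(0, 16));
        out.lm_halves.push_back("$LM$" + low.substr(16, 16));
    }
    return true;
}

int main() {
    // Both lines are the ones quoted in the thread: the first is truncated
    // (31 hex digits in the NT field), the second is the full line.
    const char *lines[] = {
        "Administrator:500:207277225E983B147AC464727886BD82:90BBDB25BC6556610DAA4F03900FBE9",
        "Administrator:500:207277225E983B147AC464727886BD82:90BBDB25BC6556610DAA4F03900FBE92:::",
    };
    for (const char *l : lines) {
        PwdumpEntry e;
        if (!parsePwdumpLine(l, e)) { std::cout << "not a pwdump line\n"; continue; }
        std::cout << e.user << ": LM " << (e.lm_valid ? "valid" : "invalid")
                  << ", NT " << (e.nt_valid ? "valid" : "invalid")
                  << " (" << e.nt.size() << " hex digits)\n";
        for (const std::string &h : e.lm_halves) std::cout << "  " << h << "\n";
    }
    return 0;
}
```

Run against the truncated line, the parser reports LM valid and NT invalid with 31 digits, which is exactly why --show=types only listed LM for it; the full line passes both checks.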
