Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <78784280607080728g1fc95dd4r9eb77de8e6fef774@mail.gmail.com>
Date: Sat, 8 Jul 2006 10:28:31 -0400
From: "Jason Briggaman" <brignasty@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: uppercase only from john --show

That worked great! Thank you!

On 7/7/06, Solar Designer <solar@...nwall.com> wrote:
> On Fri, Jul 07, 2006 at 08:15:49AM -0400, Jason Briggaman wrote:
> > I retrieved the passwords from my domain controller using pwdump 6. When I
> > issue "john --show passwordfile.txt", all of the passwords are in
> uppercase.
>
> This is as intended.
>
> > Is there a way that I can display them in their true case?
>
> It's not just a matter of "displaying" them in the right case.
>
> Windows NT/2000/XP/2003/... systems store two types of password hashes -
> DES-based LM (LanMan) hashes and MD4-based NTLM hashes.  LM hashes
> process input passwords as case insensitive and are much quicker to
> crack (for several reasons).  John the Ripper supports them out of the
> box.  NTLM hashes process the original case-sensitive passwords and are
> slower to crack.  John the Ripper does not currently support them
> officially, but there is a contributed patch to add that support, and
> there are unofficial builds of John the Ripper with the patch applied.
> Download links for these can be found on John the Ripper homepage.
>
> In PWDUMP output files, the third field on each line is the LM hash and
> the fourth one is the NTLM hash.  In some cases, LM hashes may be
> unavailable - or LM hashes of empty strings (rather than of actual
> passwords) may be substituted in their place.  In particular, the use
> of LM hashes may be disabled with a registry setting or simply by
> picking passwords (or passphrases) of 15 characters or more.
>
> Now, there can be three possible scenarios:
>
> 1. You're auditing your passwords for the purpose of detecting weak ones
> and LM hashes are available.  In that case, you might not actually need
> to bother cracking NTLM hashes of the same passwords.
>
> 2. You only have NTLM hashes.  In that case, you need a build of JtR
> with the contributed patch applied.  You also need to pass the
> "--format=NT" option when you invoke JtR to crack your NTLM hashes and
> also when you invoke it to display the results (that is, you use
> "--format=NT" along with "--show").
>
> 3. You have hashes of both types, yet you want to have your cracked
> passwords displayed in their true case.  In that case, you can either
> use the approach described above or you can be smarter (and likely get
> more passwords cracked).  The instructions below apply to JtR 1.7.x:
>
> Start by cracking your LM hashes.  At this point, you have your cracked
> passwords, less the case of characters.
>
> In john.conf (or john.ini if you're running on Windows), rename the old
> [List.Rules:Wordlist] section to [List.Rules:Disabled] to deactivate it.
> Rename the [List.Rules:NT] section to [List.Rules:Wordlist].
>
> Crack your NTLM hashes almost instantly by invoking a build of JtR with
> the contributed patch applied as:
>
> 	john -show pwfile | cut -d: -f2 > cracked
> 	john -w=cracked -rules -format=nt pwfile
>
> The "cut" command requires that you either do this on a Unix system or
> you have Cygwin installed on your Windows system.
>
> Don't forget to revert your wordlist rules back when you're done with
> this step.
>
> To display your final cracked passwords, use:
>
> 	john -show -format=nt pwfile
>
> One known problem with this approach is that it'll fail for passwords
> containing colons.
>
> Yes, this is more complicated than it should be.  I might integrate
> this functionality into JtR eventually.
>
> --
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
> http://www.openwall.com - bringing security into open computing environments
>
> Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.