![]() |
|
Message-ID: <20070606161257.GA579@openwall.com> Date: Wed, 6 Jun 2007 20:12:57 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: LM/NTLMv1 challenge/response cracking On Thu, May 31, 2007 at 02:25:05PM -0500, jmk wrote: > Updated patch against clean 1.7.0.2: > http://www.foofus.net/~jmk/tools/jtr/john-1.7.0.2-netlm-netntlm-jmk-2.diff Thank you! I've placed this in contrib/ now. > Updated patch against 1.7.2 w/ john-1.7.2-all-3.diff: > http://www.foofus.net/~jmk/tools/jtr/john-1.7.2-all-netlm-netntlm-jmk-2.diff I decided to put out a new revision of the jumbo patch with this code included instead of your patch-over-a-patch. While doing it, I've noticed numerous things that were wrong about the jumbo patch and I've fixed some (I hope Erik doesn't mind): - Enabled one salt vs. multiple salts benchmarks for more hash types by changing BENCHMARK_LENGTH from -1 to 0 for them. - Replaced md[45].[ch] with newer revisions that include two trivial optimizations for x86-64; updated md5_go.[ch] accordingly. - Patched E_md4hash() in smbencrypt.c to not require mdfour(). - Dropped "-lssl", added a linefeed character to the end of BFEgg_fmt.c. With the above changes, the revision currently in contrib/ is -all-6. Joe - please consider the BENCHMARK_LENGTH and mdfour() changes for your patch. Also, I think that it would help to have comments at the start of both *_fmt.c files explaining the expected input file format and/or providing references to tools that can be used to dump C/R exchanges in a supported format. > In case anyone is interested, the following are some general notes > regarding my use of this patch... Thank you for sharing this - I think that someone might find it useful, especially as it will remain on the web (in list archives). Your approach looks quite smart. Some questions, just out of curiosity (and in case it helps someone browsing the archives): > * Capture the LM/NTLM challenge/response exchange. I've posted[1] a > modification to Samba to assist with this effort. > [1] http://www.foofus.net/jmk/smbchallenge.html > > * Use RainbowCrack to lookup first 7 characters of the password using > the LM response hash (half LM response tables). > > * Use JtR to crack the remaining characters. Is there a reason to not generate and use rainbow tables for this step as well? I don't immediately see one. The key for second block of responses crosses DES block boundary in LM hashes, but that shouldn't be a problem (just a bit more computation to do when building the tables). It is entirely possible that I am missing something as I haven't looked into this before. > Some random thoughts... I've written a simple Perl script to automate > this task. I've also hacked a command-line parameter option into JtR to > accept john.conf files other than the system-wide default, which this > script utilizes. I don't know if it's in the future plans, but having > easily accessible functionality built into JtR (case toggle, setting a > seed password, custom configuration files specified on the command-line, > etc) might be useful. Just a thought... Indeed. I hope to find the time to rework the core of JtR to make it even more extensible first, then proceed to add features like those you've mentioned and many others. It's just that this is not happening for a long time now... Thanks again, -- Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.