Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 14 Feb 2010 07:39:30 +0300
From: Solar Designer <>
Subject: Re: NTLMv2 Challenge/Response Cracking

On Fri, Feb 12, 2010 at 10:17:02AM -0600, jmk wrote:
> I've posted a patch against John (w/ Jumbo 2 applied) for NTLMv2
> challenge/response cracking:
> The Jumbo-2 patch currently contains support for LMv1, NTLMv1, and LMv2
> challenge/response. I originally assumed that a LMv2 response would
> always be sent along with a NTLMv2 exchange, so I never bothered with
> NTLMv2. However, I've now found that Windows 7 likes to zero out the
> LMv2 fields, so NTLMv2 is necessary.

Thank you for contributing this.  Going forward, I suggest that you (and
others) base your patches on the latest version of JtR (with the jumbo
patch), which would be this time.  Also, I suggest that
you start making more use of the wiki to publish patches:

Anyway, I've integrated your patch into john- and
john-, which I've just released.  I've also added your to the run directory.  And I've edited your loader.c hacks
replacing the unreasonable uses of sprintf() - I did not test these
changes at all (other than that they compile), so I'd appreciate it if
you review and/or test them.  Finally, I noticed that you use
fmt_default_binary_hash() and fmt_default_get_hash() in your "formats",
which will result in poor performance when many hashes are loaded at
once - you could want to correct that in a new revision of your code.

While at it, I've integrated Alexandre Hamelin's oracle11_fmt.c (support
for Oracle 11g SHA-1 based hashes).  Somehow this was missed previously.

The updated jumbo patches are linked from the usual place:

Thanks again,


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.