Message-ID: <20100216105358.GA25035@openwall.com>
Date: Tue, 16 Feb 2010 13:53:58 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLMv2 Challenge/Response Cracking

On Mon, Feb 15, 2010 at 04:30:34PM -0600, jmk wrote:
> On Sun, 2010-02-14 at 07:39 +0300, Solar Designer wrote:
> > I suggest that you start making more use of the wiki to publish patches:
> >
> > http://openwall.info/wiki/john/patches
>
> I'll plan to post to the Wiki in the future. My comprehension of how
> John really works is pretty limited. As such, I'm often not sure if my
> approach with these formats is valid. I assumed the mailing list was the
> easiest method to get feedback and flush out issues.

Your assumption was correct. My suggestion is that you publish your
patches on the wiki in addition to announcing them on the mailing list.
In fact, the wiki page itself says just that - "Significant updates to
this wiki page (such as newly added patches) are to be announced on the
john-users mailing list (in addition to updating the wiki page, not
instead of that)."

> I just noticed that my netntlm.pl script relies on the ability to
> specify a temporary John config, which it creates. The script sets the
> first 7 characters of the password (i.e. the seed -- looked up via
> Rainbow Tables) in it and brutes the rest. I've posted an example config
> below. This has worked for me for the past few years. Is this an OK
> approach, when you know the first 7 characters of a password that may be
> anywhere from 7 to 14 characters?

Yes, that's fine.

> If so, I can extract the "--config" option modifications and post the diff.

Please do. You may upload this to the wiki as a separate patch and
announce it in here. I will likely merge it into the jumbo patch then.
In fact, this feature was recently requested by Minga.

Speaking of your netntlm.pl, it uses /tmp inappropriately. We'll need
to patch this - either use the current directory instead or have the
script create a directory for its temporary files.

> File = /usr/share/john/lanman.chr

I suggest that you use $JOHN instead of explicit /usr/share/john.

> MinLen = 1
> MaxLen = 7

Should MinLen possibly be 0, not 1?

> void filter()
> {
> 	word[13] = word[6];

You need to explicitly NUL-terminate the word[]. I suggest that you do
it with:

void init()
{
	word[14] = 0;
}

> [List.Rules:Wordlist]
> l
> lMT[*0]T[*1]T[*2]T[*3]T[*4]T[*5]T[*6]T[*7]T[*8]T[*9]T[*A]T[*B]T[*C]T[*D]Q

The default john.conf in 1.7.4+ includes a more efficient implementation
of the above. You could want to update the script to use that instead.

Maybe we should include more of your stuff into the jumbo patch -
perhaps create a subdirectory under doc/ and place your patches to other
tools in there, with a text file explaining their use along with JtR.
What do you think? If you agree, then can you please prepare a "patch"
like this (to be applied on top of 1.7.4.2-jumbo-3)?

My concern is that right now your "formats" integrated into the jumbo
patch are of little use on their own (or am I wrong?) One has to obtain
other stuff from your website and figure out how to use it along with
jumbo-patched JtR.

Thanks,

Alexander