Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <1268944470.17352.92.camel@localhost>
Date: Thu, 18 Mar 2010 15:34:30 -0500
From: jmk <jmk@...fus.net>
To: john-users@...ts.openwall.com
Subject: Re: NTLMv2 Challenge/Response Cracking

Good afternoon,

I haven't forgotten about your request for a patch containing
documentation on using my NetLM/NetNTLM/etc. formats. ;) I will
*hopefully* get this done in the not too distance future.

One quick question...

On Tue, 2010-02-16 at 13:53 +0300, Solar Designer wrote:
> > MinLen = 1
> > MaxLen = 7
> 
> Should MinLen possibly be 0, not 1?

I took a look at my john-netntlm.pl script to see why I had set MinLen
to 1. It looks like I had added a check prior to the incremental run to
see if the seed password was indeed the actual password. I'm a bit rusty
on this, since I wrote it 3 years ago, but it looks to me like this
could be removed if MinLen was indeed set to 0. Unfortunately, this
doesn't seem to work in practice. 

I've included a sample config below for a NetLM/NetNTLM password of
"Abc123". I would think that John would check length 0 first,
essentially testing "Abc123" and immediately cracking it. In the log I
see:

0:00:00:00 - Lengths 0 to 8, up to 69 different characters
[snip - testing lengths > 1]
0:00:00:00 - Switching to length 1

I don't see anything about length 0 and it doesn't seem to be able to
crack the password via incremental mode when the seed fully matches the
password. Anything obvious that I'm doing incorrect?

Thanks,
Joe

----
john -format:netlm -config=test.conf -external:HalfLM -incremental:LM
user.lc
----
user::WORKGROUP:936A63E94CB4F50A1CE4492D6560B3252F85252CC731BB25:F767E400A6DCBD4B5D008373CD0196D45D911145EABF79CA:1122334455667788
----
[Incremental:LM]
File = $JOHN/lanman.chr
MinLen = 0
MaxLen = 8
CharCount = 69

[List.External:HalfLM]
void init()
{
  word[14] = 0;
}

void filter()
{
  word[13] = word[7];
  word[12] = word[6];
  word[11] = word[5];
  word[10] = word[4];
  word[9] = word[3];
  word[8] = word[2];
  word[7] = word[1];
  word[6] = word[0];
  word[5] = '3';
  word[4] = '2';
  word[3] = '1';
  word[2] = 'c';
  word[1] = 'b';
  word[0] = 'A';
}
----

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.