Message-ID: <20100715053349.GA10154@openwall.com>
Date: Thu, 15 Jul 2010 09:33:49 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 1.7.6-jumbo-3 breaks john --show --fomat=LM output

On Wed, Jul 14, 2010 at 07:19:50AM +0800, Kurt Grutzmacher wrote:
> The latest jumbo patch for John The Ripper 1.7.6 breaks the --show command
> output for LANMAN hashes.

I wouldn't call this "breakage" - just a change of behavior, and it's
been in there for a long time (definitely since before 1.7.6).  It was
not obvious to me what behavior was more appropriate anyway.  Now that I
revisit this, I agree that keeping the LM hash behavior the same whether
the jumbo patch is applied or not makes sense.  It's an issue of
consistency, not "greater correctness" of any one choice.

> Patch to fix uses the ciphertext variable instead of line. Enjoy!

No, that's not correct.  I've attached a more elaborate patch - please
test.  With this patch applied (on top of jumbo) and with the following
line in the input file:

u1:1:78bccaee08c90e29aad3b435b51404ee:f9e37e83b83c47a93c2f09f66408631b:abc123::

The "--show" output for the LM hash is:

u1:ABC123:1:f9e37e83b83c47a93c2f09f66408631b:abc123::

and for NTLM (with explicit "--format=nt") it is:

u1:abc123:1:abc123::

That is, when showing cracked passwords for LM hashes, also shown are
NTLM hashes - for further cracking maybe?  JtR won't load those lines
directly, though - it only accepts an NTLM hash in the fourth field if
the third field looks like an LM hash (32 chars).  At least this is
consistent with what non-patched JtR outputs.

When showing cracked passwords for NTLM hashes, no hashes are shown (so
the output has one field less).  It felt pointless to show any of the
hashes in this case, and it felt pointless to include a placeholder field.

Is this as desired?

Thanks,

Alexander

View attachment "john-1.7.6-jumbo-4-lm-ntlm-show-1.diff" of type "text/plain" (518 bytes)
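
The field layout described in the message above, as an added example that is not part of the original message, the attached patch, or John the Ripper's code. Function names are hypothetical, and the hex-digit check on the 32-character fields is an assumption; the sample line and expected outputs are the ones quoted in the message.

```python
# Added illustration of the "--show" field layout described in the message.
# Not John the Ripper's code; all names here are hypothetical.
HEX = set("0123456789abcdefABCDEF")

def looks_like_hash32(field):
    # The message says "32 chars"; requiring hex digits is an assumption.
    return len(field) == 32 and all(c in HEX for c in field)

def parse_pwdump(line):
    """Split user:uid:LM:NTLM:rest...; return None for any other shape."""
    f = line.rstrip("\n").split(":")
    # An NTLM hash in field 4 only counts if field 3 looks like an LM hash.
    if len(f) < 4 or not looks_like_hash32(f[2]) or not looks_like_hash32(f[3]):
        return None
    return {"user": f[0], "uid": f[1], "lm": f[2], "ntlm": f[3], "rest": f[4:]}

def show_line(rec, fmt, plaintext):
    """Build the output line the message describes for LM or NT."""
    if fmt == "LM":
        # The cracked password replaces the LM hash position; NTLM hash is kept.
        head = [rec["user"], plaintext, rec["uid"], rec["ntlm"]]
    elif fmt == "NT":
        # No hashes shown, no placeholder: one field fewer than the LM case.
        head = [rec["user"], plaintext, rec["uid"]]
    else:
        raise ValueError("fmt must be 'LM' or 'NT'")
    return ":".join(head + rec["rest"])

def reloadable_as_pwdump(line):
    """True only if the line still has the shape a PWDUMP loader expects."""
    return parse_pwdump(line) is not None

# Input line quoted in the message.
SAMPLE = ("u1:1:78bccaee08c90e29aad3b435b51404ee:"
          "f9e37e83b83c47a93c2f09f66408631b:abc123::")

if __name__ == "__main__":
    rec = parse_pwdump(SAMPLE)
    lm_out = show_line(rec, "LM", "ABC123")
    nt_out = show_line(rec, "NT", "abc123")
    print(lm_out)
    print(nt_out)
    # The LM output's third field is the uid, not a 32-char hash, so it
    # does not pass the load rule even though it carries the NTLM hash.
    print(reloadable_as_pwdump(SAMPLE), reloadable_as_pwdump(lm_out))
```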
