Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20100909200245.GA17700@openwall.com>
Date: Fri, 10 Sep 2010 00:02:45 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Attacking Windows-ALT chars in LM Hashes

Matt,

Thank you for bringing this topic up!

On Thu, Sep 09, 2010 at 01:12:14PM -0400, Charles Weir wrote:
> http://tlt.its.psu.edu/suggestions/international/accents/codealt.html

This appears to assume Windows-1252:

http://en.wikipedia.org/wiki/Windows-1252

> 2) I could certainly modify dumbforce/or knownforce mode to target a
> limited range of the most commonly used ALT + normal characters. I
> guess my biggest question then is what numerical values do the ALT
> characters correspond to? aka is ALT-0142 represented as a character
> with value 142 in Windows, or is it encoded some other way?

Apparently, these 8-bit character codes are passed into LM hashes as-is
(assuming that those hashes are produced at all).

Here's a relevant thread with some hash samples that I found when
LM-hashing single 8-bit character strings with Perl's
Authen::Passphrase::LANManager and Googling for the resulting hashes:

http://www.freerainbowtables.com/phpBB3/topic387-120.html

LM hashes use 8-bit characters internally, so this is natural.
(But this is not the case for NTLM.)

> 3) As a similar question, I remember reading somewhere that LANMAN
> doesn't handle certain ALT characters, (in which case you would only
> end up with NTLM hashes). Does anyone have a list of the allowed ALT
> characters? Also does Windows LM capitalize ALT characters like
> ALT-0228 which is the lowercase a with the umlaut?

Good questions.  I don't know the answers.

> 4) Is there a way to include these ALT characters in John's wordlist
> rules? For example, I'd like to have a rule sa"ALT-0288", which would
> replace 'a' with the ALT-0228 character. I guess what I'm trying to
> say is if there is a way to specify the hex value of a character vs
> just typing it in the config file.

This was requested before and it is on my to-do list.  Your request for
this feature has just raised its priority.

> Now I'll freely admit, not many people use ALT characters, but when I
> do run across an 'Unbreakable' LM hash I'd love to have a few tricks
> up my sleeve to deal with it.

During the contest, I tried an overstrike-one-char-in-every-pos ruleset
line with all non-control 8-bit characters in it (a preprocessor range
starting with the space character and ending with the character with
code 0xff).  This didn't help in the contest, but overall it is a
reasonable approach to use against fast hashes where you suspect that
some passwords have exactly one 8-bit character.  Of course, it'd be
more convenient to type such a line in with the feature requested above
(not having to type the weird character as-is).  Also, maybe such a line
should be included in a ruleset bundled with JtR.

> Also, if they are using a different
> codepage encoding, (instead of using ALT characters), that opens up a
> whole new can of worms.

If you try the entire 8-bit range rather than individual characters, it
probably does not.  If the non-ASCII characters are getting converted to
uppercase, then this is likely affected by the current codepage, though.

> Finally on a somewhat unrelated note, is there any easy way to search
> throught the mailing list archive. I've looked through the selected
> posts on the wiki, and found the actual mailing list archie at
> http://www.openwall.com/lists/john-users/, but I was wondering if
> there was a search option, since I really doubt I'm the first person
> to run into this problem and I hate spamming the list with questions
> that have already been answered.

Here you are:

http://dir.gmane.org/gmane.comp.security.openwall.john.user
http://marc.info/?l=john-users

These are linked from the JtR homepage.

Thanks again,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.