Message-ID: <CAP4Wu7Vr37kbtJ5YgJZcPhxWjO1S=D958FVPcngTmsyahjHswA@mail.gmail.com>
Date: Mon, 14 Nov 2011 08:17:36 +0100
From: rootkit rootkit <rootkit77@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM challenge/response cracking (again...)

On Sat, Nov 12, 2011 at 1:10 AM, rootkit rootkit <rootkit77@...il.com> wrote:

> I'm a little bit confused now. From NETNTLMv2_fmt_plug.c I see that
> the challenge/response should be in the following format
>
> USERNAME::DOMAIN:SERVER CHALLENGE:NTLMv2 RESPONSE:CLIENT CHALLENGE
>
> where ServerChallenge is 8 bytes, NTLMv2Response is 16 bytes, and
> ClientChallenge is variable (90 bytes in the example provided).
>
> My sample looks more to be in the NTLM format. From NETNTLM_fmt_plug.c
>
> USERNAME:::LM RESPONSE:NTLM RESPONSE:CHALLENGE
>
> with both LMResponse and NTLMResponse being 24 bytes.
>
> How should I format it in the NETNTLMv2 cracking mode?
>
> I take a wild guess here: maybe ettercap does not recognize NTLMv2
> (development stopped in 2005) and is truncating the NTLMv2 response at
> the 24th byte. That would explain why all my captured hashes terminate
> with 0101000000000000.

Hello,

so, I guess I was right (or at least in the right direction). Ettercap
doesn't properly dump NTLMv2 authentication C/R; instead it's
formatting them as NTLMv1.

So I tried a different approach, using wireshark to capture the
packets, and then extracting the hashes myself. Cracking them with
john NETNTLMv2 mode worked wonderfully.

Thanks again for your help.
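As an added example (not code from john or from this mail), here is a small Python helper for the by-hand step described above: it takes the fields Wireshark shows in the NTLMSSP CHALLENGE and AUTH packets, splits the "NTLMv2 Response" field into the 16-byte NTProofStr and the variable-length client blob, emits the line in john's NETNTLMv2 format, and refuses the 24-byte truncated responses (ending in 0101000000000000) that the Ettercap dumps produced. The sample values are constructed for illustration, not taken from a real capture.

```python
# john's NETNTLMv2 line, as quoted in the thread:
#   USERNAME::DOMAIN:SERVER CHALLENGE:NTLMv2 RESPONSE:CLIENT CHALLENGE
# Wireshark shows the "NTLMv2 Response" field as one hex string: the 16-byte
# NTProofStr followed by the client blob. The blob starts with 0x01 0x01 and
# six zero bytes, which is the 0101000000000000 tail seen in the mail.
BLOB_HEADER = "0101000000000000"

def _clean(hex_str):
    """Normalise hex as copied from Wireshark (colons, spaces, mixed case)."""
    return "".join(hex_str.split()).replace(":", "").lower()

def looks_truncated(response_hex):
    """The thread's symptom: an NTLMv1-only tool keeps the first 24 bytes of
    the NTLMv2 response, i.e. NTProofStr plus the 8-byte blob header."""
    r = _clean(response_hex)
    return len(r) == 48 and r.endswith(BLOB_HEADER)

def split_ntlmv2_response(response_hex):
    """Split Wireshark's 'NTLMv2 Response' field into (NTProofStr, blob)."""
    r = _clean(response_hex)
    if len(r) % 2 or len(r) < 32 + len(BLOB_HEADER):
        raise ValueError("response too short to be an NTLMv2 response")
    ntproof, blob = r[:32], r[32:]
    if not blob.startswith(BLOB_HEADER):
        raise ValueError("client blob does not start with 0101000000000000")
    return ntproof, blob

def john_netntlmv2_line(user, domain, server_challenge_hex, response_hex):
    """Build USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB for john's netntlmv2."""
    sc = _clean(server_challenge_hex)      # from the NTLMSSP_CHALLENGE packet
    if len(sc) != 16:
        raise ValueError("server challenge must be exactly 8 bytes")
    if looks_truncated(response_hex):
        raise ValueError("24-byte response: truncated NTLMv2, not usable as NTLMv2")
    ntproof, blob = split_ntlmv2_response(response_hex)
    return "{}::{}:{}:{}:{}".format(user, domain, sc, ntproof, blob)

# Constructed sample values (not a real capture), laid out as Wireshark shows them.
SAMPLE_USER = "alice"
SAMPLE_DOMAIN = "WORKGROUP"
SAMPLE_SERVER_CHALLENGE = "01:23:45:67:89:ab:cd:ef"
SAMPLE_RESPONSE = (
    "00112233445566778899aabbccddeeff"   # NTProofStr, 16 bytes
    "0101000000000000"                   # blob header (RespType, HiRespType, reserved)
    "0090d336b734c301"                   # timestamp
    "ffffff0011223344"                   # client nonce
    "00000000"                           # reserved
    "02000600" "44004f004d00"            # AV pair: NetBIOS domain "DOM" in UTF-16LE
    "00000000"                           # MsvAvEOL
    "00000000"                           # trailing zeros
)

if __name__ == "__main__":
    print(john_netntlmv2_line(SAMPLE_USER, SAMPLE_DOMAIN,
                              SAMPLE_SERVER_CHALLENGE, SAMPLE_RESPONSE))
```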
