Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <553025FD.603@shc.qinetiq-tim.com>
Date: Thu, 16 Apr 2015 22:13:33 +0100
From: JJ Gray <jj.gray@....qinetiq-tim.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLM proxy auth

On 16/04/2015 12:49, Micha Borrmann wrote:
> Hello,
> 
> I've captured authentication data to a proxy with NTLM authentication, like
> 
> GET /dummy HTTP/1.0
> Host: www.dummy.net
> Proxy-Authorization: NTLM TlRMTVNTUAABAAA...AAAAAAA=
[..]
> I have the data in pcap (or txt) file. How I can convert it to use it
> with JtR? 

You have a couple of options: convert the values from Base64 to Hex or
fire the pcap into Ettercap -r and it should convert it to the
"standard" hex format (I tend to do that for a multiple users). Then
it's simply looking at what the JtR format is for that particular
version of NETLM. Personally, with each new revision of JtR I just run
something like:

C:\CLI Tools\John>john.exe --list=format-all-details >
jtr_hash_formats.txt and use that text file as a reference since I can't
remember all of the hash formats, or you could do this on the fly with
something like:

C:\CLI Tools\John>john.exe --list=format-all-details | grep -E "Format
label|Example ciphertext" | grep -A 1 'netnt'
Format label                         netntlmv2
Example ciphertext
USER1::Domain:1122334455667788:5E4AB1BF243DCA304A00ADEF78DC38DF:0101000000000000BB50305495AACA01338BC7B090A6285600000000020
0120057004F0052004B00470052004F00550050000000000000000000
Format label                         netntlm
Example ciphertext
$NETNTLM$1122334455667788$BFCCAF26128EC95F9999C9792F49434267A1D9B0EF89BFFB
Format label                         netntlm-naive
Example ciphertext
User:::lm-hash:35B62750E1B9B3205C50D6BA351092C12A1B9B3CDC65D44A:1122334455667788

Or a combination thereof.

Cheers,
		JJ

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.