Message-ID: <55303225.3000605@borrmann.syss.de>
Date: Fri, 17 Apr 2015 00:05:25 +0200
From: Micha Borrmann <johnusers@...rmann.syss.de>
To: john-users@...ts.openwall.com
Subject: Re: NTLM proxy auth

On 16.04.2015 at 23:13, JJ Gray wrote:
> On 16/04/2015 12:49, Micha Borrmann wrote:
>> Hello,
>>
>> I've captured authentication data to a proxy with NTLM authentication, like
>>
>> GET /dummy HTTP/1.0
>> Host: www.dummy.net
>> Proxy-Authorization: NTLM TlRMTVNTUAABAAA...AAAAAAA=
> [..]
>> I have the data in pcap (or txt) file. How can I convert it to use it
>> with JtR?
>
> You have a couple of options: convert the values from Base64 to Hex or
> fire the pcap into Ettercap -r and it should convert it to the
> "standard" hex format (I tend to do that for multiple users). Then
> it's simply looking at what the JtR format is for that particular
> version of NETLM. Personally, with each new revision of JtR I just run
> something like:
>
> C:\CLI Tools\John>john.exe --list=format-all-details > jtr_hash_formats.txt
>
> and use that text file as a reference since I can't
> remember all of the hash formats, or you could do this on the fly with
> something like:
>
> C:\CLI Tools\John>john.exe --list=format-all-details | grep -E "Format label|Example ciphertext" | grep -A 1 'netnt'
> Format label netntlmv2
> Example ciphertext
> USER1::Domain:1122334455667788:5E4AB1BF243DCA304A00ADEF78DC38DF:0101000000000000BB50305495AACA01338BC7B090A6285600000000020
> 0120057004F0052004B00470052004F00550050000000000000000000
> Format label netntlm
> Example ciphertext
> $NETNTLM$1122334455667788$BFCCAF26128EC95F9999C9792F49434267A1D9B0EF89BFFB
> Format label netntlm-naive
> Example ciphertext
> User:::lm-hash:35B62750E1B9B3205C50D6BA351092C12A1B9B3CDC65D44A:1122334455667788
>
> Or a combination thereof.

Thanks for the hints. I manually created the hashfile and it seems there
is a bug in JtR: I know one password but JtR was not able to recover it.
But with another tool (oclHashcat), it was possible to recover it (and
to confirm that my hash was extracted correctly).

Micha
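
The "convert the values from Base64 to Hex" step discussed in this thread, as an added example that is not part of the original messages and is not code from JtR: it decodes the NTLMSSP message carried in an NTLM proxy header, returns the fields as hex, and reports which of the format labels listed above matches the NT response length. The function names and the sample message are constructed for illustration, and non-Unicode strings are assumed to be Latin-1.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when this flag is set

def _field(msg, pos):
    """Return the bytes of the (len, maxlen, offset) security buffer at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Decode the value of a Proxy-Authorization / Proxy-Authenticate header."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:                      # Negotiate: no challenge, no response
        return {"type": 1}
    if mtype == 2 and len(msg) >= 32:   # Challenge: 8 bytes at offset 24
        return {"type": 2, "challenge": msg[24:32].hex().upper()}
    if mtype == 3 and len(msg) >= 64:   # Authenticate: the client's responses
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # assumed OEM page
        nt = _field(msg, 20)
        # A 24-byte NT response is NTLMv1-style; a longer one is NTLMv2.
        label = "netntlm" if len(nt) == 24 else "netntlmv2" if len(nt) > 24 else None
        return {"type": 3, "domain": _field(msg, 28).decode(enc),
                "user": _field(msg, 36).decode(enc),
                "lm_response": _field(msg, 12).hex().upper(),
                "nt_response": nt.hex().upper(), "format_label": label}
    raise ValueError("unsupported or truncated NTLMSSP message")

def build_sample_type3(user, domain, lm, nt):
    """Constructed Type 3 message for the demo; not captured traffic."""
    parts = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""]
    header, payload = b"", b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    msg = SIGNATURE + struct.pack("<I", 3) + header + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_ntlm_header(build_sample_type3("USER1", "Domain", bytes(24), bytes(range(48)))))
```

The server challenge comes from the proxy's Type 2 message (the 407 response), while the user name, domain and responses come from the client's Type 3 message, so both headers have to be taken from the same handshake.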