Michael Behrisch | 13 May 2005 10:39

Comparing John session files and more

Hello,
We use JtR to check our passwords on a regular basis and I would 
like to know whether something like the following would be 
considered possible from your point of view.

While testing a passwd (of say 1000 users) the users keep on 
changing passwords, thus one could try to check the new
passwords whenever they reached a certain limit (say 100).
In order not to lose the progress on the remaining 900 
passwords I would like to stop the first process, start another 
john just checking the 100 new ones and joining the two
when the second reached the state of the first.
The following questions occur:
Is it safe to restore a session with a different passwd than 
it was interrupted with?
How do I know whether the second process did catch up?
(At the moment I do compare the rule number in wordlist mode 
and the entry number in incremental mode which are both recorded 
in the .rec file. Is that the right thing to do?)

Attached you will find my bash script which runs as a daily cron job.
Maybe it's helpful.

Thanks for your help,
Michael Behrisch

-- 
Michael Behrisch (Tel. +49 30 2093-3123)
HU Berlin, Institut fuer Informatik, Arbeitsgruppe Algorithmen
http://www.informatik.hu-berlin.de/~behrisch/

Whom Ever | 14 May 2005 00:24

LANMAN and NT Hash ?s...basic

I'm sorry for asking a noob question but I have a sam file that I ran
GetHashes.exe (SamInside) on and I'm not sure how to get JtR to work on
the NT hash (really XP hash) part.  It autodetects the LANMAN portion
and goes to work, I tried the --format option but none of the other
options loaded any passwords.  JtR can crack NT hashes, right?  And XP
uses NT hashes too?  When I ran GetHashes I did NOT have the SYSTEM file
so that may be part of the problem...not sure.

Example from john.pot (not a working one...I modified
some data):
User:57Q7T4R23E <at> :1007:14806rd271e60f5re2549d67eb6ef6b1:::

Now, the NT hash is after the 1007: right?

It's my understanding with 2k and XP that if you use a password longer
than 14 characters nulls are entered in the LANMAN portion so in that
case you have to use the NT hash portion, right?

Also, if JtR does do NT hash, wouldn't a module to get the LANMAN and
then try the 2^n letter case combinations to run against the NT hash be
fairly easy to

Simon Marechal | 14 May 2005 02:20

Re: LANMAN and NT Hash ?s...basic

Whom Ever wrote:
> JtR can crack NT hashes, right?

Vanilla john can't, you have to add the nt hash support that is in the 
contribs.

> Also, if JtR does do NT hash, wouldn't a module to get
> the LANMAN and then try 
> the 2^n letter case combinations to run against the NT
> hash be fairly easy to 
> add.  I'm probably way off base here or this already exists!

You can use the discovered passwords to use with john in wordlist mode 
with rules to do that.

If you have some spare disk space you can download ophcrack, which 
performs a time/memory tradeoff, features a nice gui, and ships with 
pre-calculated tables, or use rainbowcrack which is more widely used but 
less effective.

Whom Ever | 14 May 2005 02:25

Re: LANMAN and NT Hash ?s...basic

Well, looks like perhaps I should RTFM.  I installed 

File: john-ntlm-patch-v02.tgz

against JtR 1.6.38 and then ran:

./john -format:NT pass.1

I'm running a test to see if this is going to work!

Does this sound right?  Also, please feel free to
comment on the other issues in my first post!  Like
longer XP passwords, etc.

Thanks!

		

Whom Ever | 14 May 2005 19:41

NT hash maxlen questions...

NT hashes are not split, correct?  So in john.conf
(1.6.38 patched with NT hash capability) if I change
maxlen in incremental all it indicated that I need to
do that at compile time.  If 8 will not get a 12
character NT hash (i.e., it's not split like LANMAN)
where do I make the adjustment and recompile?

Thanks.

		

Whom Ever | 14 May 2005 23:02

Re: NT hash maxlen questions...

Ok, I found the params.h file but not sure how to
adjust.  I mean what if I wanted to check 16 character
passwords?  Then I'd have 95^16 which is >> 2^64 even
if you adjust the SCALE term.  And if you go ahead and
just make the length 16 and violate the 64 bit
requirement, it appears the *.chr files no longer are
appropriate.  So maybe NT hashes are split? and
therefore the length of 8 is ok?

Thanks.

--- Whom Ever <amwhoever@...> wrote:
> NT hashes are not split, correct?  So in john.conf
> (1.6.38 patched with NT hash capability) if I change
> maxlen in incremental all it indicated that I need
> to
> do that at compile time.  If 8 will not get a 12
> character NT hash (i.e., it's not split like LANMAN)
> where do I make the adjustment and recompile?
> 
> Thanks.
> 
> 


Solar Designer | 15 May 2005 01:19

Re: Comparing John session files and more

Michael,

On Fri, May 13, 2005 at 10:39:57AM +0200, Michael Behrisch wrote:
> While testing a passwd (of say 1000 users) the users keep on 
> changing passwords, thus one could try to check the new
> passwords whenever they reached a certain limit (say 100).
> In order not to lose the progress on the remaining 900 
> passwords I would like to stop the first process, start another 
> john just checking the 100 new ones and joining the two
> when the second reached the state of the first.

That's fine, but there's the complication you mention below.

> The following questions occur:
> Is it safe to restore a session with a different passwd than 
> it was interrupted with?

Usually, yes.  But this means editing the recovery file, which is an
undocumented territory and subject to change without notice.

You need to realize that in "single crack" mode the candidate
passwords John will try depend on the password files' content.  But
"single crack" is quick, so you probably were not going to do this
trick to it.

Other issues may arise with changed or multiple hash types in your
password files.

> How do I know whether the second process did catch up?
> (At the moment I do compare the rule number in wordlist mode 

Solar Designer | 15 May 2005 02:07

Re: LANMAN and NT Hash ?s...basic

On Fri, May 13, 2005 at 03:24:32PM -0700, Whom Ever wrote:
> I'm sorry for asking a noob question but I have a sam file that I ran
> GetHashes.exe (SamInside) on and I'm not sure how to get JtR to work on
> the NT hash (really XP hash) part.  It autodetects the LANMAN portion
> and goes to work, I tried the --format option but none of the other
> options loaded any passwords.  JtR can crack NT hashes, right?

As it has correctly been pointed out, you need to apply the
contributed patch to get support for the MD4-based NT hashes.
The official JtR supports only DES-based NTLM hashes.

> And XP uses NT hashes too?

Yes.

> Example from john.pot (not a working one...I modified
> some data):
> User:57Q7T4R23E <at> :1007:14806rd271e60f5re2549d67eb6ef6b1:::
> 
> Now, the NT hash is after the 1007: right?

Yes, perhaps, however this does not look exactly like the pwdump-style
format that JtR expects:

Administrator:500:73CC402BD3E791756C3D3B817E02809D:C7E2622D76D3F001CF08B0753646BBCC:Built-in

Solar Designer | 15 May 2005 02:23

Re: LANMAN and NT Hash ?s...basic

On Fri, May 13, 2005 at 05:25:51PM -0700, Whom Ever wrote:
> Well, looks like perhaps I should RTFM.  I installed 
> 
> File: john-ntlm-patch-v02.tgz
> 
> against JtR 1.6.38 and then ran:
> 
> ./john -format:NT pass.1
> 
> I'm running a test to see if this is going to work!
> 
> Does this sound right?

Yes, -- assuming that what you had in that file is actually the NT
hash, indeed.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Solar Designer | 15 May 2005 02:27

Re: NT hast maxlen questions...

On Sat, May 14, 2005 at 10:41:35AM -0700, Whom Ever wrote:
> NT hashes are not split, correct?

Yes.  They are not.

> So in john.conf
> (1.6.38 patched with NT hash capability) if I change
> maxlen in incremental all it indicated that I need to
> do that at compile time.

You can't set it beyond 8 with the default params.h settings and the
supplied *.chr files.

> If 8 will not get a 12
> character NT hash (i.e., it's not split like LANMAN)
> where do I make the adjustment and recompile?

It's CHARSET_LENGTH and other CHARSET_* settings in params.h (as
you've already discovered by now).  But there're some good reasons to
not alter them.  I'll explain in my response to your other e-mail.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

