Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20091218121928.GA24708@openwall.com>
Date: Fri, 18 Dec 2009 15:19:28 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: JTR and format NTLM

On Fri, Dec 18, 2009 at 06:52:19AM -0500, madfran wrote:
> From two different ways I always arrive at the same result.

What two different ways, specifically?

> Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:
> A82FF8E15A18E4E73399D231E9B32157F:::

This has LM hash of an empty string (which usually indicates that LM
hashes are disabled).  Then, instead of the NTLM hash, which would
normally be represented with 32 hex digits, you have some other string
of 33 hex digits.  My guess is that it has to do with your "two
different ways" - e.g., maybe you used some program that obfuscates
password hashes that it dumps, maybe for use with some specific tool or
online service.

I suggest that you try pwdump6:

http://xxx.foofus.net/~fizzgig/pwdump/
http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003-vista#pwdump

Please don't forget to let the list know how you obtained this broken
NTLM hash, and what approach you ended up using instead.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.