Message-ID: <20091221152152.GA10201@openwall.com>
Date: Mon, 21 Dec 2009 18:21:52 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: JTR and format NTLM

On Sun, Dec 20, 2009 at 03:23:44PM -0500, madfran wrote:
> Symantec antivirus detects the original pwdump as a virus.

You'll do everyone a favor if you contact Symantec and ask them to fix their anti-virus. It's the users of those anti-virus products who may make these companies reconsider their current approach at inflating the "virus" count. ;-)

For example, in 2005 avast! would detect the official build of JtR 1.6 for Win32 as name: "Win32:Trojan-gen. {Other}", type: "Virus/Worm" (I have a user-provided screenshot). Well, avast! no longer detects JtR (current official build for Win32), at all. I don't know if they removed the 1.6 signature or simply didn't add a signature for the new build, but I wouldn't be surprised if some user complaints have helped to achieve this. :-)

> Today approach
> -Download pwdump6-2.0.0
> -The PwDumpDebug is not detected by Symantec!
> -Extract the hash
> Administrator:500:NO
> PASSWORD*********************:A82FF8E15A18E4E7399D231E9B32157F:::

Well, this has what looks like a valid NTLM hash. Notice how it is 32 hex digits, not 33. JtR with the jumbo patch loads it just fine. I assume that your problem was a copy-paste error where you inadvertently duplicated one character.

Alexander
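The 32-hex-digit check described in the message above, as an added example that is not part of the original post or of John the Ripper. It assumes the `user:rid:lm:nt:::` layout seen in the quoted line (rejoined after the mail client wrapped it); the function names and the 33-digit sample are constructed for illustration.

```python
import re

HEX = re.compile(r"[0-9A-Fa-f]+")
LM_EMPTY = "NO PASSWORD"  # marker seen in the quoted output when no LM hash is stored


def check_pwdump_line(line):
    """Return a list of problems for one line laid out as user:rid:lm:nt::: (assumed)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        return ["expected user:rid:lm:nt, got %d field(s)" % len(fields)]
    user, rid, lm, nt = fields[:4]
    problems = []
    if not rid.isdigit():
        problems.append("RID %r is not numeric" % rid)
    if not lm.startswith(LM_EMPTY) and not (len(lm) == 32 and HEX.fullmatch(lm)):
        problems.append("LM field is neither 32 hex digits nor the empty marker")
    if not HEX.fullmatch(nt):
        problems.append("NT field is empty or contains non-hex characters")
    elif len(nt) != 32:
        problems.append("NT hash has %d hex digits, expected 32" % len(nt))
    return problems


def repair_candidates(nt):
    """For a 33-digit value, list each 32-digit string made by dropping one
    character of a doubled pair (the paste error suspected in the message)."""
    if len(nt) != 33:
        return set()
    return {nt[:i] + nt[i + 1:] for i in range(32) if nt[i] == nt[i + 1]}


# The NT hash and line quoted in the message, with the wrapped line rejoined.
GOOD_NT = "A82FF8E15A18E4E7399D231E9B32157F"
GOOD = "Administrator:500:NO PASSWORD*********************:" + GOOD_NT + ":::"
# Constructed sample: the same value with one '7' duplicated (33 digits).
BAD_NT = "A82FF8E15A18E4E77399D231E9B32157F"
BAD = GOOD.replace(GOOD_NT, BAD_NT)

if __name__ == "__main__":
    for label, line in (("quoted", GOOD), ("constructed", BAD)):
        print(label, check_pwdump_line(line) or "ok")
    for candidate in sorted(repair_candidates(BAD_NT)):
        print("candidate:", candidate)
```

A doubled pair only narrows the possibilities: each candidate is a different hash, so the reliable fix is to re-export the line rather than guess which character was duplicated.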