Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20100214043930.GA15760@openwall.com>
Date: Sun, 14 Feb 2010 07:39:30 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: NTLMv2 Challenge/Response Cracking

On Fri, Feb 12, 2010 at 10:17:02AM -0600, jmk wrote:
> I've posted a patch against John 1.7.3.4 (w/ Jumbo 2 applied) for NTLMv2
> challenge/response cracking:
> 
> http://www.foofus.net/jmk/smbchallenge.html
> http://www.foofus.net/jmk/tools/jtr/john-1.7.3.4-jumbo-2-netntlmv2.diff
[...]
> The Jumbo-2 patch currently contains support for LMv1, NTLMv1, and LMv2
> challenge/response. I originally assumed that a LMv2 response would
> always be sent along with a NTLMv2 exchange, so I never bothered with
> NTLMv2. However, I've now found that Windows 7 likes to zero out the
> LMv2 fields, so NTLMv2 is necessary.

Thank you for contributing this.  Going forward, I suggest that you (and
others) base your patches on the latest version of JtR (with the jumbo
patch), which would be 1.7.4.2-jumbo-2 this time.  Also, I suggest that
you start making more use of the wiki to publish patches:

http://openwall.info/wiki/john/patches

Anyway, I've integrated your patch into john-1.7.3.4-jumbo-3 and
john-1.7.4.2-jumbo-3, which I've just released.  I've also added your
netntlm.pl to the run directory.  And I've edited your loader.c hacks
replacing the unreasonable uses of sprintf() - I did not test these
changes at all (other than that they compile), so I'd appreciate it if
you review and/or test them.  Finally, I noticed that you use
fmt_default_binary_hash() and fmt_default_get_hash() in your "formats",
which will result in poor performance when many hashes are loaded at
once - you could want to correct that in a new revision of your code.

While at it, I've integrated Alexandre Hamelin's oracle11_fmt.c (support
for Oracle 11g SHA-1 based hashes).  Somehow this was missed previously.

The updated jumbo patches are linked from the usual place:

http://www.openwall.com/john/#contrib

Thanks again,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.