Re: Best way to crack NT passwds

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear X u r r o n,

You  needn't  actually crack the password if you know your hash, because
cleartext password is never used in Windows environment. You could apply
this patch to md4.c from Samba distribution:

--- md4.c.orig  2004-04-04 11:37:00.000000000 +0400
  +++ md4.c       2004-10-27 23:01:31.000000000 +0400
  @@ -130,6 +130,21 @@
          C = 0x98badcfe;
          D = 0x10325476;
  +
  +       if(n == 64){
  +        int j;
  +        unsigned char * hexd = (unsigned char *)"0123456789ABCDEF";
  +        for(j = 0; j<16; j++){
  +         if(!strchr(hexd, in[(j<<2)]))break;
  +         if(in[(j<<2)+1])break;
  +         if(!strchr(hexd, in[(j<<2)+2]))break;
  +         if(in[(j<<2)+3])break;
  +         out[j] = ((strchr(hexd, in[(j<<2)]) - (char *)hexd)<<4);
  +         out[j] ^= (strchr(hexd, in[(j<<2)+2]) - (char *)hexd);
  +        }
  +        if(j == 16) return;
  +       }
  +
          while (n > 64) {
                  copy64(M, in);
                  mdfour64(M);

And  change  your  password with Samba utilities by entering NT password
hash (in HEX) instead of password then prompted.

--Saturday, July 30, 2005, 12:15:47 PM, you wrote to full-disclosure () lists grok org uk:

Xurron> hiya!
Xurron> I have tried many softwares for cracking NTLM hashes, like NC4,
Cain and have't tried Rainbow Crack yet.
Xurron> Once i had to recover my XPs lost admin password and i spend
around 1 day but Cain/NC4 were not able to guess that. Then i posted
that hashes on some site and it did recover my passwd in around 5min. I
want to know which technique they used to crack so fast ?

Xurron> Xurron


-- 
~/ZARAZA
http://www.security.nnov.ru/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/