Friday, June 13, 2008

MS Cache and John the Ripper

Chalk this one up to knowledge remembered, forgotten, and then remembered again!

Lately I have been playing with using our MPI John the Ripper cluster to increase the crack rate of MS Cache passwords. With a very long list of passwords, some of which I knew would be easy to crack, I set out and started the process on 20 nodes. After a few days and ZERO cracks I started to wonder what the hell was going on.

The answer is one I knew many years ago when cachedump first came on the scene. The MS Cache hashing routine uses the lowercase username as its salt! Because some of the cachedump tools pull the username out of the registry as-is and don't convert the case, you'll run JTR for days with an invalid salt. No cracks for you!
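To see why the case of the salt matters, here is an added example (not code from the original post or from John the Ripper) that computes an MS Cache v1 hash the way Windows does, MD4(MD4(UTF-16LE(password)) || UTF-16LE(lowercase username)), and checks a candidate password against a JtR-style "M$username#hash" line, the format the mscash code on this page parses. The username, password and hash line are constructed for the demo; a small MD4 is included because hashlib's md4 is disabled in many OpenSSL builds.

```python
import struct

_M = 0xFFFFFFFF
_K3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # MD4 round-3 word order


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); present only so the example runs without hashlib's md4."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a0, b0, c0, d0 = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: F(b,c,d), words in order, no constant
                f, k, s, kc = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G(b,c,d), words 0,4,8,12,1,5,9,13,...
                f, k, s, kc = (b & c) | (b & d) | (c & d), (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H(b,c,d), words per _K3
                f, k, s, kc = b ^ c ^ d, _K3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + kc) & _M, s), b, c
        a, b, c, d = (a + a0) & _M, (b + b0) & _M, (c + c0) & _M, (d + d0) & _M
    return struct.pack("<4I", a, b, c, d)


def dcc1(username: str, password: str, lowercase_user: bool = True) -> str:
    """MS Cache v1: MD4(NT hash || UTF-16LE(username)); Windows lowercases the username first."""
    salt = (username.lower() if lowercase_user else username).encode("utf-16-le")
    return md4(md4(password.encode("utf-16-le")) + salt).hex()


def check_candidate(jtr_line: str, candidate: str, lowercase_user: bool = True) -> bool:
    """Test one candidate against an 'M$username#hash' line.
    lowercase_user=False mimics an unpatched cracker fed a dump that kept the registry's case."""
    user, digest = jtr_line[2:].split("#", 1)
    return dcc1(user, candidate, lowercase_user) == digest.lower()


if __name__ == "__main__":
    # Constructed sample: the dumper kept the registry's mixed-case account name
    line = "M$Administrator#" + dcc1("Administrator", "Secret1")
    print("salt lowercased (patched JTR):", check_candidate(line, "Secret1"))         # True
    print("salt used as dumped          :", check_candidate(line, "Secret1", False))  # False
```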

So we can do a couple of things here:
  • Remember this next time and manually lowercase the usernames

  • Tell the authors to modify the tools we use to grab the cache hashes

  • Patch the tools ourselves (if we have the sources) and give them to the author

  • Modify the cracking program to always lowercase the usernames

John the Ripper's source code is really easy to fix, and that is the quickest option, so here is a simple diff against mscash_fmt.c:

--- mscash_fmt.c 2008-06-13 15:56:07.000000000 -0700
+++ mscash_fmt-lower.c 2008-06-13 15:55:49.000000000 -0700
@@ -16,6 +16,7 @@


#include "arch.h"
#include "misc.h"
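Review bot: the header `@@ -16,6 +16,7 @@` says this hunk adds one line, but no `+` line is shown between the `#include` context lines, so the patch as pasted will not apply; since the second hunk calls `tolower()`, the added line should be `#include <ctype.h>` and ought to be restored here.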
@@ -158,6 +159,9 @@

l = strlen(ciphertext);
strncpy(out, ciphertext + 2, l - PLAINTEXT_LENGTH + 1);
+ for(l=0; l < strlen(out); l++) {
+ out[l] = tolower(out[l]);
+ }
return out;
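Review bot: the loop re-evaluates `strlen(out)` on every iteration and lowercases the whole copied buffer, not just the username; compute the length once before the loop, stop at the `#` separator if `out` still carries it so only the salt part is touched, and call `tolower((unsigned char)out[l])` so bytes above 0x7F in a username are not passed as negative `int`s.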

And now I don't have to remember this every time! JTR will remember for me and with a cluster of 20 nodes all running around 600,000 cracks a second maybe SOMETHING will crack. :)

1 comment:

deros68 said...

All my dumps with fgdump always leave the username as lowercase.

CAIN also did that.