GCIH · Question #670
A security auditor is using John the Ripper to review password strength on Windows machines. The auditor knows that the company requires a 15-character minimum in their passwords. In this scenario, wh
The correct answer is C. --format=NT. Windows does not generate LANMAN (LM) hashes for passwords of 15 or more characters, so only the NT hash format is present to crack.
Question
A security auditor is using John the Ripper to review password strength on Windows machines. The auditor knows that the company requires a 15-character minimum in their passwords. In this scenario, what format parameter must be passed to John (with Jumbo Patch) to crack the passwords?
Options
- A--format=LANMAN
- B--format=UNIX
- C--format=NT
- D--format=SHA256
How the community answered
(54 responses)- A6% (3)
- B2% (1)
- C83% (45)
- D9% (5)
Why each option
Windows does not generate LANMAN (LM) hashes for passwords of 15 or more characters, so only the NT hash format is present to crack.
LANMAN hashes are not stored by Windows for passwords of 15 or more characters, so there is no LM hash present to crack with --format=LANMAN.
--format=UNIX targets Unix-style crypt(3) password hashes, which are not used for Windows local or domain account password storage.
Windows automatically disables LM hash generation for any password that is 15 characters or longer, storing only the NT (NTLM) hash derived via MD4. Because the company enforces a 15-character minimum, no LM hash will exist in the SAM database for any compliant account, making --format=NT the correct and only viable format parameter for John the Ripper to target these credentials.
--format=SHA256 would target SHA-256 hashes, which Windows does not use for local account password storage in the SAM database.
Concept tested: Windows NT vs LANMAN hash generation for 15-character passwords
Source: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
Topics
Community Discussion
No community discussion yet for this question.