Didier Stevens

Thursday 21 July 2016

Practice ntds.dit File Part 8: Password Cracking With John the Ripper – LM NTLM

Filed under: Encryption — Didier Stevens @ 0:00

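LM hashes are computed over the upper-cased password, so passwords recovered from LM hashes do not yet carry the original case. Using them to crack NTLM hashes is easier with John the Ripper, because it comes with a rule (NT) that toggles the case of the letters in all combinations: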

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --wordlist=lm-passwords.txt --rules=NT --pot=john-lm-ntlm.pot nt.john.out

Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
FEPARAGON        (user20)
V                (user21)
Y6G              (user23)
aS               (user22)
*qFT             (user24)
lm1181992        (user16)
976b0            (user26)
*Vqc(            (user25)
Root1$           (Administrator)
Lzac08@          (user19)
kurt!!!          (user05)
XjW*wL           (user27)
yeliz6           (user14)
tadob            (user15)
zordic7          (user04)
maisie2007       (user12)
8N)IMRgQ57_      (user31)
girlish2020      (user06)
thurlow1         (user09)
cuningo          (user17)
A9LT5J$r         (user28)
Crx3#W+f         (user29)
beaufort1        (user10)
43PDlBR8tS#V     (user32)
453758487l       (user08)
F-62RqTo@m       (user30)
WBJ_Pvtz6i42AV   (user34)
rachelleanne     (user03)
amorosaoveja     (user07)
b#f1HvU@Qz7nk    (user33)
31g 0:00:00:00 DONE (2016-07-18 22:19) 382.7g/s 426851p/s 426851c/s 6317KC/s wbj_pvtz6I42av..wbj_pvtz6i42av
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using --show:

John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-lm-ntlm.pot ad-database\kali\dump\nt.john.out

Administrator:Root1$:S-1-5-21-3188177830-2933342842-421106997-500::
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:rachelleanne:S-1-5-21-3188177830-2933342842-421106997-1108::
user04:zordic7:S-1-5-21-3188177830-2933342842-421106997-1109::
user05:kurt!!!:S-1-5-21-3188177830-2933342842-421106997-1110::
user06:girlish2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:amorosaoveja:S-1-5-21-3188177830-2933342842-421106997-1112::
user08:453758487l:S-1-5-21-3188177830-2933342842-421106997-1113::
user09:thurlow1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:beaufort1:S-1-5-21-3188177830-2933342842-421106997-1115::
user12:maisie2007:S-1-5-21-3188177830-2933342842-421106997-1117::
user14:yeliz6:S-1-5-21-3188177830-2933342842-421106997-1119::
user15:tadob:S-1-5-21-3188177830-2933342842-421106997-1120::
user16:lm1181992:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:cuningo:S-1-5-21-3188177830-2933342842-421106997-1122::
user19:Lzac08@:S-1-5-21-3188177830-2933342842-421106997-1124::
user20:FEPARAGON:S-1-5-21-3188177830-2933342842-421106997-1125::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:aS:S-1-5-21-3188177830-2933342842-421106997-1127::
user23:Y6G:S-1-5-21-3188177830-2933342842-421106997-1128::
user24:*qFT:S-1-5-21-3188177830-2933342842-421106997-1129::
user25:*Vqc(:S-1-5-21-3188177830-2933342842-421106997-1130::
user26:976b0:S-1-5-21-3188177830-2933342842-421106997-1131::
user27:XjW*wL:S-1-5-21-3188177830-2933342842-421106997-1132::
user28:A9LT5J$r:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:Crx3#W+f:S-1-5-21-3188177830-2933342842-421106997-1134::
user30:F-62RqTo@m:S-1-5-21-3188177830-2933342842-421106997-1135::
user31:8N)IMRgQ57_:S-1-5-21-3188177830-2933342842-421106997-1136::
user32:43PDlBR8tS#V:S-1-5-21-3188177830-2933342842-421106997-1137::
user33:b#f1HvU@Qz7nk:S-1-5-21-3188177830-2933342842-421106997-1138::
user34:WBJ_Pvtz6i42AV:S-1-5-21-3188177830-2933342842-421106997-1139::

31 password hashes cracked, 12 left

 
