Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Apr 2011 00:06:58 +0200
From: magnum <rawsmooth@...dband.net>
To: john-dev@...ts.openwall.com
Subject: Re: "SSH private keys cracker" patch for JtR [first cut
 for GSoC]

On 2011-04-15 21:49, magnum wrote:
> One drawback is that when I created a second [same name, overwritten] testkey.rsa.pub with a stronger passphrase it did not load, as john.conf had recorded the *filename* from my "bingo" test.

I meant, of course, john.pot and testkey.rsa.

$ tail -1 ../run/john.pot
testkey.rsa:bingo

I don't have a copy of that "bingo" testfile but the second test file 
looks like this:

$ cat testkey.rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,3503C93C037175EEE450311F2B6F57F3

EuIoguzn+rpAAEotcqA/dvqRHsvn4yfRSGz9xaKe5PogMe7TdPzznQ2Ep8AXG3Sd
...
-----END RSA PRIVATE KEY-----

I believe that first 3503C93C037175EEE450311F2B6F57F3 hash can be used 
in john.pot instead, as an identifier of the corresponding cracked file. 
I just created a couple of test key files with the same passphrase and 
that hash was unique. If implementing this you should really add a tag 
(like $ssh$) so we don't add to the current mess. So, my john.pot should 
have read:

$ssh$7175EEE450311F2B6F57F33503C93C03:bingo

using (of course) whatever DEK hash was in that file.

just some thoughs,
magnum

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ