Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 14 Jul 2011 09:22:17 -0500
From: "JimF" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: Re: was [john-users] John Test Suite v1.03 released

Moved to john-dev, to explain a little 'under the hood' issues.

----- Original Message ----- >
>A new version of John Test Suite (v1.03) has bee released. This version is
> much more comprehensive than prior versions.

I have run the test suite against john-1.7.8-jumbo-2, built for x86-SSE2 (32 
bit), and also for x86-'any' (generic).  Here are the results of failures, 
with some comentary.

I believe that all of the failures for md5_gen (and phpass), are due to MD5 
not putting proper limits on the length of passwords accepted, and when 
testing overlong passwords, the SSE buffer (or random memory), following the 
SSE buffer which the overlong password was being added.  There were numerous 
'limitatation' added to md5_gen, in the preloads file to correct this 
(mostly for SSE builds).

Build:  win32-cygwin-x86-sse2

-form=md5_gen(1)                guesses: 1452 time: 0:00:00:00 DONE
.POT Chk:  md5_gen(1)           guesses: 1452 time: 0:00:00:00 DONE
-form=md5_gen(5)                guesses: 1452 time: 0:00:00:00 DONE
.POT Chk:  md5_gen(5)           guesses: 1452 time: 0:00:00:00 DONE
-form=md5_gen(8)                guesses: 1452 time: 0:00:00:00 DONE
.POT Chk:  md5_gen(8)           guesses: 1452 time: 0:00:00:00 DONE
-form=md5_gen(17)               guesses: 1365 time: 0:00:00:49 DONE
.POT Chk:  md5_gen(17)          guesses: 1365 time: 0:00:00:41 DONE
-form=md5_gen(21)               guesses: 1452 time: 0:00:00:02 DONE
.POT Chk:  md5_gen(21)          guesses: 1452 time: 0:00:00:02 DONE
-form=PHPass-md5                guesses: 1365 time: 0:00:00:51 DONE
.POT Chk:  PHPass-md5           guesses: 1365 time: 0:00:00:34 DONE

I am not sure why these are zero, but they are.
-form=md5_gen(24)               guesses: 0 time: 0:00:00:04 DONE
.POT Chk:  md5_gen(24)          guesses: 1 time: 0:00:00:00 DONE
-form=md5_gen(25)               guesses: 0 time: 0:00:00:04 DONE
.POT Chk:  md5_gen(25)          guesses: 1 time: 0:00:00:00 DONE

Most of these failures (possibly all), are due to 20, 21 and 22 char user 
names in the input file.

-form=mscash2                   guesses: 1410 time: 0:00:01:51 DONE
.POT Chk:  mscash2              guesses: 1410 time: 0:00:01:34 DONE

These failures are due to improper upcasing of 'binary' data. Thus, there 
are lower cased letters > 0x80, and these are not properly being upcased. 
This also affects the oracle format, in this version.  The reason the 
numbers are different, is because in the course of building the test bed 
data, the passwords used for mssql and other formats is slightly different.

-form=mssql                     guesses: 1255 time: 0:00:00:00 DONE
.POT Chk:  mssql                guesses: 1255 time: 0:00:00:00 DONE
-form=oracle                    guesses: 1243 time: 0:00:00:03 DONE
.POT Chk:  oracle               guesses: 1243 time: 0:00:00:01 DONE

These next 2 are using the -utf8 switch on non-utf8 data.  The reason they 
'normally' find fewer values, is because due to binary data, there is some 
data conversion happening, but the original hashes were done against the 
raw-binary data only.

Not sure the problem with cash2, but this is before the re-write and 
optimization changes (which also fixed some issues).

-form=mscash2-utf8              guesses: 987 time: 0:00:02:37 DONE   (should 
be 1050)
.POT Chk:  mscash2-utf8         guesses: 987 time: 0:00:01:06 DONE

'max' sized salt was not being handled.

-form=oracle-utf8               guesses: 1223 time: 0:00:00:03 DONE  (Should 
be 1229)
.POT Chk:  oracle-utf8          guesses: 1223 time: 0:00:00:01 DONE

These 3 are -utf8 switch against utf8 encrypted passwords.  1500 'should' be 
the proper count found.

-form=mscash2-utf8              guesses: 1200 time: 0:00:01:36 DONE
.POT Chk:  mscash2-utf8         guesses: 1200 time: 0:00:01:20 DONE

We were not doing proper utf8 upcasing before.  This is the results.  The 
ones found, likely have NO lowercased Unicode characters, other than 'a' to 
'z'.

-form=mssql-utf8                guesses: 511 time: 0:00:00:00 DONE
.POT Chk:  mssql-utf8           guesses: 511 time: 0:00:00:00 DONE
-form=oracle-utf8               guesses: 512 time: 0:00:00:02 DONE
.POT Chk:  oracle-utf8          guesses: 512 time: 0:00:00:00 DONE


Issues seen from 1.7.8-jumbo-2 build using win32-cygwin-x86-any  (i.e. 
generic)

Here, we have none of the md5_gen failures (the  buffers are independant, 
and are not prone to overwrite). However, the other issues do show up.

-form=mscash2                   guesses: 1410 time: 0:00:01:47 DONE
.POT Chk:  mscash2              guesses: 1410 time: 0:00:01:34 DONE

-form=mssql                     guesses: 1255 time: 0:00:00:01 DONE
.POT Chk:  mssql                guesses: 1255 time: 0:00:00:00 DONE

-form=oracle                    guesses: 1243 time: 0:00:00:02 DONE
.POT Chk:  oracle               guesses: 1243 time: 0:00:00:01 DONE

-form=mscash2-utf8              guesses: 987 time: 0:00:02:37 DONE
.POT Chk:  mscash2-utf8         guesses: 987 time: 0:00:01:06 DONE

-form=oracle-utf8               guesses: 1223 time: 0:00:00:03 DONE
.POT Chk:  oracle-utf8          guesses: 1223 time: 0:00:00:01 DONE

-form=mscash2-utf8              guesses: 1200 time: 0:00:01:35 DONE
.POT Chk:  mscash2-utf8         guesses: 1200 time: 0:00:01:20 DONE

-form=mssql-utf8                guesses: 511 time: 0:00:00:01 DONE
.POT Chk:  mssql-utf8           guesses: 511 time: 0:00:00:00 DONE

-form=oracle-utf8               guesses: 512 time: 0:00:00:02 DONE
.POT Chk:  oracle-utf8          guesses: 512 time: 0:00:00:00 DONE



I have not tested 1.7.8-J2 built by a BE system, but I know there were 
several formats which would not work at all on BE (when I started).

All of these issues were fixed in the recent patch.

Jim. 

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ