Date: Mon, 26 Sep 2011 08:21:40 -0400 From: David Jones <jonesd@...umbus.rr.com> To: john-dev@...ts.openwall.com Cc: David Jones <jonesd@...umbus.rr.com> Subject: Re: Patch for dynamically loaded formats I updated the patches wiki with version 2.4 of the OpenVMS kit. The major change is I renamed uaf_to_password.c to uaf2john.c and updated it to run on non-VMS systems. The kit includes a vms_tst.uaf file, synthesized from the bf_tst.in passwords, that can be used to test uaf2john and subsequently vms_fmt with 1500 test hashes. 24-SEP-2011 This is a new patch for John the Ripper (1.7.8) to support OpenVMS password hashes. The major difference between this patch and the 2002 patch by Jean-loup Gailly is that this version supports mixed-case passwords (UAI flag UAI$M_PWDMIX). It is also multi-threaded, increasing performance up to 50-65% on a dual-processor system (splitting your password file into multiple jobs is probably more effective). The only builds done so far are on OpenVMS Alpha 8.3 and OS X x86 1.6 (Mac Mini). Building: This kit has 3 parts: a patch to JtR version 1.7.8 to add the --plugin=dll_file option; the openvms format module; and a OpemVMS utility program to convert SYSUAF.DAT files to passwd files. Start with the source tree from the standard John the Ripper (JtR) distribution version 1.7.8, unzip the distribution file with the src directory as the default, which will create ./vms directory with several files in it. Then apply the patch with the one of the commands: patch -p1 <vms/john_1^.7^.8^.plugin.diff @[.vms]patch_src [.vms]john_1.7.8.plugin.diff [.vms] A descrip.mms and build.com file are provided for building on OpenVMS, a replacement Makefile is provided for building the vms_fmt shareble on Unix/Linux. If you start with s 'jumbo patch' version of John the Ripper, invoke mms with /macro=jumbo=7 or use the build_jumbo.com procedure. On Unix, the make produces a new ../run/vms_fmt shared library, a build on OpenVMS produces 3 or 4 image files in the [-.run] directory: john.exe, uaf_to_passwd.exe, vms_fmt.exe (shareable image), and (optionally) openssl_shim.exe. The shim file is needed because John requires case sensitive external names and HPs OpenSSL library provides only case insensitive (upcased) symbol definitions. John the Ripper executable: A new command line and config file option was added to john to support dynamically loading modules to handle new password hash formats. The VMS password hash function was then added via this mechnism (the vms_fmt.exe shareable image). You can either specify this module on the command line as --plugin=dll_file or by adding the line "plugin = dll_file" to john.conf. Note that on VMS the dll_file filename must be a full file specification since dlopen() looks in sys$share by default. vms_fmt shareable image/dll: When loaded, the vms_fmt module registers a format name of "openvms". On startup, this module uses an environment variable, JOHN_OPENVMS_THREADS, to configure the multi-threading parameters. The variable value is a string of the form "number threshold limit", where: number Is a decimal integer indicating the number of auxillary worker threads to create (default 1). The worker threads are given batches of candidate passwords to hash against a salt, the results of which will be searched for a match with the password file entry. Zero is a legal value, which forces all work to be done by the main thread. threshold Number of candidate passwords (keys) that must be accumulated before a work request may be initiated asychronously to a worker thread (default 36). limit Maximum number of candidate passwords passed to a worker thread in a single request (default 120, max 1680). The degree of concurrency achieved depends upon threshold, limit, and john the ripper's operating mode. Best results are when john is operating in wordlist mode. Uaf2john executable: This program reads a UAF data file and generates a passwd file that JtR uses as input. Note that the 'ciphertext' hash string inserted in the password field is encoded very differently than what the J. Gailly patch uses. The username component is condensed to 5.32 bits/character (RAD-50, 3 chars/ 16 bits) and the string is a fixed length. On OpenVMS, the SYS$GETUAI service (with inherent privilege checks) is used to extract the information from SYSUAF. A non-privilege user can extract his own account's password hash from the system SYSUAF, but no one else's. OpenVMS Command line: uaf2john [sysuaf-listing|$|~username] [output-file] Unix Command line: uaf2john rawuaf-file [output-file] Arguments: rawuaf-file Binary file containing contents of SYSUAF.DAT converted to a flat file with fixed length (1412 byte) records. The uaf2fixed.com command procedure invokes the OpenVMS convert utility to procduce this file. sysuaf-listing Must be a file of the format produced by the authorize list/brief command. The usernames to lookup are extracted from this file. $ Spawn the appropriate authorize command and use the SYSUAF.LIS file produced. It is not deleted afterwards. ~username Produce a temporary input file with a single line containing the specified user and enough elememts to be parsed by uaf_to_passwd. output-file A unix-style passwd file (7 colon-delimited fields) suitable for input to John the Ripper. If omitted, output goes to stdout (sys$output). Files in kit that apply to Unix and OpenVMS: vms_fmt.c Defines class record for registering vms_std-mp.c as a plugin (dynamically loaded) format for OpenVMS hash strings. vms_std-mp.c, .h Provide decoding/hashing functions to JtR for processing openvms format ($V$) hash strings. This module is where multi-threading takes place. uaf_raw.h Defines record layout for SYSUAF.DAT file (after conversion by uaf2fixed.com). uaf_encode.c, .h Support routines for encoding/decoding ciphertext strings from SYSUAF information. uaf_hash.c Logically part of uaf_encode.c, provides the password hash function for testing candidate passwords. uaf2john.c Conversion utility, see preceding section. vms_tst.uaf Test input file for uaf2john on Unix systems. File passwords were taken from bf_tst.in in 1.03 test suite. john_1.7.8.plugin.diff Used to patch JtR source files to allow loading of DLL-based format via the --plugin=dll. Updates files: john.c, Makefile, formats.h, options.c, and options.h. Adds new files plugin.c and plugin.h. makefile Make file for vms_fmt DLL and uaf2john executable. Files in kit that apply to OpenVMS only: patch_src.com descrip.mms Used for OpenVMS build. MMS description file. build.com build_jumbo Command procedures to build executables. prejohn.c Wrapper main() for setting up C RTL environment for john.c's main(). tty-vms.c Used for OpenVMS build to provide non-blocking reads of terminal keystrokes. JTR polls keyboard once a second and outputs status line if any activity. signals-mp.c Used for OpenVMS build. alpha-vms.h Used for OpenVMS build, platform-specific architecture information (seed for arch.h). stdbool.h,stdint.h Substitute system headers not shipped with DECC. john_build_rule.h Supplies pseudo-make 'rule' for build: "OpenVMS-MMS". uaf2fixed.com OpenVMS command procedure to convert SYSUAF.DAT to format for processing on Unix. john.opt john-j7.opt Used for OpenVMS build, linker options file. vms_fmt.opt Linker options file for vms_fmt DLL. openssl_shim.opt (Jumbo build on OpenVMS) Copyright (c) 2011 by David L. Jones <jonesd/at/columbus.rr.com>, and is hereby released to the general public under the following terms: Redistribution and use in source and binary forms, with or without modifications, are permitted.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ