Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Jun 2012 10:45:31 -0500
From: "jfoug" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: RE: Was: RE: [john-users] JtR to process the LinkedIn hash dump

I believe this version (patches into magnum-jumbo), fixes the problem.  Now
if there are 

0000003ced2802e237e597f6a9d14e963206d6c3
122b603ced2802e237e597f6a9d14e963206d6c3

JtR will only internally work with one hash. It will always write this one:
122b603ced2802e237e597f6a9d14e963206d6c3
To the .pot file.

Also, if ONLY 0000003ced2802e237e597f6a9d14e963206d6c3 existed in the input
file, then it would be cracked properly, and
122b603ced2802e237e597f6a9d14e963206d6c3 would be written out to the .pot.

The loader code, also properly removes both 00000... and 122b6...  if
122b603ced2802e237e597f6a9d14e963206d6c3 is in the .pot file.

Note, this DOES require get_source to return a possibly different string
than the split().  This is 'against' the assertion rules.  This was causing
self tests to fail, IF there were any of the 00000 hashes in self test
strings, so they simply have been removed.  Now, self test passes, since we
are not breaking the assertion ourselves, and the format properly handles
ALL strings.


In this format, we 'could' remove the raw-sha1_LI, and simply change
raw-sha1 to behave like this.  It still tests 128 bits of the hash, and
works exactly the same (same .pot, same loader removals, and internal dupe
logic), BUT it allows these smashed LinkedIn hashes to also load.   I have
not done it this way right now, but it is something we 'could' do.

This patch patches right to the jumbo-bleeding git, as long as magnum has
not yet updated it.


Ok, here are 2 runs, one with the newest of code, and one with prior version
(but with the 00000's in the hash). The prior version did NOT unify the
hashes, and did not reconstruct the proper hash.

./johnb2 -inc:digits -nolog -pot=johnb2.pot -form=raw-sha1_LI combo_not.txt
Loaded 5787239 password hashes with no different salts (Raw SHA-1-LI [SSE2
4x])
....
guesses: 179810  time: 0:00:00:37 DONE (Fri Jun  8 10:41:34 2012)  c/s:
16934G  trying: 83536781 - 83536784
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably


./johnb -inc:digits -nolog -pot=johnb.pot -form=raw-sha1_LI combo_not.txt
Loaded 6458020 password hashes with no different salts (Raw SHA-1-LI [SSE2
4x])
....
guesses: 179810  time: 0:00:00:47 DONE (Fri Jun  8 10:43:29 2012)  c/s:
14916G  trying: 83536781 - 83536784
Use the "--show" option to display all of the cracked passwords reliably


NOTE, that only 5787239 were loaded on this version, compared with 6458020
(which is the count in the input file), on the older version.

This means there are 670781 'dupes' in the hash file.  With the new patch,
these all get cracked together (well, each 'pair' will get cracked
together).

Jim.


[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ