Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 8 Jun 2012 10:45:31 -0500
From: "jfoug" <jfoug@....net>
To: <john-dev@...ts.openwall.com>
Subject: RE: Was: RE: [john-users] JtR to process the LinkedIn hash dump

I believe this version (patches into magnum-jumbo), fixes the problem.  Now
if there are 

0000003ced2802e237e597f6a9d14e963206d6c3
122b603ced2802e237e597f6a9d14e963206d6c3

JtR will only internally work with one hash. It will always write this one:
122b603ced2802e237e597f6a9d14e963206d6c3
To the .pot file.

Also, if ONLY 0000003ced2802e237e597f6a9d14e963206d6c3 existed in the input
file, then it would be cracked properly, and
122b603ced2802e237e597f6a9d14e963206d6c3 would be written out to the .pot.

The loader code, also properly removes both 00000... and 122b6...  if
122b603ced2802e237e597f6a9d14e963206d6c3 is in the .pot file.

Note, this DOES require get_source to return a possibly different string
than the split().  This is 'against' the assertion rules.  This was causing
self tests to fail, IF there were any of the 00000 hashes in self test
strings, so they simply have been removed.  Now, self test passes, since we
are not breaking the assertion ourselves, and the format properly handles
ALL strings.


In this format, we 'could' remove the raw-sha1_LI, and simply change
raw-sha1 to behave like this.  It still tests 128 bits of the hash, and
works exactly the same (same .pot, same loader removals, and internal dupe
logic), BUT it allows these smashed LinkedIn hashes to also load.   I have
not done it this way right now, but it is something we 'could' do.

This patch patches right to the jumbo-bleeding git, as long as magnum has
not yet updated it.


Ok, here are 2 runs, one with the newest of code, and one with prior version
(but with the 00000's in the hash). The prior version did NOT unify the
hashes, and did not reconstruct the proper hash.

./johnb2 -inc:digits -nolog -pot=johnb2.pot -form=raw-sha1_LI combo_not.txt
Loaded 5787239 password hashes with no different salts (Raw SHA-1-LI [SSE2
4x])
....
guesses: 179810  time: 0:00:00:37 DONE (Fri Jun  8 10:41:34 2012)  c/s:
16934G  trying: 83536781 - 83536784
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably


./johnb -inc:digits -nolog -pot=johnb.pot -form=raw-sha1_LI combo_not.txt
Loaded 6458020 password hashes with no different salts (Raw SHA-1-LI [SSE2
4x])
....
guesses: 179810  time: 0:00:00:47 DONE (Fri Jun  8 10:43:29 2012)  c/s:
14916G  trying: 83536781 - 83536784
Use the "--show" option to display all of the cracked passwords reliably


NOTE, that only 5787239 were loaded on this version, compared with 6458020
(which is the count in the input file), on the older version.

This means there are 670781 'dupes' in the hash file.  With the new patch,
these all get cracked together (well, each 'pair' will get cracked
together).

Jim.


Download attachment "raw-sha1_LI_fix-v2.diff" of type "application/octet-stream" (7283 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.