Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Sep 2012 02:34:42 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Cracking Mountain Lion hashes (WIP)


On 10 Sep, 2012, at 2:11 , Alexander Cherepanov <cherepan@...me.ru> wrote:

> On 2012-09-10 03:29, magnum wrote:
>> On 10 Sep, 2012, at 1:20 , Alexander Cherepanov <cherepan@...me.ru> wrote:
>> 
>>> On 2012-09-08 15:38, Dhiru Kholia wrote:
>>> 
>>>> Sample Output: lulu.plist:$ml$23923$c3fa2e153466f7619286024fe7d812d0a8ae836295f84b9133ccc65456519fc3$ccb903ee691ade6d5dee9b3c6931ebed6ddbb1348f1b26c21add8ba0d45f27e61e97c0b80d9a18020944bb78f1ebda6fdd79c5cf08a12c80522caf987c287b6d
>>>> 
>>>> Format : filename:$ml$iterations$salt$hash
>>> 
>>> Isn't it better to print user name in the first field as usually done in
>>> other formats?
>> 
>> Good catch, the file name is the actual user name so you should strip '.plist' from every entry. This will help Single mode produce much less worthless candidates.
> 
> In fact I thought about an attribute 'name' in the source .plist file.
> But it's even better -- there are also attributes 'uid', 'gid',
> 'realname', 'home', 'shell', so full gecos can be constructed.

That is even better, way better!

>> BTW most *2john tools that put the filename in the username field
>> should strip the path for the same reason. I did that to rar2john. The
>> filename might be useful for Single mode, but probably not the
>> [cracker's] full path.
> 
> Full path may be good for keeping track which hash is for which file.
> But I'm not sure where it's better to put it.

For rar -hp archives we do this:

archive_name:$RAR3$*type*hex(salt)*hex(partial-file-contents):type::::full_archive_name

The "user name" field is filename without path. The last field (just beyond where Single mode looks) is the full path name.

On a side note, I place "type" in the uid field too. This is so you can put all your rar files in a single infile, but then attack only a certain type (-hp or -p) using the -user option. It's a hack, but it works fine :)

magnum

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ