Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Feb 2013 02:28:33 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: AIX password hashes

On 02/16/2013 12:32 AM, magnum wrote:
> I have a feeling the "hard" part of figuring out the AIX hashes is to establish the exact encoding scheme. 


I think there is also some broken magic used. Without reverse
engineering he algorithm, more samples might help,

In addition to the ones in
http://www.openwall.com/lists/john-users/2013/02/15/2
we might need some more.

First, a
./AIXtest ... | wc -l

Then, the may be the top 100 hashes of those broken formats, but not
just the ones which have a '...' sequence in the hash.

To get more certainty, a larger set of samples could help.

E.g., it looks like the frequency of hashes with '...' sequences for
{ssha512}06$ is about 4 times as high as for {ssha512}04$.
It might be a coincidence, but {ssha512}06$ also has 4 times as many
iterations.

For {ssha256}04$ and {ssha256}06$, there is no such difference.

OTOH, for {ssha1}04 there seem to be only very few of these hashes,
close to the end, while {ssha256}06, the frequency is very high again.

Also, while for {smd5} the position of the '...' looks random, for the
other hashes there is a strong bias towards the end of the hash.

I am really curious how they managed to get such results.
And, of course, a larger sample size could help.

E.g., all hashes for passwords of length 1 or 2 for all printable
characters / character combinations.
Or, trying to detect patterns if the salt changes, but the password is
the same. And so on.

Frank

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ