Date: Sat, 16 Mar 2013 17:28:06 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Cisco - Password type 4 - SHA256

On 03/16/2013 02:54 PM, Dhiru Kholia wrote:
> On Sat, Mar 16, 2013 at 5:48 PM, Sc00bz64@...oo.com <sc00bz64@...oo.com> wrote:
>> Yeah so I released code on #openwall http://pastebin.com/1yCLwyVY
> 
> Thanks.
> 
> I have made a crappy format for this,
> https://github.com/kholia/JohnTheRipper/tree/cisco-type-4

Your implementation uses PLAINTEXT_LENGTH 125.
Is the max. length supported by Cisco documented somewhere, or can you
test it?
E.g., use a password of length 128, then try the 64 leading characters,
see if the hash differs or not, and find out the correct length applying
a binary search...

Also, can you make sure the algorithm really distinguishes upper and
lower case characters?

What about trying some non-ascii characters?
You specified FMT_8_BIT, so you should verify that those characters are
not "truncated" to 7 bits (or even converted to UTF-8).

> Ideally, one time base64 decoding should be used instead of repetitive
> base64 encoding.

Right.
The valid() implementation could need additional checks.

Frank
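The black-box checks Frank asks for above (effective maximum length found by binary search, case sensitivity, 8-bit and UTF-8 handling) as an added example. This is not code from the thread, from JtR or from Cisco, and it does not implement the Cisco type 4 algorithm: the three oracles are constructed stand-ins (plain SHA-256, a deliberately flawed variant, and a UTF-8-converting variant) so the checks have something to catch. Against a real target you would replace the oracle with a function that submits the candidate password to the device or implementation under test and returns the stored hash string; the function names, probe length and sample bytes are this example's own choices.

```python
"""Black-box checks for a password-hash oracle: effective max length
(binary search), case sensitivity, 7-bit folding and UTF-8 conversion.
Added example; the oracles are constructed stand-ins, not Cisco type 4."""
import hashlib


def clean_oracle(pw: bytes) -> str:
    """Stand-in for a well-behaved hash: SHA-256 over the raw bytes."""
    return hashlib.sha256(pw).hexdigest()


def flawed_oracle(pw: bytes) -> str:
    """Constructed stand-in with the defects the checks should expose:
    truncates to 72 bytes, folds every byte to 7 bits, lower-cases."""
    folded = bytes(b & 0x7F for b in pw[:72]).lower()
    return hashlib.sha256(folded).hexdigest()


def utf8_oracle(pw: bytes) -> str:
    """Constructed stand-in that treats input as Latin-1 and re-encodes it
    as UTF-8 before hashing (the conversion Frank warns about)."""
    return hashlib.sha256(pw.decode("latin-1").encode("utf-8")).hexdigest()


def probe_password(n: int) -> bytes:
    """Deterministic n-byte printable password: the digits 0-9 cycling."""
    return bytes(0x30 + (i % 10) for i in range(n))


def effective_max_length(oracle, probe_len: int = 128):
    """Hash a probe_len-byte password, then binary-search the smallest prefix
    whose hash equals the full hash. Any prefix shorter than the cut-off is a
    different input and hashes differently; any prefix at or beyond it is
    truncated to the same bytes. Returns None if probe_len-1 bytes already
    hash differently, i.e. no truncation is visible below probe_len."""
    probe = probe_password(probe_len)
    full = oracle(probe)
    if oracle(probe[:probe_len - 1]) != full:
        return None
    lo, hi = 1, probe_len - 1          # invariant: oracle(probe[:hi]) == full
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(probe[:mid]) == full:
            hi = mid
        else:
            lo = mid + 1
    return hi


def is_case_sensitive(oracle) -> bool:
    return oracle(b"Password") != oracle(b"password")


def keeps_8bit(oracle) -> bool:
    """0xE4 (Latin-1 'ä') folded to 7 bits is 0x64 ('d'); an oracle that
    folds will hash both passwords identically."""
    return oracle(b"pass\xe4") != oracle(b"pass\x64")


def converts_to_utf8(oracle, reference) -> bool:
    """True if the oracle hashes the UTF-8 form of a Latin-1 byte. Needs a
    reference implementation of the underlying digest to compare against."""
    return oracle(b"\xe4") == reference("\xe4".encode("utf-8"))


def report(oracle, reference=clean_oracle) -> dict:
    """Run all checks against one oracle and return the findings."""
    return {
        "max_length": effective_max_length(oracle),
        "case_sensitive": is_case_sensitive(oracle),
        "keeps_8bit": keeps_8bit(oracle),
        "converts_to_utf8": converts_to_utf8(oracle, reference),
    }


if __name__ == "__main__":
    for name, fn in (("clean", clean_oracle), ("flawed", flawed_oracle),
                     ("utf8", utf8_oracle)):
        print(name, report(fn))
```

The binary search needs only about seven oracle calls for a 128-byte probe, which matters when each call means a configuration change on a real device. A `max_length` of None means "at least 128"; raise `probe_len` if the implementation's PLAINTEXT_LENGTH is expected to be larger.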
