Date: Mon, 03 Aug 2015 03:51:27 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: auditing our use of FMT_* flags

On 2015-08-01 17:23, Kai Zhao wrote:
> Maybe "OpenVMS" should NOT set FMT_CASE.
>
> 1. Get two hashes from vms_fmt_plug.c's test vectors.
>
> {"$V$9AYXUd5LfDy-aj48Vj54P-----", "USER"},
> {"$V$p1UQjRZKulr-Z25g5lJ-------", "service"},
>
> 2. Copy the hash to pwfile.
>
> $ cat pwfile
>
> $V$9AYXUd5LfDy-aj48Vj54P-----
> $V$p1UQjRZKulr-Z25g5lJ-------
>
> 3. cat password.lst, (case has CHANGED)
>
> usER
> SERvice
>
> 4. run
>
> John cracked the two passwords.
>
> "USER"  -> "usER"
> "service" -> "SERvice"
>
> But vms_fmt_plug.c has set FMT_CASE. Should we remove this flag?

Yes, it looks like we should.

magnum
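
The manual check in the quoted steps can be automated; the following is an added example, not code from John the Ripper or from either poster. `struct demo_format`, `DEMO_FMT_CASE` and the FNV-1a hash are hypothetical stand-ins (the real OpenVMS algorithm and John's `struct fmt_main` are not reproduced); only the plaintexts "USER" and "service" come from the thread.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_FMT_CASE 0x1u /* stand-in bit for FMT_CASE; value is arbitrary */
/* Hypothetical, simplified descriptor; not John's struct fmt_main. */
struct demo_format { unsigned flags; uint32_t (*hash)(const char *); };
/* FNV-1a stand-in, NOT the OpenVMS algorithm; fold=1 upcases input first. */
static uint32_t fnv1a(const char *s, int fold) {
    uint32_t h = 2166136261u;
    for (; *s; s++)
        h = (h ^ (unsigned)(fold ? toupper((unsigned char)*s) : (unsigned char)*s)) * 16777619u;
    return h;
}
static uint32_t hash_folding(const char *p) { return fnv1a(p, 1); }
static uint32_t hash_exact(const char *p) { return fnv1a(p, 0); }
/* 1: a one-letter case flip still matches; 0: all flips rejected; -1: no letters. */
static int accepts_case_variant(const struct demo_format *f, const char *plain) {
    char buf[64]; int letters = 0;
    size_t n = strlen(plain);
    if (n >= sizeof buf) return -1; /* too long for this demo buffer */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)plain[i];
        if (!isalpha(c)) continue;
        letters = 1;
        memcpy(buf, plain, n + 1);
        buf[i] = (char)(islower(c) ? toupper(c) : tolower(c));
        if (f->hash(buf) == f->hash(plain)) return 1;
    }
    return letters ? 0 : -1;
}
/* 0: flag agrees with behaviour; 1: flag set but case is ignored; 2: flag clear but case matters; -1: no letters. */
int audit_case_flag(const struct demo_format *f, const char *const *plains, size_t n) {
    int folded = 0, letters = 0;
    for (size_t i = 0; i < n; i++) {
        int r = accepts_case_variant(f, plains[i]);
        if (r >= 0) { letters = 1; folded |= r; }
    }
    if (!letters) return -1;
    int declared = (f->flags & DEMO_FMT_CASE) != 0;
    return declared == folded ? (declared ? 1 : 2) : 0;
}
int main(void) {
    const char *const plains[] = { "USER", "service" }; /* plaintexts from the thread */
    struct demo_format f = { DEMO_FMT_CASE, hash_folding }, g = { DEMO_FMT_CASE, hash_exact };
    printf("folding+flag: %d, exact+flag: %d\n", audit_case_flag(&f, plains, 2), audit_case_flag(&g, plains, 2));
    return 0;
}
```

A result of 1 corresponds to the situation reported in the thread: the flag is set, yet a case-changed candidate still matches.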
