Date: Mon, 7 Sep 2015 10:08:44 -0500
From: JimF <jfoug@....net>
To: john-dev@...ts.openwall.com
Subject: Re: FormSpring valid()



On 9/7/2015 8:27 AM, Kai Zhao wrote:
> Hi Alexander,
>
> On Mon, Sep 7, 2015 at 1:28 AM, Solar Designer <solar@...nwall.com> wrote:
>> Kai - how did you obtain the test vectors that you added to
>> formspring_fmt_plug.c in 101bed96efba9509f5f60447a342a00024bba17e?
>> Specifically, where did their salts come from?  Why are they of 8 hex
>> digits whereas the existing test vectors used two-char salts?
> In dynamic_preloads.c::121
>
> //dynamic_60 -->sha256($p)
>
> So I can generate test vectors by:
>
> $ ./john --test=0 --format='dynamic=sha256($s.$p),debug'

If you change your command to this:

$ ./john --test=0 --format='dynamic=sha256($s.$p),saltlen=2,debug'

It would give proper 2 byte salts for you.

Also:

$ echo -n test | run/pass_gen.pl formspring
#!comment: Built with pass_gen.pl using RAW mode, 0 to 128 characters dict file=stdin

   ** Here are the hashes for format formspring **
u0:0f435d79d56ae33430041d2e1b2892cb13f2e346ab8d9a79febf2d9c695672b6$72:0:0:test:

Also works. pass_gen.pl was built to provide workable hashes for most of john's formats. It does a pretty decent job. It even contains a dynamic 'expression building' (the logic from it actually was used to make the @dynamic=@ format in john). It really should be looked at as a first source of obtaining new hashes.
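
The salt-length point in this thread, as an added example that is not part of the original message and not code from John the Ripper: a small Python check for the `hash$salt` layout shown in the pass_gen.pl output, using the `sha256($s.$p)` expression quoted above. The two-character salt length is taken from the thread; the function names are hypothetical.

```python
import hashlib
import re

SALT_LEN = 2  # assumption from the thread: FormSpring salts are two characters
_LAYOUT = re.compile(r"([0-9a-f]{64})\$(.+)")

def ciphertext_from_line(line):
    """Return the second colon-separated field of a pass_gen.pl style line."""
    parts = line.split(":")
    return parts[1] if len(parts) > 1 else None

def split_ciphertext(field):
    """Return (hex_digest, salt), or None unless field is 64 hex digits, '$', 2-char salt."""
    m = _LAYOUT.fullmatch(field or "")
    if not m or len(m.group(2)) != SALT_LEN:
        return None
    return m.group(1), m.group(2)

def make_ciphertext(salt, password):
    """Build hash$salt with sha256($s.$p): the salt is prepended to the password."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d characters" % SALT_LEN)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return digest + "$" + salt

def check_password(field, password):
    """True only if the field has the expected layout and matches the candidate."""
    parsed = split_ciphertext(field)
    if parsed is None:
        return False
    _, salt = parsed
    return make_ciphertext(salt, password) == field

# Line quoted in the message above (pass_gen.pl output for the word "test").
PAGE_LINE = ("u0:0f435d79d56ae33430041d2e1b2892cb13f2e346ab8d9a79febf2d9c695672b6"
             "$72:0:0:test:")

# Constructed input: same layout, but an 8-hex-digit salt like the questioned vectors.
LONG_SALT_FIELD = hashlib.sha256(b"1a2b3c4dtest").hexdigest() + "$1a2b3c4d"

if __name__ == "__main__":
    field = ciphertext_from_line(PAGE_LINE)
    print("parsed:", split_ciphertext(field))
    print("matches 'test':", check_password(field, "test"))
    print("8-digit salt accepted:", split_ciphertext(LONG_SALT_FIELD) is not None)
```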

