Date: Sun, 3 Feb 2008 22:17:13 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Joomla password hashes (was: identify this hash..)

On Sun, Feb 03, 2008 at 09:40:11AM -0500, Steve ...... wrote:
> so my original how to run it in john. I guess just remove the salt don't need
> it? best way? and run --format=raw-MD5.

Of course, you do need the salt.  Your options are:

1. Patch JtR to add support for these hashes - easy to do for someone
who can program in C.

2. Use the existing raw-MD5 functionality, but add the salt with either
a wordlist rule or an external filter().

3. Maybe use tools other than JtR.

With the second option, you do not need to patch anything (beyond what
you already have with the jumbo patch), but you'll have to be cracking
your hashes almost one-by-one, modifying john.conf for each salt.

Here's an example external filter() that adds that salt from your first
posting in this thread:

[List.External:Joomla]
void filter()
{
	int i;

// Find end of "word"
	i = 0; while (word[i]) i++;

// Hard-coded salt from http://www.openwall.com/lists/john-users/2008/02/01/1
	word[i++] = 'R';
	word[i++] = 'i';
	word[i++] = 'y';
	word[i++] = 'O';
	word[i++] = '6';
	word[i++] = 'I';
	word[i++] = 'Z';
	word[i++] = 'T';
	word[i++] = '9';
	word[i++] = 'e';
	word[i++] = 'u';
	word[i++] = 'D';
	word[i++] = 'z';
	word[i++] = '6';
	word[i++] = '9';
	word[i++] = 'F';

	word[i] = 0;
}

To use it, you'd put the hash in a file (let's call it passwd) like this:

	joomla1:4e36196d7ddc2610fd425ba0617233ca

Then run JtR on the file like this:

	./john -w=password.lst --rules --external=joomla --users=joomla1 --format=raw-md5 passwd

Of course, you do not have to specify "--users=joomla1" when there's
only one line in the file.  I've included this to show how you can use
this approach on a file with all of your hashes at once, yet not waste
time cracking other hashes with the wrong salt.

The same approach can also be used with other cracking modes - you just
need to remember to add "--external=joomla" and specify the correct salt
inside john.conf.

The above hash appears to be for a not-too-weak password, so you should
not expect to get it cracked with these examples.  However, I have
tested the approach with another Joomla hash that I've Google'ed up -
and it worked.

While experimenting with this, I found that Joomla is not good at
generating initial "random" passwords - there can only be one million of
those when running with PHP versions below 5.2.1.  The following script,
when run by the command-line PHP interpreter (must be below 5.2.1, too),
should generate all possible initial passwords:

<?php

$charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$len = strlen($charset);

for ($usec = 0; $usec < 1000000; $usec++) {
	mt_srand(10 * $usec);
	$pass = '';

	for ($i = 0; $i < 8; $i++) {
		$pass .= $charset[mt_rand(0, $len - 1)];
	}

	echo "$pass\n";
}

?>

With quite some effort, it should be possible to roll the above into an
external mode, too - although this is not necessary given that the
"wordlist" produced by the above script is just 9 MB.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
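
An added illustration, not part of the original message: the PHP script above derives every initial password from one of 1,000,000 seed values, so the seed, not the 62-character alphabet, bounds the password space. The Python code below puts that seeded pattern beside a CSPRNG-based generator and compares the effective entropy. Assumptions: Python's `random.Random` stands in for PHP's `mt_rand()`, so the generated strings do not match PHP's output, and all function names are hypothetical.

```python
import math
import random
import secrets
import string

# Same 62-character alphabet and 8-character length as the PHP script above.
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits
LENGTH = 8
SEED_VALUES = 1_000_000  # microsecond values 0..999999, as in the PHP loop


def seeded_password(usec):
    """Weak pattern: the password is a pure function of the seed.

    random.Random is a stand-in (assumption) for PHP's mt_rand(); the strings
    differ from PHP's, but the one-seed-one-password property is the same.
    """
    rng = random.Random(10 * usec)
    return "".join(CHARSET[rng.randrange(len(CHARSET))] for _ in range(LENGTH))


def csprng_password():
    """Hardened pattern: every character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(CHARSET) for _ in range(LENGTH))


def entropy_bits(outcomes):
    """Bits of entropy for a uniform choice among `outcomes` values."""
    return math.log2(outcomes)


def distinct_seeded(seed_count):
    """Count distinct passwords reachable from the first `seed_count` seeds."""
    return len({seeded_password(u) for u in range(seed_count)})


if __name__ == "__main__":
    print("nominal space : %.1f bits" % entropy_bits(len(CHARSET) ** LENGTH))
    print("seeded space  : %.1f bits" % entropy_bits(SEED_VALUES))
    print("distinct from 10000 seeds:", distinct_seeded(10_000))
    print("CSPRNG sample :", csprng_password())
```

With a seeded generator the number of possible passwords can never exceed the number of seeds, which is why the full list fits in a 9 MB file; drawing each character from a CSPRNG restores the nominal space.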
