Date: Thu, 5 Feb 2009 23:47:19 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Problems with DES valid()?

Joshua,

On Thu, Feb 05, 2009 at 08:25:03AM -0600, Joshua J. Drake wrote:
> It seems that the DES valid() function is improperly marking some
> hashes as invalid...  I'm not 100% sure this is a valid hash, but it
> is the right length and contains the right characters.  I'm currently
> looking at a file with a thousand or so of these hashes. One such hash
> is PSdSQOAjO8IcV.
> 
> Is this hash invalid or is there something wrong with valid()?  If
> it's invalid, why?

This is a 13-character string that uses the correct character set, yet
it can't possibly be produced by the traditional DES-based crypt(3),
because it has one of the unused and "always-zero" bits set.  Those are
part of the last character of the hash encoding.

The corresponding check is this line:

	if (atoi64[ARCH_INDEX(*(pos - 1))] & 3) return 0;

in DES_fmt.c: valid().  This check is indeed correct, no bug there.

If you like, you may try commenting this line out - then JtR will load
your "hashes" - but this is unlikely to result in any of those invalid
hash encodings getting cracked.  Most likely, they're either not hashes
at all or they are not traditional DES-based crypt(3) hashes (but rather
some other unsupported hashes, which happen to use similar encoding).

If you don't mind, please post some info on the system these strings
came from - OS, version, etc.  Does JtR load some percentage of the
"hashes", and is it close to 25%?

Also, if you find out anything further (e.g., if you get any of these
cracked in whatever way), please let the list know.

Thanks,

Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
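
The check discussed in the message above, written out as a standalone C program. This is an added example, not part of the original message and not JtR's own code. The function and enum names are made up for this illustration, and the second sample string is constructed by changing the last character of the string from the thread; it is not a known password hash.

```c
#include <stdio.h>
#include <string.h>

/* crypt(3) base-64 alphabet: a character's value is its index here */
static const char ITOA64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Return the 6-bit value of c, or -1 if c is outside the alphabet. */
static int a64_value(char c)
{
    const char *p = (c != '\0') ? strchr(ITOA64, c) : NULL;
    return p ? (int)(p - ITOA64) : -1;
}

/* Why a string is rejected; DES_OK means only "structurally plausible". */
enum des_check { DES_OK, DES_BAD_LENGTH, DES_BAD_CHAR, DES_PAD_BITS_SET };

enum des_check check_des_crypt(const char *s)
{
    size_t i;
    if (strlen(s) != 13) return DES_BAD_LENGTH;      /* 2 salt + 11 hash */
    for (i = 0; i < 13; i++)
        if (a64_value(s[i]) < 0) return DES_BAD_CHAR;
    /* 11 hash characters carry 66 bits, but the DES output is 64 bits:
       the low two bits of the final character are unused, always zero. */
    if (a64_value(s[12]) & 3) return DES_PAD_BITS_SET;
    return DES_OK;
}

/* Count the alphabet characters that can end a real hash. The result,
   out of 64, is the share of arbitrary strings that pass the check. */
int count_valid_last_chars(void)
{
    int n = 0;
    const char *p;
    for (p = ITOA64; *p; p++)
        if ((a64_value(*p) & 3) == 0) n++;
    return n;
}

int main(void)
{
    const char *samples[] = { "PSdSQOAjO8IcV", "PSdSQOAjO8IcU" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%s -> %d\n", samples[i], (int)check_des_crypt(samples[i]));
    printf("%d of 64 final characters pass\n", count_valid_last_chars());
    return 0;
}
```

A DES_OK result says only that the encoding is possible for traditional DES-based crypt(3), not that the string is a hash of any password.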
