Date: Thu, 24 Jun 2010 22:12:40 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: john the ripper for Kerberos Ticket

On Mon, Jun 21, 2010 at 10:20:36AM +0800, kristian wrote:
> atom:$krb5$e3649a0c63274f2f20aff89ddc2a1e8f6cac133ef8ebc6a1e28c2ee20336ea4720b437f4e676963192b8231a109656503a8bc3235c41909c28c5ef0de95c07753472ef094e6f33c113d14ee75eb60259e589fc800e695e0bae874e2471958545ee663ba1e74ea397c8b15c127df1d33972e29c7d88e2d9e253dd2a982c67c732a78603945be96061aa80e5c4d8f3fb01aa3bacf35664c94f4441b7f95108ff47592203619aa9bfb8a765f5db52d99e7ccbd3f9b98c1274858be1b67774f1cdb2e5a10322741f4dc23626d3dca408bf19acfc2e8e300b391ff9a19d852e6915163c7150c6e0b3bb2909f571561216bbe97b6160e9575e798ba7c5c4cad8d94f0d217f959446c08327881e36aa5b5ecdf86dc8627d:

The above is not entirely correct, but the code in KRB5_fmt.c was not
robust enough to detect that.  I've just fixed the code (for the next
revision of the jumbo patch).  Anyway, the correct syntax is:

atom:$krb5$atom$ITTELKOM.AC.ID$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

This includes the username and the realm (just my guess for it, probably
wrong) in the ciphertext string.  Here are two other examples from the
KRB5_fmt.c file:

test1:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97
test2:$krb5$oskov$ACM.UIUC.EDU$6cba0316d38e31ba028f87394792baade516afdfd8c5a964b6a7677adbad7815d778b297beb238394aa97a4d495adb7c9b7298ba7c2a2062fb6c9a4297f12f83755060f4f58a1ea4c7026df585cdfa02372ad619ab1a4ec617ad23e76d6e37e36268d9aa0abcf83f11fa8092b4328c5e6c577f7ec6f1c1684d9c99a309eee1f5bd764c4158a2cf311cded8794b2de83131c3dc51303d5300e563a2b7a230eac67e85b4593e561bf6b88c77b82c729e7ba7f3d2f99b8dc85b07873e40335aff4647833a87681ee557fbd1ffa1a458a5673d1bd3c1587eceeabaebf4e44c24d9a8ac8c1d89

With these three lines placed in the same file, I get two of three
passwords cracked as follows:

$ ./john -w=w pw-krb5
Loaded 3 password hashes with 3 different salts (Kerberos v5 TGT [krb5 3DES (des3-cbc-sha1)])
p4ssW0rd         (test1)
Nask0Oskov       (test2)
guesses: 2  time: 0:00:00:00 100.00% (ETA: Thu Jun 24 21:53:59 2010)  c/s: 500  trying: Nask0Oskov

$ ./john --show pw-krb5
test1:p4ssW0rd
test2:Nask0Oskov

2 password hashes cracked, 1 left

Yes, I had these known test passwords in the "w" wordlist file.  I was
not able to quickly crack "your" password, perhaps because it is not a
weak one and/or because I did not guess the realm name correctly and/or
because you did not provide the correct username.

While testing this, I identified a memory leak in KRB5_std.c.  I'll have
it fixed in the next jumbo patch update.

I've attached a patch with my code fixes so far.

Please let the list know whether you manage to get things working for
you or not - and provide some detail either way.

Thanks,

Alexander

diff -urp john-1.7.6-jumbo-3/src/KRB5_fmt.c john-1.7.6/src/KRB5_fmt.c
--- john-1.7.6-jumbo-3/src/KRB5_fmt.c	2009-09-22 21:03:43 +0000
+++ john-1.7.6/src/KRB5_fmt.c	2010-06-24 16:40:17 +0000
@@ -105,7 +105,7 @@ krb5_key *krb5key = &_krb5key;
 /**
  * hex2bin           // {{{
  */
-static void hex2bin(char *src, unsigned char *dst, int outsize) {
+static char hex2bin(char *src, unsigned char *dst, int outsize) {
     char *p, *pe;
     unsigned char *q, *qe, ch, cl;
 
@@ -118,14 +118,15 @@ static void hex2bin(char *src, unsigned 
 
         if ((ch >= '0') && (ch <= '9')) ch -= '0';
         else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10;
-        else return;
+        else return p[0];
 
         if ((cl >= '0') && (cl <= '9')) cl -= '0';
         else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10;
-        else return;
+        else return p[1];
 
         *q++ = (ch << 4) | cl;
     }
+    return 0;
 }
 // }}}
 
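Review bot: The error returns `else return p[0];` and `else return p[1];` collapse into the success value 0 whenever the offending byte is the NUL terminator, so a hex string that ends early or has an odd length is reported the same as a complete conversion; whether the loop can actually reach the terminator depends on the loop header, which lies above this hunk. The caller added in the krb5_salt hunk (`if (hex2bin(data, (unsigned char *) salt.tgt_ebin, TGT_SIZE)) return NULL;`) relies on a non-zero return, so such an input would pass valid() with only part of salt.tgt_ebin written. Returning a value that cannot be 0 on error fixes it, `else return p[0] ? p[0] : -1;` and `else return p[1] ? p[1] : -1;`, with the signature in the first hunk changed to `static int hex2bin(...)` so that -1 is unambiguous; alternatively compare q with qe before `return 0;` if qe is dst + outsize. hex2bin's loop header and the rest of its declarations are outside this hunk.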
@@ -166,51 +167,55 @@ int krb5_decrypt_compare() {
 // }}}
 
 /**
- * int krb5_valid                                                   // {{{
+ * void * krb5_salt                                                 // {{{
  * 
  */
-static int krb5_valid(char *ciphertext) {       
-    
-    if (strncmp(ciphertext, MAGIC_PREFIX, strlen(MAGIC_PREFIX)) != 0)
-        return 0;
-    
-    return 1;
+static void * krb5_salt(char *ciphertext) {
+    static struct salt salt;
+    char *data = ciphertext, *p;
+    int n;
+
+    // advance past the $krb5$ string - it was checked for in valid()
+    data += strlen(MAGIC_PREFIX);
+
+    // find and copy the user field
+    p = strchr(data, '$');
+    if (!p)
+	return NULL;
+    n = (p - data) + 1;
+    if (n >= sizeof(salt.user))
+	return NULL;
+    strnzcpy(salt.user, data, n);
+    data = p + 1;
+
+    // find and copy the realm field
+    p = strchr(data, '$');
+    if (!p)
+	return NULL;
+    n = (p - data) + 1;
+    if (n >= sizeof(salt.realm))
+	return NULL;
+    strnzcpy(salt.realm, data, n);
+    data = p + 1;
+
+    // copy over the TGT in a binary form to the salt struct
+    if (hex2bin(data, (unsigned char *) salt.tgt_ebin, TGT_SIZE))
+	return NULL;
+
+    return &salt;
 }
 // }}}
 
 /**
- * void * krb5_salt                                                 // {{{
+ * int krb5_valid                                                   // {{{
  * 
  */
-static void * krb5_salt(char *ciphertext) {
-    
-    struct salt *salt = NULL;
-    char *data = ciphertext, *p;
+static int krb5_valid(char *ciphertext) {       
     
-    // check the presence of $krb5$
-    if (strncmp(data, MAGIC_PREFIX, strlen(MAGIC_PREFIX)) == 0) {
-        // advance past the $krb5$ string
-        data += strlen(MAGIC_PREFIX);
-
-        // allocate memory for the struct
-        salt = malloc(sizeof(struct salt));
-        if (salt == NULL)
-            return NULL;
-
-        // find and copy the user field 
-        p = strchr(data, '$');
-        strnzcpy(salt->user, data, (p - data) + 1);
-        data = p + 1;
-        
-        // find and copy the realm field 
-        p = strchr(data, '$');
-        strnzcpy(salt->realm, data, (p - data) + 1);
-        data = p + 1;
-        
-        // copy over the TGT in a binary form to the salt struct
-        hex2bin(data, (unsigned char *) salt->tgt_ebin, TGT_SIZE);        
-    }
-    return salt;
+    if (strncmp(ciphertext, MAGIC_PREFIX, strlen(MAGIC_PREFIX)) != 0)
+        return 0;
+
+    return krb5_salt(ciphertext) ? 1 : 0;
 }
 // }}}
 
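Review bot: The added `return NULL;` lines in krb5_salt are indented with a tab while the rest of the new code uses four spaces, and the new `static int krb5_valid(char *ciphertext) {` line carries trailing whitespace; both should be normalized to the file's four-space style. The length checks `if (n >= sizeof(salt.user))` compare an `int` against `size_t`; declaring `n` as `size_t` (it is always at least 1 here, since p >= data) avoids the signed/unsigned promotion. They also accept an empty user or realm component (n == 1); if an empty field is never meaningful for this format, `if (n < 2 || n >= sizeof(salt.user)) return NULL;` would reject it, though I cannot confirm from this hunk whether any test vector relies on empty fields. The `struct salt` definition, strnzcpy and TGT_SIZE are outside this hunk.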
diff -urp john-1.7.6-jumbo-3/src/KRB5_std.c john-1.7.6/src/KRB5_std.c
--- john-1.7.6-jumbo-3/src/KRB5_std.c	2009-10-29 03:53:54 +0000
+++ john-1.7.6/src/KRB5_std.c	2010-06-24 17:44:41 +0000
@@ -280,7 +280,8 @@ void str2key(char *user, char *realm, ch
     
     // derive key from key
     derive_key(derive_const, sizeof(derive_const), krb5key);
-    
+
+    free(text);
 }
 // }}}
 
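Review bot: `free(text);` releases the buffer only on the fall-through path at the end of str2key; the start of the function, where `text` is allocated and where any early returns would be, lies above this hunk, so those paths would still leak if they exist and are worth checking. A short ownership comment next to the call, such as `/* text is a heap buffer owned by str2key; release it once derive_key() no longer needs it */`, would make the lifetime explicit, provided derive_key() does not retain a reference to it (not visible here).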
