Date: Tue, 27 Mar 2012 22:20:03 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com
Subject: Re: EPiServer hashes


On Tue, 2012-03-27 at 12:21 +0200, Per Thorsheim wrote:
> On Tue, 2012-03-27 at 11:27 +0400, Solar Designer wrote:
> > Hi,
> > 
> > This thread was referenced in tweets CC'ed to @Openwall:
> > 
> > http://hashcat.net/forum/thread-987-post-5151.html#pid5151
> > 
> > Maybe our EPiServer format is wrong or out of date.
> > 
> > Per - what's the status on this?  Does JtR work right for your hashes?
> > Does any change in JtR need to be made?
> > 
> > Alexander

Updated status:
Twitter/@...adel came to the rescue, revealing that the standard hash
format used by EPiServer - or Microsoft .NET to be exact - is sha1(salt |
utf16bytes(secret)). @hashcat has updated the forum thread with example
code that works against default config.

@klingsen provided an interesting sidenote: with .NET 4 it defaults to
sha256.

I presume EPiServer will, if they haven't got it already, create a guide
for their customers on how to improve the default security provided
by .NET. After all .NET does have PBKDF2 support (raise your hands if
you know somebody who uses it!)

Given the different types of encryption and hash algorithms supported
by .NET, there are more possibilities for jumbo patches for JtR. :-)


Best regards,
Per Thorsheim
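
Added example, not part of the original message and not code from JtR, hashcat or EPiServer: a verifier for the sha1(salt | utf16bytes(secret)) format named above that re-hashes with PBKDF2 on a successful login, so the fast salted SHA-1 value can be retired. Assumptions: utf16bytes means UTF-16LE without a BOM (.NET Encoding.Unicode); the record layout, scheme labels, function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, tune for your hardware


def legacy_hash(salt: bytes, password: str) -> bytes:
    """sha1(salt | utf16bytes(secret)) as stated in the message above.
    Assumption: UTF-16LE without a BOM (.NET Encoding.Unicode)."""
    return hashlib.sha1(salt + password.encode("utf-16-le")).digest()


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build a new record with a fresh random salt (hypothetical layout)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt, "hash": digest}


def verify_and_upgrade(record: dict, password: str,
                       iterations: int = PBKDF2_ITERATIONS):
    """Return (ok, record). A legacy record that verifies is replaced by a
    PBKDF2 record; the caller stores it and drops the old SHA-1 value."""
    if record["scheme"] == "sha1-salt-utf16":
        ok = hmac.compare_digest(legacy_hash(record["salt"], password),
                                 record["hash"])
        return (ok, pbkdf2_record(password, iterations) if ok else record)
    if record["scheme"] == "pbkdf2-sha256":
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     record["salt"], record["iterations"])
        return (hmac.compare_digest(digest, record["hash"]), record)
    return (False, record)  # unknown scheme: fail closed


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    salt = bytes(range(16))
    old = {"scheme": "sha1-salt-utf16", "salt": salt,
           "hash": legacy_hash(salt, "correct horse")}
    ok, new = verify_and_upgrade(old, "correct horse")
    print(ok, new["scheme"], new["iterations"])
```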



