[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Aug 2012 09:06:47 -0400
From: Matt Weir <cweir@...edu>
To: john-users@...ts.openwall.com
Subject: Re: Cracking Gauss using dynamic
I've been having some problems getting the correct hash to be
generated. First of all I've been using a bash script from the website
to generate expected values.
--------file hex. This is for the input word "secret" with salt------------
73656372657497486CAA225FE877C035CC0373236D51
--------end file-------------------------------------------------------------------------
-------Bash script-------------------------------------------------------------------------
#!/bin/bash
declare -i count
a=$(cat hex | xxd -p -r | md5 -r | awk '{print $1}')
for (( count = 0 ; count < 10000; count++))
do
a=$(echo -en "$a" | xxd -p -r | md5 -r | awk '{print $1}')
done
echo " done"
echo "$a"
exit 0
---------------------end bash script--------------------------------------
Also rather than paste all 10k lines (x 3-4) here is a python script
that generates the dynamic conf
---------------python script---------------------------------------------
print "#######################################################################"
print "# Dynamic Type for algorithm used in gauss malware
md5(md5(path.file.$s))^^10000"
print "#######################################################################"
print "[List.Generic:dynamic_2033]"
print "# Flag needed here, is Salt"
print "Flag=MGF_SALTED"
#print "SaltLen=16"
print "Func=DynamicFunc__clean_input"
print "Func=DynamicFunc__append_keys"
print "Func=DynamicFunc__append_salt"
print "Func=DynamicFunc__crypt_md5"
print "Func=DynamicFunc__clean_input2"
print "Func=DynamicFunc__append_from_last_output_to_input2_as_base16"
for i in range(10000):
print "Func=DynamicFunc__crypt2_md5"
print "Func=DynamicFunc__clean_input2_kwik"
print "Func=DynamicFunc__append_from_last_output2_as_base16"
print "Func=DynamicFunc__crypt_md5_in2_to_out1"
#print "Test=$dynamic_2033$23d7b45123f84ffb713569c22ebd7230$HEX$97486CAA225FE877C035CC0373236D51:test"
#print "Test=$dynamic_2033$7f6d15c16720a432493ba0fb1556e0a3$HEX$97486CAA225FE877C035CC0373236D51:test"
print "Test=$dynamic_2033$6d7affd7203134e7c13dad602a9b4282$HEX$97486CAA225FE877C035CC0373236D51:secret"
------------------End python
scrip--------------------------------------------------
So as you can see, I've been running some other tests as well. For a
single round of hashing everything works ok, but when I try to re-hash
it the self check fails vs. the output generated by the bash script,
(with me limiting the bash script to 1 rehash as well).
Note, one other issue that eventually will have to be dealt with is
how the input string is encoded with the real data. aka instead of
C:\Program Files..... it has a null '00' between each character so
you'll have to try C.:.\.P.r.o.g.r.a.m...F.i.l.e.s.....
2nd Note: I'm also using "test" and "secret" right now for my test
hashes since I haven't been able to figure out how to get the sample
on the website to work correctly in the dynamic config since it has a
":" in it.
I'm actually going camping in a couple of minutes so I apologize if I
don't respond to e-mails for the rest of the weekend, but I wanted to
post my current status before I left.
Thanks,
Matt
On Fri, Aug 17, 2012 at 8:41 AM, <jfoug@....net> wrote:
>
> On Fri, Aug 17, 2012 at 7:31 AM, jfoug@....net wrote:
>
>> On Fri, Aug 17, 2012 at 12:40 AM, Solar Designer wrote:
>>>
>>> I thought that maybe the implementation of phpass in the dynamic
>>> format was generic enough - but it is not. Its loop is hardcoded in
>>> DynamicFunc__PHPassCrypt(). So it seems like the current dynamic format
>>> is incapable of arbitrary loops. This may be something for JimF to
>>> enhance - not for this specific target, but in general.
>>
>>
>> There is no looping, or variables, or much of any other 'fancy' things in
>> dynamic. Mostly, it is an array of very simple function pointers, such as:
>> clear-this-buffer, append-this-string, crypt-this-buffer,
>> convert-this-to-base-16-and-append-to-buffer, etc, etc. Those are not the
>> real function names, but that is pretty much 'what' they do, and how much
>> smarts they have.
>>
>> So if you wanted to (with current dynamic), do 10k crypt of the crypt, you
>> would simply have to build a format with whatever initialization code was
>> needed to get things 'started', and then 10k of these (well, 9999 of the 2nd
>> part):
>>
>> DynamicFunc__crypt_md5_in1_to_out2
>> DynamicFunc__clean_input2
>> DynamicFunc__append_from_last_output2_as_raw
>> DynamicFunc__crypt2_md5()
>> DynamicFunc__clean_input2_kwik
>> DynamicFunc__append_from_last_output2_as_raw
>> DynamicFunc__crypt2_md5()
>> DynamicFunc__clean_input2_kwik
>> DynamicFunc__append_from_last_output2_as_raw
>>
>> // 9996 more of the:
>> DynamicFunc__clean_input2_kwik
>> DynamicFunc__overwrite_from_last_output2_as_base16_no_size_fix
>
>
> Sorry, wrong, code, should have been
> DynamicFunc__append_from_last_output2_as_raw
>
> That was cut/paste from some code that did not match this problem.
>
>
>> DynamicFunc__crypt2_md5()
>>
>> // then a final
>> DynamicFunc__clean_input2_kwik
>> DynamicFunc__overwrite_from_last_output2_as_base16_no_size_fix
>
>
> Same problem here, should have been
> DynamicFunc__append_from_last_output2_as_raw
>
>> DynamicFunc__crypt_md5_in2_to_out1
>
>
> ....
>
>
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
