Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Sep 2012 23:52:01 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Cracking Mountain Lion hashes (WIP)

On Fri, Sep 7, 2012 at 11:42 PM, Lukas Odzioba <lukas.odzioba@...il.com> wrote:
> 2012/9/7 Dhiru Kholia <dhiru.kholia@...il.com>:
>> On Fri, Sep 7, 2012 at 10:59 PM, Alexander Cherepanov <cherepan@...me.ru> wrote:
>>> On 07.09.2012 20:28, Dhiru Kholia wrote:
>>>> Now we need to parse the output of ml2john.py program and figure out
>>>> what the output means i.e. what is the iteration count, what is salt
>>>> etc.
>>>
>>> Well, ShadowHashData field is also plist. Convert it with the same
>>> script and you get 'salt', 'entropy' and 'iterations'.
>>
>> Thanks!, that worked.
>>
>> Next question, where is the actual pbkdf2 hash? I don't see it.
> Can you post it?

See attached code and earlier archive (use lulu.plist from it)

$ml$23923*32*c3fa2e153466f7619286024fe7d812d0a8ae836295f84b9133ccc65456519fc3*128*ccb903ee691ade6d5dee9b3c6931ebed6ddbb1348f1b26c21add8ba0d45f27e61e97c0b80d9a18020944bb78f1ebda6fdd79c5cf08a12c80522caf987c287b6da10095bb8fd82fcc03803e86675d84744139b694da7cead3c0133033a6257335cb6be0ad68c14f20321315f0ea71670a8b78bc2759ad9751430f0c9c5040617a

> If it is pure sha512pbkdf2 it should be consistent with this:
>
> from passlib.hash import grub_pbkdf2_sha512
> hash = grub_pbkdf2_sha512.encrypt("password", rounds=10964, salt="salt")
> print hash

Great. This works!

grub.pbkdf2.sha512.23923.C3FA2E153466F7619286024FE7D812D0A8AE836295F84B9133CCC65456519FC3.CCB903EE691ADE6D5DEE9B3C6931EBED6DDBB1348F1B26C21ADD8BA0D45F27E61E97C0B80D9A18020944BB78F1EBDA6FDD79C5CF08A12C80522CAF987C287B6D

This output implies that the actual hash is contained in the first
part of 'entropy' field. We now have full information to write a
cracker for Mountain Lion hashes.

Lukas,

Can you commit your code for cracking GRUB / Mountain Lion hashes. I
will clean-up ml2john.py program and commit it to magnum-jumbo.

-- 
Cheers,
Dhiru

Download attachment "ml2john.py" of type "application/octet-stream" (37942 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.