Date: Fri, 7 Sep 2012 20:28:47 +0200
From: Lukas Odzioba <>
Subject: Re: Cracking Mountain Lion hashes (WIP)

2012/9/7 Dhiru Kholia <>:
> On Fri, Sep 7, 2012 at 11:42 PM, Lukas Odzioba <> wrote:
>> 2012/9/7 Dhiru Kholia <>:
>>> On Fri, Sep 7, 2012 at 10:59 PM, Alexander Cherepanov <> wrote:
>>>> On 07.09.2012 20:28, Dhiru Kholia wrote:
>>>>> Now we need to parse the output of the program and figure out
>>>>> what the output means i.e. what is the iteration count, what is salt
>>>>> etc.
>>>> Well, ShadowHashData field is also plist. Convert it with the same
>>>> script and you get 'salt', 'entropy' and 'iterations'.
>>> Thanks! That worked.
>>> Next question, where is the actual pbkdf2 hash? I don't see it.
>> Can you post it?
> See attached code and earlier archive (use lulu.plist from it)
> $ml$23923*32*c3fa2e153466f7619286024fe7d812d0a8ae836295f84b9133ccc65456519fc3*128*ccb903ee691ade6d5dee9b3c6931ebed6ddbb1348f1b26c21add8ba0d45f27e61e97c0b80d9a18020944bb78f1ebda6fdd79c5cf08a12c80522caf987c287b6da10095bb8fd82fcc03803e86675d84744139b694da7cead3c0133033a6257335cb6be0ad68c14f20321315f0ea71670a8b78bc2759ad9751430f0c9c5040617a
>> If it is pure sha512pbkdf2 it should be consistent with this:
>> from passlib.hash import grub_pbkdf2_sha512
>> hash = grub_pbkdf2_sha512.encrypt("password", rounds=10964, salt="salt")
>> print hash
> Great. This works!
> grub.pbkdf2.sha512.23923.C3FA2E153466F7619286024FE7D812D0A8AE836295F84B9133CCC65456519FC3.CCB903EE691ADE6D5DEE9B3C6931EBED6DDBB1348F1B26C21ADD8BA0D45F27E61E97C0B80D9A18020944BB78F1EBDA6FDD79C5CF08A12C80522CAF987C287B6D
> This output implies that the actual hash is contained in the first
> part of 'entropy' field. We now have full information to write a
> cracker for Mountain Lion hashes.


> Lukas,
> Can you commit your code for cracking GRUB / Mountain Lion hashes? I
> will clean up the program and commit it to magnum-jumbo.

Now we have a test vector, so making a patch for it will be easy.
I'll send it within an hour. Hopefully JtR will be the first 10.8 password cracker :)
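The finding in this thread, as an added example that is not part of the original message or of the JtR code: it parses the `$ml$iterations*saltlen*salthex*entropylen*entropyhex` line quoted above and checks one candidate password against the first 64 bytes of 'entropy' with PBKDF2-HMAC-SHA512. The function names, the UTF-8 password encoding and the zero filler in `make_ml` are assumptions made for the example.

```python
import hashlib
import hmac

# Hash line and GRUB-style digest exactly as quoted in the thread.
ML_LINE = (
    "$ml$23923*32*"
    "c3fa2e153466f7619286024fe7d812d0a8ae836295f84b9133ccc65456519fc3"
    "*128*"
    "ccb903ee691ade6d5dee9b3c6931ebed6ddbb1348f1b26c21add8ba0d45f27e6"
    "1e97c0b80d9a18020944bb78f1ebda6fdd79c5cf08a12c80522caf987c287b6d"
    "a10095bb8fd82fcc03803e86675d84744139b694da7cead3c0133033a6257335"
    "cb6be0ad68c14f20321315f0ea71670a8b78bc2759ad9751430f0c9c5040617a"
)
GRUB_DIGEST = (
    "CCB903EE691ADE6D5DEE9B3C6931EBED6DDBB1348F1B26C21ADD8BA0D45F27E6"
    "1E97C0B80D9A18020944BB78F1EBDA6FDD79C5CF08A12C80522CAF987C287B6D"
)

def parse_ml(line):
    """Return (iterations, salt, entropy) from a $ml$ line; ValueError if malformed."""
    if not line.startswith("$ml$"):
        raise ValueError("missing $ml$ tag")
    fields = line[4:].split("*")
    if len(fields) != 5:
        raise ValueError("expected five '*'-separated fields")
    iterations, salt_len, entropy_len = (int(fields[i]) for i in (0, 1, 3))
    salt, entropy = bytes.fromhex(fields[2]), bytes.fromhex(fields[4])
    if len(salt) != salt_len or len(entropy) != entropy_len:
        raise ValueError("length field disagrees with hex data")
    if iterations < 1 or entropy_len < 64:
        raise ValueError("iteration count or entropy length out of range")
    return iterations, salt, entropy

def stored_digest(line):
    """The 64-byte PBKDF2 output: the first part of 'entropy', per the thread."""
    return parse_ml(line)[2][:64]

def check_password(line, password):
    """Constant-time comparison of one candidate against the stored digest."""
    iterations, salt, entropy = parse_ml(line)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                  salt, iterations, dklen=64)
    return hmac.compare_digest(derived, entropy[:64])

def make_ml(password, salt, iterations):
    """Hypothetical helper: build a constructed test line (tail is zero filler)."""
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    entropy = dk + bytes(64)
    return "$ml$%d*%d*%s*%d*%s" % (iterations, len(salt), salt.hex(), len(entropy), entropy.hex())
```
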
