Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Sep 2013 20:40:11 +0200
From: magnum <>
Subject: Re: mask mode bug

On 10 sep 2013, at 18:53, Sayantan Datta <> wrote:
> On Fri, Sep 6, 2013 at 12:18 AM, magnum <> wrote:
>> form=raw-md5-opencl               guesses: 1323 0:00:00:02 DONE : Expected count(s) (1500)  [!!!FAILED!!!]
>> .pot CHK:raw-md5-opencl           guesses: 1116 0:00:00:02 DONE : Expected count(s) (1500)  [!!!FAILED!!!]
> This issues is fixed on fx 8120, A4500M(CPU) and HD7670M. Please test it on 650M too. 

Excellent, all issues I knew of is gone now *except* one little detail... Try this hash:

$ echo >nullhash nullstring:d41d8cd98f00b204e9800998ecf8427e

Like it says, it's a null string password. Mask mode shouldn't crack it at all and the CPU format doesn't:

$ rm -f test.pot && ../run/john nullhash -form:raw-md5 -pot:test.pot -mask=?A
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 12x])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 0g/s 22400p/s 22400c/s 22400C/s ?..?
Session completed

...but your mask-mode OpenCL formats cracks it with a false positive:

$ rm -f test.pot && GWS=65536 ../run/john nullhash -form:raw-md5-opencl -pot:test.pot -mask=?A
Device 1: GeForce GT 650M 
Local worksize (LWS) 64, global worksize (GWS) 65536
Loaded 1 password hash (Raw-MD5-opencl [MD5 OpenCL (inefficient, development use only)])
Using kernel md5_ccc...
Press 'q' or Ctrl-C to abort, almost any other key for status
?                (nullstring)
1g 0:00:00:00 1.587g/s 1.587p/s 355.5c/s 355.5C/s ?.. 
Use the "--show" option to display all of the cracked passwords reliably
Session completed

That question mark is really the eight-bit character \x80:

$ LC_ALL=C cut -d: -f2 test.pot | hexdump -C
00000000  80 0a                                             |..|

This only seem to happen with -mask=?A, not with eg. ?a or ?A?A. I have no idea if this false positive also means we have some other false negative somewhere, or not. But I tested ?A in lengths up to 4 and compared with CPU format and there seem to be no false negatives, and no other false positives.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.