Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 4 Feb 2008 12:06:47 +0530
From: "Dhirendra Singh Kholia" <dhiru.kholia@...il.com>
To: john-users@...ts.openwall.com
Subject: NETHALFM patch

Hi,

This patch adds support for cracking first 7 characters of LM response.
Please apply against john-1.7.2-all9.

ToDo:

- Speed fixes by using bitsliced DES?
- part-wise cracking.


diff -ruNB john-1.7.2-all9/src/inc.c john-1.7.2-all9+/src/inc.c
--- john-1.7.2-all9/src/inc.c 2008-02-04 10:48:54.000000000 +0530
+++ john-1.7.2-all9+/src/inc.c 2008-02-04 10:50:51.000000000 +0530
@@ -24,6 +24,7 @@

 extern struct fmt_main fmt_LM;
 extern struct fmt_main fmt_NETLM;
+extern struct fmt_main fmt_NETHALFLM;

 typedef char (*char2_table)
 [CHARSET_SIZE + 1][CHARSET_SIZE + 1];
@@ -380,6 +381,8 @@
 mode = "LanMan";
 else if (db->format == &fmt_NETLM)
 mode = "LanMan";
+ else if (db->format == &fmt_NETHALFLM)
+ mode = "LanMan";
 else
 mode = "All";
 }
diff -ruNB john-1.7.2-all9/src/john.c john-1.7.2-all9+/src/john.c
--- john-1.7.2-all9/src/john.c 2008-02-04 10:48:54.000000000 +0530
+++ john-1.7.2-all9+/src/john.c 2008-02-04 10:50:51.000000000 +0530
@@ -54,6 +54,7 @@
 extern struct fmt_main fmt_DOMINOSEC;
 extern struct fmt_main fmt_NETLM;
 extern struct fmt_main fmt_NETNTLM;
+extern struct fmt_main fmt_NETHALFLM;
 extern struct fmt_main fmt_mssql;
 extern struct fmt_main fmt_mssql05;

@@ -102,6 +103,7 @@
 john_register_one(&fmt_DOMINOSEC);
 john_register_one(&fmt_NETLM);
 john_register_one(&fmt_NETNTLM);
+ john_register_one(&fmt_NETHALFLM);
 john_register_one(&fmt_mssql);
 john_register_one(&fmt_mssql05);

diff -ruNB john-1.7.2-all9/src/loader.c john-1.7.2-all9+/src/loader.c
--- john-1.7.2-all9/src/loader.c 2008-02-04 10:48:54.000000000 +0530
+++ john-1.7.2-all9+/src/loader.c 2008-02-04 10:50:51.000000000 +0530
@@ -249,6 +249,19 @@
 *ciphertext = tmp;
 }
 }
+ else if (options.format && ((strncmp(options.format, "nethalflm", 9)==0))) {
+ char *nethalflm = ldr_get_field(&line);
+ char *netntlm = ldr_get_field(&line);
+ char *challenge = ldr_get_field(&line);
+
+ if (strncmp(options.format, "nethalflm", 9)==0) {
+ tmp = (char *) mem_alloc(7 + strlen(challenge) + strlen(nethalflm) + 1);
+ memset(tmp, 0, 7 + strlen(challenge) + strlen(nethalflm) + 1);
+ sprintf(tmp, "$NETHALFLM$%s$%s", challenge, nethalflm);
+ *ciphertext = tmp;
+ }
+
+ }

 if (db_options->flags & DB_WORDS || db_options->shells->head) {
 gid = ldr_get_field(&line);
diff -ruNB john-1.7.2-all9/src/Makefile john-1.7.2-all9+/src/Makefile
--- john-1.7.2-all9/src/Makefile 2008-02-04 10:48:54.000000000 +0530
+++ john-1.7.2-all9+/src/Makefile 2008-02-04 10:50:51.000000000 +0530
@@ -50,6 +50,7 @@
 mscash_fmt.o \
 NETLM_fmt.o \
 NETNTLM_fmt.o \
+ NETHALFLM_fmt.o \
 mssql_fmt.o \
 mssql05_fmt.o \
 batch.o bench.o charset.o common.o compiler.o config.o cracker.o \
diff -ruNB john-1.7.2-all9/src/NETHALFLM_fmt.c
john-1.7.2-all9+/src/NETHALFLM_fmt.c
--- john-1.7.2-all9/src/NETHALFLM_fmt.c 1970-01-01 05:30:00.000000000 +0530
+++ john-1.7.2-all9+/src/NETHALFLM_fmt.c 2008-02-04 10:55:58.000000000 +0530
@@ -0,0 +1,223 @@
+/*
+ * NETHALFLM_fmt.c
+ * Written by DSK (Based on NetLM/NetNTLM patch by JoMo-Kun)
+ * Performs brute-force cracking of the HalfLM challenge/response pairs.
+
+ * Storage Format:
+ * domain\username:::lm response:nt response:challenge
+ *
+ * Code is in public domain.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include "misc.h"
+#include "common.h"
+#include "formats.h"
+
+#include <openssl/des.h>
+
+#ifndef uchar
+#define uchar unsigned char
+#endif
+
+#define FORMAT_LABEL         "nethalflm"
+#define FORMAT_NAME          "HalfLM C/R DES"
+#define ALGORITHM_NAME       "nethalflm"
+#define BENCHMARK_COMMENT    ""
+#define BENCHMARK_LENGTH     0
+#define PLAINTEXT_LENGTH     7
+#define BINARY_SIZE          24
+#define SALT_SIZE            8
+#define CIPHERTEXT_LENGTH    48
+#define TOTAL_LENGTH         12 + 2 * SALT_SIZE + CIPHERTEXT_LENGTH
+#define MIN_KEYS_PER_CRYPT   1
+#define MAX_KEYS_PER_CRYPT   1
+
+static struct fmt_tests tests[] = {
+  {"$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD",
"G3RG3P00!"},
+  {"$NETHALFLM$1122334455667788$6E1EC36D3417CE9E09A4424309F116C4C991948DAEB4ADAD",
"G3RG3P0"},
+  {"$NETHALFLM$1122334455667788$1354FD5ABF3B627B8B49587B8F2BBA0F9F6C5E420824E0A2",
"ZEEEZ@1"}
+};
+
+static char saved_plain[PLAINTEXT_LENGTH + 1];
+static uchar challenge[SALT_SIZE + 1];
+static uchar output[BINARY_SIZE + 1];
+
+static int nethalflm_valid(char *ciphertext)
+{
+  char *pos;
+
+  if (strncmp(ciphertext, "$NETHALFLM$", 9)!=0) return 0;
+  if (ciphertext[27] != '$') return 0;
+
+  for (pos = &ciphertext[28]; atoi16[ARCH_INDEX(*pos)] != 0x7F; pos++);
+    if (!*pos && pos - ciphertext - 28 == CIPHERTEXT_LENGTH) {
+    return 1;
+    }
+    else
+      return 0;
+}
+
+static char *nethalflm_split(char *ciphertext, int index)
+{
+  static char out[TOTAL_LENGTH + 1];
+
+  memset(out, 0, TOTAL_LENGTH + 1);
+  memcpy(&out, ciphertext, TOTAL_LENGTH);
+  strlwr(&out[10]); /* Exclude: $NETHALFLM$ */
+
+  return out;
+}
+
+static void *nethalflm_get_binary(char *ciphertext)
+{
+  static uchar binary[BINARY_SIZE];
+  int i;
+
+  ciphertext+=28;
+  for (i=0; i<BINARY_SIZE; i++)
+  {
+    binary[i] = (atoi16[ARCH_INDEX(ciphertext[i*2])])<<4;
+    binary[i] |= (atoi16[ARCH_INDEX(ciphertext[i*2+1])]);
+  }
+  return binary;
+}
+
+/* Avoid clash with NETLM_fmt.c */
+static void setup_des_key(unsigned char key_56[], des_key_schedule *ks)
+{
+  des_cblock key;
+
+  key[0] = key_56[0];
+  key[1] = (key_56[0] << 7) | (key_56[1] >> 1);
+  key[2] = (key_56[1] << 6) | (key_56[2] >> 2);
+  key[3] = (key_56[2] << 5) | (key_56[3] >> 3);
+  key[4] = (key_56[3] << 4) | (key_56[4] >> 4);
+  key[5] = (key_56[4] << 3) | (key_56[5] >> 5);
+  key[6] = (key_56[5] << 2) | (key_56[6] >> 6);
+  key[7] = (key_56[6] << 1);
+
+  des_set_key(&key, *ks);
+}
+
+static void nethalflm_crypt_all(int count)
+{
+  static unsigned char magic[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23,
0x24, 0x25};
+  des_key_schedule ks;
+  unsigned char password[7 + 1];
+  unsigned char lm[7];
+
+  /* clear buffers */
+  memset(password, 0, 7 + 1);
+  memset(lm, 0, 7);
+  memset(output, 0, 24);
+
+  strncpy((char *) password, saved_plain, 14);
+  /* Generate first 8-bytes of LM hash */
+  setup_des_key(password, &ks);
+  des_ecb_encrypt((des_cblock*)magic, (des_cblock*)lm, ks, DES_ENCRYPT);
+
+  /* DES-encrypt challenge using LM hash */
+  setup_des_key(lm, &ks);
+  des_ecb_encrypt((des_cblock*)challenge, (des_cblock*)output, ks,
DES_ENCRYPT);
+  /*printf("\nLM Response: ");
+  int i;
+  for( i = 0; i< 24 ;i++)
+  printf("%.2x",output[i]); */
+}
+
+static int nethalflm_cmp_all(void *binary, int count)
+{
+  return !memcmp(output, binary, 8);
+}
+
+static int nethalflm_cmp_one(void *binary, int index)
+{
+  return !memcmp(output, binary, 8);
+}
+
+static int nethalflm_cmp_exact(char *source, int index)
+{
+  return !memcmp(output, nethalflm_get_binary(source), 8);
+}
+
+static void *nethalflm_get_salt(char *ciphertext)
+{
+  static unsigned char binary_salt[SALT_SIZE];
+  int i;
+
+  ciphertext += 11;
+  for (i = 0; i < SALT_SIZE; ++i) {
+  binary_salt[i] = (atoi16[ARCH_INDEX(ciphertext[i*2])] << 4) +
atoi16[ARCH_INDEX(ciphertext[i*2+1])];
+  /*printf("%2x",binary_salt[i]);*/
+  }
+  return (void*)binary_salt;
+}
+
+static void nethalflm_set_salt(void *salt)
+{
+  memcpy(challenge, salt, SALT_SIZE);
+}
+
+static void nethalflm_set_key(char *key, int index)
+{
+  int i;
+
+  memset(saved_plain, 0, PLAINTEXT_LENGTH + 1);
+  strncpy(saved_plain, key, PLAINTEXT_LENGTH);
+
+  /* Upper-case password */
+  for(i=0; i<PLAINTEXT_LENGTH; i++)
+    if ((saved_plain[i] >= 'a') && (saved_plain[i] <= 'z'))
saved_plain[i] ^= 0x20;
+}
+
+static char *nethalflm_get_key(int index)
+{
+  return saved_plain;
+}
+
+struct fmt_main fmt_NETHALFLM = {
+  {
+    FORMAT_LABEL,
+    FORMAT_NAME,
+    ALGORITHM_NAME,
+    BENCHMARK_COMMENT,
+    BENCHMARK_LENGTH,
+    PLAINTEXT_LENGTH,
+    BINARY_SIZE,
+    SALT_SIZE,
+    MIN_KEYS_PER_CRYPT,
+    MAX_KEYS_PER_CRYPT,
+    FMT_8_BIT | FMT_BS | FMT_SPLIT_UNIFIES_CASE,
+    tests
+  }, {
+    fmt_default_init,
+    nethalflm_valid,
+    nethalflm_split,
+    nethalflm_get_binary,
+    nethalflm_get_salt,
+    {
+      fmt_default_binary_hash,
+      fmt_default_binary_hash,
+      fmt_default_binary_hash
+    },
+    fmt_default_salt_hash,
+    nethalflm_set_salt,
+    nethalflm_set_key,
+    nethalflm_get_key,
+    fmt_default_clear_keys,
+    nethalflm_crypt_all,
+    {
+      fmt_default_get_hash,
+      fmt_default_get_hash,
+      fmt_default_get_hash
+    },
+    nethalflm_cmp_all,
+    nethalflm_cmp_one,
+    nethalflm_cmp_exact
+  }
+};
+
+
diff -ruNB john-1.7.2-all9/src/options.c john-1.7.2-all9+/src/options.c
--- john-1.7.2-all9/src/options.c 2008-02-04 10:48:54.000000000 +0530
+++ john-1.7.2-all9+/src/options.c 2008-02-04 10:50:51.000000000 +0530
@@ -101,7 +101,7 @@
 "--salts=[-]COUNT           load salts with[out] at least COUNT passwords " \
 "only\n" \
 "--format=NAME              force ciphertext format NAME: " \
- "DES/BSDI/MD5/BF/AFS/LM/NT/PO/raw-MD5/IPB2/raw-sha1/salt-sha1/md5a/KRB5/bfegg/nsldap/ssha/oracle/MYSQL/mysql-sha1/mscash/lotus5/DOMINOSEC/NETLM/NETNTLM/mssql/mssql05\n"
\
+ "DES/BSDI/MD5/BF/AFS/LM/NT/PO/raw-MD5/IPB2/raw-sha1/salt-sha1/md5a/KRB5/bfegg/nsldap/ssha/oracle/MYSQL/mysql-sha1/mscash/lotus5/DOMINOSEC/NETLM/NETNTLM/NETHALFLM/mssql/mssql05\n"
\
 "--save-memory=LEVEL        enable memory saving, at LEVEL 1..3\n"

 void opt_init(char *name, int argc, char **argv)


-- 
dsk

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.