/* * HALFLM2.C * Performs Dictionary/BF cracking of bytes 8-16 of LM Response. * * Usesful when second part of password is weak!> * Also if first part of response is found, then basically we can * skip the guess loop in this code :-) * * Uses JtR 1-.7.2-all9 engine * Compile: Place in John-1.7.2-all9/src and do gcc HALFLM2 common.o -lssl -o pleasefixeme * Run: ./pleasefixme * Code is in public domain (although the code sucks!) * * TODO: * * - Somehow integrate into nethalflm patch i posted earlier * although i don't even have a faint idea here. * - I posted on oxid.it forums for some alternate idea but haven't * received any response.(I believe that they have better implementation/idea * as cleary shown by Cain & Abel)! */ #include #include #include "misc.h" #include "common.h" #include #ifndef uchar #define uchar unsigned char #endif #define FORMAT_LABEL "nethalflm" #define FORMAT_NAME "HalfLM C/R DES" #define ALGORITHM_NAME "nethalflm" #define BENCHMARK_COMMENT "" #define BENCHMARK_LENGTH 0 #define PLAINTEXT_LENGTH 7 #define BINARY_SIZE 8 #define SALT_SIZE 8 #define CIPHERTEXT_LENGTH 48 #define TOTAL_LENGTH 12 + 2 * SALT_SIZE + CIPHERTEXT_LENGTH static char saved_plain[PLAINTEXT_LENGTH + 1]; static uchar challenge[SALT_SIZE + 1]; static uchar output[BINARY_SIZE + 1]; char *ciphertext = "CBC98FE03D24AB15"; static uchar binary[BINARY_SIZE]; static void nethalflm_get_binary() { int i; for (i=0; i> 1); key[2] = (key_56[1] << 6) | (key_56[2] >> 2); key[3] = (key_56[2] << 5) | (key_56[3] >> 3); key[4] = (key_56[3] << 4) | (key_56[4] >> 4); key[5] = (key_56[4] << 3) | (key_56[5] >> 5); key[6] = (key_56[5] << 2) | (key_56[6] >> 6); key[7] = (key_56[6] << 1); des_set_key(&key, *ks); } static void nethalflm_crypt_all() { static unsigned char magic[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; des_key_schedule ks; unsigned char password[7 + 1]; unsigned char lm[7]; memset(password, 0, 7 + 1); /* clear buffers */ memset(lm, 0, 7); memset(output, 0, 8); printf("\nTarget Response: "); int i; for( i = 0; i< 7 ;i++) printf("%.2x",binary[i]); printf(" Trying key :: %s",saved_plain); strncpy((char *) password, saved_plain, 7); /* Generate first 8-bytes of LM hash */ setup_des_key(password, &ks); des_ecb_encrypt((des_cblock*)magic, (des_cblock*)lm, ks, DES_ENCRYPT); printf(" LM Hash: "); for( i = 0; i< 7 ;i++) printf("%.2x",lm[i]); /* hack */ for( i = 6; i > 0; i--) { lm[i] = lm[i-1]; } int j; for( j=0;j<256;j++) { lm[0]= j; /*printf("\nLM Hash after hack: "); for( i = 0; i< 7 ;i++) printf("%.2x",lm[i]); */ /* DES-encrypt challenge using LM hash */ setup_des_key(lm, &ks); des_ecb_encrypt((des_cblock*)challenge, (des_cblock*)output, ks, DES_ENCRYPT); if( memcmp(output, binary, 8) == 0 ) { printf(" :) Cracked!\n"); /*printf("\nLM Response: "); for( i = 0; i< 24 ;i++) printf("%.2x",output[i]); printf("\n"); */ return; } } printf(" Not found :("); } static void *nethalflm_get_salt(char *salt) { static unsigned char binary_salt[SALT_SIZE]; int i; for (i = 0; i < SALT_SIZE; ++i) { binary_salt[i] = (atoi16[ARCH_INDEX(salt[i*2])] << 4) + atoi16[ARCH_INDEX(salt[i*2+1])]; } return (void*)binary_salt; } static void nethalflm_set_salt(void *salt) { memcpy(challenge, salt, SALT_SIZE); } static void nethalflm_set_key(char *key) { int i; strncpy(saved_plain, key, PLAINTEXT_LENGTH); /* Upper-case password */ for(i=0; i= 'a') && (saved_plain[i] <= 'z')) saved_plain[i] ^= 0x20; } static char *nethalflm_get_key(int index) { return saved_plain; } int main( int argc, char **argv ) { common_init(); nethalflm_get_binary(); nethalflm_set_salt( nethalflm_get_salt("1122334455667788") ); nethalflm_set_key("bbbbbbb"); nethalflm_crypt_all(); nethalflm_set_key("aaaaaaa"); nethalflm_crypt_all(); }