Date: Thu, 5 Feb 2009 17:28:08 -0600
From: "Joshua J. Drake" <jtr-users@...p.org>
To: Solar Designer <solar@...nwall.com>
Cc: john-users@...ts.openwall.com
Subject: Re: Problems with DES valid()?

On Thu, Feb 05, 2009 at 11:47:19PM +0300, Solar Designer wrote:
> On Thu, Feb 05, 2009 at 08:25:03AM -0600, Joshua J. Drake wrote:
> > It seems that the DES valid() function is improperly marking some
> > hashes as invalid...  I'm not 100% sure this is a valid hash, but it
> > is the right length and contains the right characters.  I'm currently
> > looking at a file with a thousand or so of these hashes. One such hash
> > is PSdSQOAjO8IcV.
> 
> This is a 13-character string that uses the correct character set, yet
> it can't possibly be produced by the traditional DES-based crypt(3),
> because it has one of the unused and "always-zero" bits set.  Those are
> part of the last character of the hash encoding.
> 
> The corresponding check is this line:
> 
> 	if (atoi64[ARCH_INDEX(*(pos - 1))] & 3) return 0;
> 
> in DES_fmt.c: valid().  This check is indeed correct, no bug there.

Thank you for the insight here.

> If you don't mind, please post some info on the system these strings
> came from - OS, version, etc.  Does JtR load some percentage of the
> "hashes", and is it close to 25%?

Unfortunately I don't know much about the original system that this
password file came from.  However, it does indeed have some valid
DES hashes in the file.  There are about 411 found, with 1549 total
entries with 13 character hash fields.

> Also, if you find out anything further (e.g., if you get any of these
> cracked in whatever way), please let the list know.

I will see what I come up with trying to crack them.  Is it possible
that this bit has some arbitrary meaning?  Like perhaps preserving the
bit will result in a crack?  Or maybe removing the extra bits would
work?

-- 
Joshua J. Drake
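
Added example, not part of the original message and not John the Ripper's own code: a stand-alone C version of the structural check discussed above, using the crypt(3) base-64 alphabet. The function names and the probe string "ab0123456789." are constructed for illustration; "PSdSQOAjO8IcV" is the string from the thread.

```c
#include <stdio.h>
#include <string.h>

/* crypt(3) alphabet: '.'=0 '/'=1 '0'-'9'=2..11 'A'-'Z'=12..37 'a'-'z'=38..63 */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

enum des_check { DES_OK, DES_BAD_LENGTH, DES_BAD_CHARSET, DES_BAD_LAST_BITS };

/* Map an alphabet character to its 6-bit value, or -1 if it is not in the set. */
static int a64_value(char c)
{
    const char *p = c ? strchr(itoa64, c) : NULL;
    return p ? (int)(p - itoa64) : -1;
}

/* Hypothetical helper: says why a string can or cannot be a traditional DES hash. */
enum des_check check_des_hash(const char *s)
{
    size_t i;
    if (strlen(s) != 13) return DES_BAD_LENGTH;     /* 2 salt + 11 hash chars */
    for (i = 0; i < 13; i++)
        if (a64_value(s[i]) < 0) return DES_BAD_CHARSET;
    /* 11 chars * 6 bits = 66 bits for a 64-bit result: the low 2 bits of the
       last character are unused padding and must be zero. */
    if (a64_value(s[12]) & 3) return DES_BAD_LAST_BITS;
    return DES_OK;
}

/* Try every alphabet character in the last position of a constructed probe. */
int count_valid_last_chars(void)
{
    char probe[] = "ab0123456789.";   /* constructed string, not a real hash */
    int i, n = 0;
    for (i = 0; i < 64; i++) {
        probe[12] = itoa64[i];
        if (check_des_hash(probe) == DES_OK) n++;
    }
    return n;
}

int main(void)
{
    printf("PSdSQOAjO8IcV -> %d (last char value %d)\n",
           check_des_hash("PSdSQOAjO8IcV"), a64_value('V'));
    printf("%d of 64 final characters pass\n", count_valid_last_chars());
    return 0;
}
```

Only 16 of the 64 possible final characters pass, which is the 25% asked about in the quoted question.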
