Date: Wed, 1 Jul 2009 16:12:53 +0200
From: SL <auditor@...chat.de>
To: john-users@...ts.openwall.com
Subject: Re: Joomla password hashes

On Thu, 7 Feb 2008 07:10:42 +0300, Solar Designer wrote
> On Wed, Feb 06, 2008 at 10:09:17AM -0500, Steve ...... wrote:
>> On Sun, 3 Feb 2008 22:17:13 +0300, Solar Designer wrote:
>>> Here's an example external filter() that adds that salt from your
>>> first posting in this thread:
>>>
>>> [List.External:Joomla]
>>> void filter()
>>> {
>>> 	int i;
>>>
>>> // Find end of "word"
>>> 	i = 0; while (word[i]) i++;
>>>
>>> // Hard-coded salt from http://www.openwall.com/lists/john-users/2008/02/01/1
>>> 	word[i++] = 'R';
>>> 	word[i++] = 'i';
>>> 	word[i++] = 'y';
>>> 	word[i++] = 'O';
>>> 	word[i++] = '6';
>>> 	word[i++] = 'I';
>>> 	word[i++] = 'Z';
>>> 	word[i++] = 'T';
>>> 	word[i++] = '9';
>>> 	word[i++] = 'e';
>>> 	word[i++] = 'u';
>>> 	word[i++] = 'D';
>>> 	word[i++] = 'z';
>>> 	word[i++] = '6';
>>> 	word[i++] = '9';
>>> 	word[i++] = 'F';
>>>
>>> 	word[i] = 0;
>>> }
>>>
>>> To use it, you'd put the hash in a file (let's call it passwd) like
>>> this:
>>>
>>> 	joomla1:4e36196d7ddc2610fd425ba0617233ca
>>>
>>> Then run JtR on the file like this:
>>>
>>> 	./john -w=password.lst --rules --external=joomla --users=joomla1 --format=raw-md5 passwd
>>
>> I'm a little confused.. so I would have to add that below line for
>> line to my john.conf and run john wait a couple days then modify it
>> again changing it line by line run john on another hash?.. sounds
>> like a lot of work and time.
>
>
> That's correct - although it's up to you to decide how long to let it
> run on just one hash - a couple of days sounds excessive to me if you
> have a lot of hashes.  In fact, if you choose to test for just the
> initial passwords (those not changed by the users), then you'd need
> just a few seconds per hash.
>
> [...]
>
> This external mode that I posted was primarily a proof-of-concept.
> For actual use on a large number of hashes, you'd want support for
> these hashes added to JtR itself.

Sorry for quoting this much, but since it's a reply to a rather dusty  
post, I thought it was sensible.

My approach to salted Joomla MD5's is a little different, but (at  
least to my gusto) more convenient (assuming Bash, may work with  
other shells, works equally well on Linux and OSX/BSD):

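#!/bin/bash
wordlist="./password.lst"
passwd="./passwd"
# Each record is user:hash:salt[:comments]; IFS is set for read only.
while IFS=":" read -r user hash salt comments; do
    echo "Trying $user ..."
    # Generate candidates, append this user's salt to each one, and feed
    # the result to a second john instance that checks only this user.
    ./john --session="S1" --stdout --wordlist="$wordlist" --rules \
        | sed "s/$/${salt}/" \
        | ./john --session="S2" --stdin --format=raw-MD5 --user="$user" "$passwd"
done < "$passwd"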

./passwd's format is:
joomla1:4e36196d7ddc2610fd425ba0617233ca:RiyO6IZT9euDz69F
$username:MD5($password$salt):$salt[:comments, full name, email etc.]

This is certainly not the most performant solution, but with a  
carefully crafted wordlist and a moderate ruleset, it's able to audit  
an entire user DB within a fortnight.

Of course, you can equally use "--markov" or "--incremental", if  
you've got plenty of time or CPU cycles. Just replace
./john --session="S1" --stdout --wordlist="$wordlist" --rules
with
./john --session="S1" --stdout --markov
or
./john --session="S1" --stdout --incremental

(I fail to crack the given example hash though, by the way. As Solar  
mentioned, it appears to be nontrivial.)

SL
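
The hash construction and file format described in the message above, as an added example that is not part of the original post: a weak-password check that parses user:hash:salt[:comments] records and computes MD5($password$salt) directly. The function names, the sample records and the three-word list are constructed for illustration, and md5sum (or md5 -q on OSX/BSD) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): weak-password check over the
# user:hash:salt[:comments] format, computing MD5($password$salt) directly.

md5_hex() {   # hex MD5 of "$1"; printf avoids hashing a trailing newline
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q        # OSX/BSD
    fi
}

joomla_hash() {   # $1 = password, $2 = salt
    md5_hex "$1$2"
}

# audit_weak PASSWD WORDLIST: print "user:password" for each account whose
# password appears in WORDLIST.
audit_weak() {
    # "comments" absorbs any trailing fields so they never end up in the salt.
    while IFS=: read -r user hash salt comments; do
        # Skip blank or malformed records instead of hashing garbage.
        [ -n "$user" ] && [ -n "$hash" ] && [ -n "$salt" ] || continue
        hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')   # dumps may be upper case
        while IFS= read -r candidate; do
            if [ "$(joomla_hash "$candidate" "$salt")" = "$hash" ]; then
                printf '%s:%s\n' "$user" "$candidate"
                break
            fi
        done < "$2"
    done < "$1"
}

demo() {   # constructed sample data, not real accounts
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
alice:5f4dcc3b5aa765d61d8327deb882cf99:word:constructed record
bob:5D41402ABC4B2A76B9719D911017C592:lo
carol:900150983cd24fb0d6963f7d28e17f72:c:not in the wordlist
malformed-line-without-fields
EOF
    printf '%s\n' pass hel letmein > "$tmp/words"
    audit_weak "$tmp/passwd" "$tmp/words"
    rm -rf "$tmp"
}

demo
```

Because the salt is appended per record, every candidate has to be rehashed for every account, which is the per-user cost the pipeline above pays as well.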

