Date: Tue, 8 Sep 2009 08:47:09 -0600
From: RB <aoz.syn@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: John and RARs or ZIPs

On Tue, Sep 8, 2009 at 08:06, Nahuel Grisolía <nahuel.grisolia@...il.com> wrote:
> Hey Guys, I just want to know if anyone of you has ever coded something to
> use John to crack the encryption used in RARs (AES128) or ZIPs (??).

This is a class of query that comes up here quite often - "can JtR be used to crack X?" The answer depends largely on the implementation, but is generally "no": JtR doesn't directly support specific file formats, it handles password hashes.

In clarification (and simplified terms), you need to understand the difference between hashing and encryption. Hashing is a one-way process by which a statistically unique small value is computationally derived from a [typically] larger data set. The "one-way" part is critical: you cannot derive the original data from a hash, only repeat the process and confirm you have a precise copy. Encryption is a bidirectional process by which data may be converted to and from an opaque form by use of a secret key.

In well-designed systems, passwords are stored in hashed form - you cannot derive the original data directly from the hash, but you may hash the data you have and compare the two. What JtR does is create a list of potential passwords, hash them, and then compare them against a specified hash until it finds a match (or reaches the heat death of the universe), hence:

John the Ripper does not perform any decryption.

I split that out because it's incredibly important to understanding the role of password "crackers". Password crackers generally do not do any decryption, they only bumble along (some more intelligently and quickly than others) trying to make up something that matches the known hash.

If a particular file format were to be so generous as to include a hash of the password, it would be possible to extract that hash and, if necessary, create a JtR handler for the hash form. However, most encrypted formats aren't so poorly designed and will happily decrypt with whatever key they're given, forcing the attacker to evaluate whether the decrypted results are valid. That evaluation is beyond the scope of an application such as JtR.

> How can we know if the RAR or ZIP is really decrypted?

The formats probably have internal checksums or well-known values that are checked post-decryption to allow validation of the key.
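
The distinction drawn in the message above, as an added example that is not part of the original message or of JtR: a stored hash is verified by hash-and-compare, while a container that stores no password hash decrypts under any key and is only validated by an internal checksum afterwards. The container layout, the toy cipher standing in for AES, and all names and sample values are assumptions constructed for illustration.

```python
import hashlib
import zlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in for AES, not for real use."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def derive_key(password: str, salt: bytes) -> bytes:
    """Password-to-key step; PBKDF2 with a low iteration count to keep the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def make_archive(password: str, plaintext: bytes, salt: bytes) -> dict:
    """Hypothetical container: ciphertext plus CRC32 of the plaintext, no password hash."""
    return {"salt": salt,
            "crc": zlib.crc32(plaintext),
            "ct": keystream_xor(derive_key(password, salt), plaintext)}

def try_password(archive: dict, candidate: str):
    """Decryption always produces bytes; only the checksum says whether they are valid."""
    pt = keystream_xor(derive_key(candidate, archive["salt"]), archive["ct"])
    return pt if zlib.crc32(pt) == archive["crc"] else None

def check_hash(stored_hash: str, candidate: str) -> bool:
    """The hash case: hash the candidate and compare; nothing is decrypted."""
    return hashlib.sha256(candidate.encode()).hexdigest() == stored_hash

# Constructed sample data (not taken from any real archive or password file).
PLAINTEXT = b"quarterly report, draft 3"
ARCHIVE = make_archive("correct horse", PLAINTEXT, b"constructed-salt")
STORED = hashlib.sha256(b"correct horse").hexdigest()

if __name__ == "__main__":
    for guess in ("letmein", "correct horse"):
        print(guess, check_hash(STORED, guess), try_password(ARCHIVE, guess))
```

A 32-bit check value lets roughly one wrong key in 2^32 pass by chance, so a match on the checksum alone is strong evidence rather than proof.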