Date: Fri, 25 Jun 2010 04:55:33 +0800 (SGT)
From: kristian <x_astroboyz@...oo.co.id>
To: john-users@...ts.openwall.com
Subject: Re: john the ripper for Kerberos Ticket

Thanks for your reply.

I think the ciphertext string I put in the file is different from the example in the KRB5_fmt.c file; I got it from the AS_REP packet in Wireshark. They're different in length, I see.

I use the FreeBSD operating system, which installs (almost all) software by ports, so when I patched john with your patch and installed it manually with the command:

# make clean generic

it looks like it installed successfully, but when I run "./john" I get this error message:

fopen: /usr/local/share/john/john.ini: No such file or directory

Then I installed it again via ports (after patching, of course), but I get this message when I run john:

Segmentation fault: 11 (core dumped)

Just like before I posted my question to this mailing list. This error looks like a memory problem in FreeBSD.

Kristian W Adi Nugroho
Informatics Engineering of Institut Teknologi Telkom
(+6285222041990)

--- On Fri, 25/6/10, Solar Designer <solar@...nwall.com> wrote:

From: Solar Designer <solar@...nwall.com>
Subject: Re: [john-users] john the ripper for Kerberos Ticket
To: john-users@...ts.openwall.com
Date: Friday, 25 June 2010, 1:12 AM

On Mon, Jun 21, 2010 at 10:20:36AM +0800, kristian wrote:
> atom:$krb5$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:

The above is not entirely correct, but the code in KRB5_fmt.c was not robust enough to detect that. I've just fixed the code (for the next revision of the jumbo patch). Anyway, the correct syntax is:

atom:$krb5$atom$ITTELKOM.AC.ID$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

This includes the username and the realm (just my guess for it, probably wrong) in the ciphertext string.

Here are two other examples from the KRB5_fmt.c file:

test1:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97
test2:$krb5$oskov$ACM.UIUC.EDU$6cba0316d38e31ba028f87394792baade516afdfd8c5a964b6a7677adbad7815d778b297beb238394aa97a4d495adb7c9b7298ba7c2a2062fb6c9a4297f12f83755060f4f58a1ea4c7026df585cdfa02372ad619ab1a4ec617ad23e76d6e37e36268d9aa0abcf83f11fa8092b4328c5e6c577f7ec6f1c1684d9c99a309eee1f5bd764c4158a2cf311cded8794b2de83131c3dc51303d5300e563a2b7a230eac67e85b4593e561bf6b88c77b82c729e7ba7f3d2f99b8dc85b07873e40335aff4647833a87681ee557fbd1ffa1a458a5673d1bd3c1587eceeabaebf4e44c24d9a8ac8c1d89

With these three lines placed in the same file, I get two of three passwords cracked as follows:

$ ./john -w=w pw-krb5
Loaded 3 password hashes with 3 different salts (Kerberos v5 TGT [krb5 3DES (des3-cbc-sha1)])
p4ssW0rd         (test1)
Nask0Oskov       (test2)
guesses: 2  time: 0:00:00:00 100.00% (ETA: Thu Jun 24 21:53:59 2010)  c/s: 500  trying: Nask0Oskov
$ ./john --show pw-krb5
test1:p4ssW0rd
test2:Nask0Oskov

2 password hashes cracked, 1 left

Yes, I had these known test passwords in the "w" wordlist file.

I was not able to quickly crack "your" password, perhaps because it is not a weak one and/or because I did not guess the realm name correctly and/or because you did not provide the correct username.

While testing this, I identified a memory leak in KRB5_std.c. I'll have it fixed in the next jumbo patch update. I've attached a patch with my code fixes so far.

Please let the list know whether you manage to get things working for you or not - and provide some detail either way.

Thanks,

Alexander
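As an added example (not code from this thread and not from John the Ripper's KRB5_fmt.c), the Python below parses and rebuilds the login:$krb5$user$REALM$hex input-line syntax Solar gives above, rejecting a line that omits the user and realm fields the way the original "atom" line did, and applies a length sanity check taken from the RFC 3961 des3-cbc-hmac-sha1-kd layout (whole 8-byte CBC blocks followed by a 20-byte HMAC-SHA1), which is the etype john labels this format with. The function and constant names are my own, the sample input is the test1 line quoted from KRB5_fmt.c above, and the check only says whether a string is shaped like des3-cbc-sha1 output, not whether the right AS-REP field was captured.

```python
import binascii
import re

# Added example (not part of John the Ripper): helpers for the john input
# line syntax discussed in the thread, login:$krb5$user$REALM$hex-ciphertext.
# Function and constant names here are my own.

HMAC_SHA1_LEN = 20   # des3-cbc-hmac-sha1-kd (RFC 3961) appends a 160-bit HMAC
DES_BLOCK = 8        # DES/3DES CBC output is a whole number of 8-byte blocks

# Sample input: the test1 line from KRB5_fmt.c as quoted in the message above.
TEST1_LINE = (
    "test1:$krb5$oskov$ACM.UIUC.EDU$"
    "4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4b"
    "d4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0e"
    "a0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca"
    "14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c"
    "2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9"
    "ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa4181432"
    "91d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a"
    "94422f97"
)


def parse_krb5_line(line):
    """Return (login, user, realm, ciphertext_bytes) for one john input line.

    Raises ValueError for the malformed shapes discussed in the thread: a
    line with no user/realm fields, or a ciphertext that is not clean hex.
    """
    login, sep, hash_part = line.strip().partition(":")
    if not sep or not login:
        raise ValueError("expected 'login:$krb5$user$REALM$ciphertext'")
    fields = hash_part.split("$")
    # "$krb5$user$REALM$hex".split("$") == ["", "krb5", user, REALM, hex];
    # "$krb5$hex" (the original, incomplete line) yields only three fields.
    if len(fields) != 5 or fields[0] != "" or fields[1] != "krb5":
        raise ValueError("expected '$krb5$user$REALM$ciphertext'")
    user, realm, hexct = fields[2:]
    if not user or not realm:
        raise ValueError("user and realm must both be non-empty")
    if len(hexct) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexct):
        raise ValueError("ciphertext must be an even-length hex string")
    return login, user, realm, binascii.unhexlify(hexct)


def is_valid_krb5_line(line):
    """True when parse_krb5_line() accepts the line, False otherwise."""
    try:
        parse_krb5_line(line)
    except ValueError:
        return False
    return True


def build_krb5_line(login, user, realm, ciphertext):
    """Inverse of parse_krb5_line(): assemble a line from raw ciphertext bytes."""
    return "%s:$krb5$%s$%s$%s" % (login, user, realm, ciphertext.hex())


def plausible_des3_cbc_sha1(ciphertext):
    """Shape check for the etype john reports for this format.

    RFC 3961 des3-cbc-hmac-sha1-kd output is CBC(confounder || plaintext ||
    pad), i.e. n*8 bytes with n >= 1, followed by a 20-byte HMAC-SHA1, so a
    well-formed ciphertext has length 8*n + 20.  A string that fails this was
    probably cut from the wrong AS-REP field or uses a different etype.
    """
    body = len(ciphertext) - HMAC_SHA1_LEN
    return body >= DES_BLOCK and body % DES_BLOCK == 0


if __name__ == "__main__":
    login, user, realm, ct = parse_krb5_line(TEST1_LINE)
    print(login, user, realm, len(ct), plausible_des3_cbc_sha1(ct))
    # A line in the original, user-less shape is rejected before john sees it.
    print(is_valid_krb5_line("atom:$krb5$" + ct.hex()))
```

Run it over the string copied out of the AS-REP packet: a ValueError points at the line syntax itself, while a False from plausible_des3_cbc_sha1() suggests the hex came from a different field or a different etype, either of which would leave john unable to recover even a weak password.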