Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 27 Feb 2011 20:50:34 -0600
From: "jfoug" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: RE: md5_gen(0) broken for ages?

>> 2. This will likely only work for non-salted hashes, due to how md5_gen
>> requires the salt to be placed.
>
>Well if you know a salt, you would of course prepare the file (but only 
>once!) so the salt part is correct for md5-gen:.
>
>user:b065775a4631811715c2b83163b921a0$salt:::
>
>So it's "half-prepared" for md5_gen but it doesn't say which subformat 
>we want. Then you just try subformats using the command-line option - of 
>course picking those with one salt, as well as formats like 
>md5($u.md5($p).$s).
>
>Hopefully this will be OK with the implementation you have in mind.

The above would work for salted hashes.  At this time, there is no 
code working in md5-gen that works for the $u (username). There are 2
saltes possible.   The hash format for 2 saltes is:

md5-gen(num)hhhhhhhhhhh$salt$$2salt2

So salt begins with (but does not include) a $ char, at the 'proper' offset,
and the salt2 starts with $$2 (but does not include it), and is appended to
the first salt.  

A person can make a md5-gen format that is salted with a user_id, by using
the salt and salt2 format, so at least it 'is' doable at this time.  I
simply
have not figured out exactly how to properly pull the userid when it is
required, to get it working with md5-gen.  Likely it will need to be pulled
during the 'salt()' function, and incorporated into the salt that john would
be working with.  Then when john tells md5-gen to use a salt, the salt would
be in there, an 2nd salt (if there is one), would be there, and the proper
userid would be there, also, and be able to be properly used to perform 
the encryptions.  But so far, I have not implemented the $u

Jim.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.