Date: Tue, 20 Sep 2011 10:00:26 -0500
From: "jfoug" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: RE: md5(unicode($u."&".$p)) eventually working ...

>From: Nicolas RUFF [mailto:nicolas.ruff@...il.com]
>
>There were two mistakes in my sample:
>
>1/ If any kind of salt is used, *including username*, MGF_SALTED must be
>specified.

The $$Uuser, $$Fx, etc all piggyback inside the salt portion of the format
line.  Now, when you use these variables in a saltless format, such as what
you are making, there are some ambiguities.  It appears I have not worked
through all of them. I will see what I can do.   I think the first format
you entered (without the MGF_SALTED), should be adequate, or the code should
be changed so that it 'IS' adequate.  


>A valid configuration file is:
>------------------------------
>[List.Generic:md5_gen(1009)]
>Expression=md5(unicode($u."&".$p))
>Flag=MGF_USERNAME
>Flag=MGF_SALTED
>Flag=MGF_NOTSSE2Safe
>Func=MD5GenBaseFunc__clean_input
>Func=MD5GenBaseFunc__setmode_unicode
>Func=MD5GenBaseFunc__append_userid
>Func=MD5GenBaseFunc__append_input1_from_CONST1
>Func=MD5GenBaseFunc__append_keys
>Func=MD5GenBaseFunc__crypt
>CONST1=&
>Test=md5_gen(1009)ca6ebcf4d6ed610ef1fb7316f9f415db$$Uroot:casque
>------------------------------
>
>2/ Input file format must be the following:
>username1:hash$$Uusername2

This issue surprises me.  I thought that the 'prepare' function would handle
this, and deal with shoving the user name field into the hash properly.  It
may be tied to having to add the MGF_SALTED flag.  I will investigate.  It
may be that since there is no 'real' salt, the prepare is not able to
properly append the $$Uusername data.

Once you added the MGF_SALTED, would this line work?

root:md5_gen(1009)ca6ebcf4d6ed610ef1fb7316f9f415db

or this line, if you use the -format='md5_gen(1009)' on the command line?

root:ca6ebcf4d6ed610ef1fb7316f9f415db

I thought 'both' should work.

>* username2 is used for hash computation.
>* username1 is used for display purpose only, it can even differ from
>username2.
>
>This holds valid as of john-1.7.8-jumbo-6rc2 on Linux x86.

I will look into this.  I will see what can be done with your original
format script.

One suggestion is to create your own script number, somewhat higher than
the last one left off in the current generic.conf file.  So, you might start
at 1350 or so, for your script number (make it your own 'private' number
range).  That way, you would not have issues later, if 1009 ends up being
used. Since there is no 'global' library of generic scripts, we have to
somehow interactively proceed.  Now that you have used 1009, it could easily
be added to the official generic.conf file. NOTE, that any format number
over 2000 will not be run in the "-test -form=md5-gen" (but doing ./john
-test -form=md5_gen(2010) WOULD test that single sub format).  

Jim.
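
The input-line layout discussed in this thread (`username1:hash$$Uusername2`), as an added Python example that is not code from John the Ripper or from either poster. It assumes `unicode()` means UTF-16LE encoding, and that a line without `$$U` falls back to the login field, which is the behaviour the reply above expects from 'prepare'; the function names and the sample account names are made up for illustration.

```python
import hashlib
import hmac

FORMAT_TAG = "md5_gen(1009)"  # sub-format number used in the thread
HEX_DIGITS = set("0123456789abcdefABCDEF")


def compute_hash(username: str, password: str) -> str:
    """md5(unicode($u."&".$p)); unicode() is ASSUMED to be UTF-16LE."""
    data = f"{username}&{password}".encode("utf-16-le")
    return hashlib.md5(data).hexdigest()


def parse_line(line: str):
    """Split 'login:[md5_gen(1009)]hash[$$Uuser]' into
    (display_name, hex_hash, username_used_for_hashing)."""
    display, colon, rest = line.strip().partition(":")
    if not colon:
        raise ValueError("expected 'login:hash'")
    if rest.startswith(FORMAT_TAG):
        rest = rest[len(FORMAT_TAG):]
    hex_hash, marker, hash_user = rest.partition("$$U")
    if len(hex_hash) != 32 or not set(hex_hash) <= HEX_DIGITS:
        raise ValueError("hash field is not 32 hex digits")
    # ASSUMPTION: with no $$U suffix, the login field is the hashed username.
    return display, hex_hash.lower(), hash_user if marker else display


def check(line: str, candidate: str) -> bool:
    """True if `candidate` is the password behind `line`."""
    _display, hex_hash, hash_user = parse_line(line)
    return hmac.compare_digest(compute_hash(hash_user, candidate), hex_hash)


# Constructed sample data (not taken from the thread): the display name
# 'alice' differs from 'svc_backup', the name that went into the hash.
_H = compute_hash("svc_backup", "example-pass")
SAMPLE = f"alice:{FORMAT_TAG}{_H}$$Usvc_backup"
SAMPLE_NO_SUFFIX = f"alice:{_H}"

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print("with $$U suffix:   ", check(SAMPLE, "example-pass"))
    print("without $$U suffix:", check(SAMPLE_NO_SUFFIX, "example-pass"))
```

The second check fails because the hash is then recomputed with the display name `alice`, which is why the suffix matters whenever the two names differ.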
