Date: Tue, 20 Sep 2011 10:00:26 -0500
From: "jfoug" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: RE: md5(unicode($u."&".$p)) eventually working ...

>From: Nicolas RUFF [mailto:nicolas.ruff@...il.com]
>
>There were two mistakes in my sample:
>
>1/ If any kind of salt is used, *including username*, MGF_SALTED must be
>specified.

The $$Uuser, $$Fx, etc all piggyback inside the salt portion of the format
line. Now, when you use these variables in a saltless format, such as what
you are making, there are some ambiguities. It appears I have not worked
through all of them. I will see what I can do. I think the first format
you entered (without the MGF_SALTED) should be adequate, or the code should
be changed so that it 'IS' adequate.

>A valid configuration file is:
>------------------------------
>[List.Generic:md5_gen(1009)]
>Expression=md5(unicode($u."&".$p))
>Flag=MGF_USERNAME
>Flag=MGF_SALTED
>Flag=MGF_NOTSSE2Safe
>Func=MD5GenBaseFunc__clean_input
>Func=MD5GenBaseFunc__setmode_unicode
>Func=MD5GenBaseFunc__append_userid
>Func=MD5GenBaseFunc__append_input1_from_CONST1
>Func=MD5GenBaseFunc__append_keys
>Func=MD5GenBaseFunc__crypt
>CONST1=&
>Test=md5_gen(1009)ca6ebcf4d6ed610ef1fb7316f9f415db$$Uroot:casque
>------------------------------
>
>2/ Input file format must be the following:
>username1:hash$$Uusername2

This issue surprises me. I thought that the 'prepare' function would
handle this, and deal with shoving the user name field into the hash
properly. It may be tied to having to add the MGF_SALTED flag. I will
investigate. It may be that since there is no 'real' salt, the prepare is
not able to properly append the $$Uusername data.

Once you added the MGF_SALTED, would this line work?

root:md5_gen(1009)ca6ebcf4d6ed610ef1fb7316f9f415db

or this line, if you use the -format='md5_gen(1009)' on the command line?

root:ca6ebcf4d6ed610ef1fb7316f9f415db

I thought 'both' should work.

>* username2 is used for hash computation.
>* username1 is used for display purpose only, it can even differ from
>username2.
>
>This holds valid as of john-1.7.8-jumbo-6rc2 on Linux x86.

I will look into this. I will see what can be done with your original
format script.

One suggestion is to create your own script number, somewhat higher than
the last one left off in the current generic.conf file. So, you might
start at 1350 or so, for your script number (make it your own 'private'
number range). That way, you would not have issues later, if 1009 ends up
being used. Since there is no 'global' library of generic scripts, we have
to somehow interactively proceed. Now that you have used 1009, it could
easily be added to the official generic.conf file.

NOTE, that any format number over 2000 will not be run in the
"-test -form=md5-gen" (but doing ./john -test -form=md5_gen(2010) WOULD
test that single sub format).

Jim.
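
Added example, not part of the original message and not John the Ripper's own code: a Python sketch of the quoted expression and of the "username1:hash$$Uusername2" input layout, showing that the name after $$U is the one hashed while the leading field is display-only. It assumes unicode() means UTF-16LE without a BOM; the function names and the sample user and password are constructed for illustration.

```python
import hashlib
import hmac

FORMAT_TAG = "md5_gen(1009)"  # sub-format label from the quoted config

def expr_hash(user, password):
    """md5(unicode($u."&".$p)); assumes unicode() is UTF-16LE, no BOM."""
    buf = user.encode("utf-16-le")        # append_userid
    buf += "&".encode("utf-16-le")        # append_input1_from_CONST1
    buf += password.encode("utf-16-le")   # append_keys
    return hashlib.md5(buf).hexdigest()   # crypt

def make_line(display_name, hash_user, password):
    """Build 'username1:hash$$Uusername2' as described in the thread."""
    digest = expr_hash(hash_user, password)
    return f"{display_name}:{FORMAT_TAG}{digest}$$U{hash_user}"

def parse_line(line):
    """Split an input line into (display name, hex digest, hashed username)."""
    display, colon, rest = line.rstrip("\n").partition(":")
    if not colon or not rest.startswith(FORMAT_TAG):
        raise ValueError("expected username:" + FORMAT_TAG + "<hash>$$U<user>")
    digest, marker, hash_user = rest[len(FORMAT_TAG):].partition("$$U")
    if not marker or len(digest) != 32 or not hash_user:
        raise ValueError("missing $$U username or malformed 32-hex digest")
    bytes.fromhex(digest)  # raises ValueError on non-hex characters
    return display, digest.lower(), hash_user

def password_matches(line, candidate):
    """Audit check: does candidate reproduce the stored digest for this line?"""
    _, digest, hash_user = parse_line(line)
    return hmac.compare_digest(expr_hash(hash_user, candidate), digest)

if __name__ == "__main__":
    # Constructed sample: display name differs from the hashed username.
    line = make_line("display-only", "alice", "example-pw")
    print(line)
    print(parse_line(line))
    print(password_matches(line, "example-pw"), password_matches(line, "wrong"))
```

Changing only the leading display field leaves the digest untouched, while changing the name after $$U changes it, which is the behaviour Nicolas describes for username1 and username2.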