Date: Tue, 3 Jan 2012 06:28:39 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: SHA1 with long hash

I was hoping that someone else would respond to this...

On Mon, Dec 26, 2011 at 10:22:19AM +0100, websiteaccess@...il.com wrote:
>  The following hash is salted SHA1 and is not recognized by JTR
> xxx:$dynamic_24$6559af43d62bba45bfdc2089c4f0fac45d710ff4$3f759b9beea496251148051ed62825d6bb552d2

Besides the fact that the salt is long, it also has a non-even number of
hex characters above (39).  Perhaps you made a typo?

Anyhow, yes, it appears that dynamic_24 does not support salts this long.
JimF may want to enhance it.

>  Is it possible to crack SHA1 with a long salt?

You could use the sha1-gen format for now, formatting your hash like this:

$SHA1s$salt$c88e9c67041a74e0357befdff93f87dde0904214

where you'd need to replace "salt" with your actual raw salt (not hex
characters).  So you'd have 20 weird characters there (assuming that
your actual salt was 40 hex characters), and for some other salts this
would not even work at all (as you'd get characters like linefeeds).

...or, more likely, you're mistaken and your salt is actually a string
of 40 characters - that is, the PHP app used sha1() hex output directly
as a salt.  In that case, sha1-gen will just work for you.  Since you
didn't post the actual salt (likely excluding one character from it), I
cannot easily test this hypothesis (not to mention that the specific
password might not be easily crackable).

Alexander
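
An added example, not part of the original message or of John the Ripper: a Python check of the salt field in a `user:$dynamic_24$hash$salt` line that flags the two problems described above (an odd count of hex digits, and raw salt bytes such as linefeeds that cannot be written into a text hash line). The function names and the two constructed sample lines are assumptions made for illustration.

```python
import binascii

# Bytes that cannot sit inside a one-hash-per-line "$tag$salt$hash" text field.
# Linefeed is the case the message names; CR, NUL and '$' are assumptions added
# here because the line format shown uses '$' as its field delimiter.
UNSAFE = {0x0A: "linefeed", 0x0D: "carriage return", 0x00: "NUL", 0x24: "'$' delimiter"}

# Line quoted in the message (39-character salt field).
PAGE_LINE = ("xxx:$dynamic_24$6559af43d62bba45bfdc2089c4f0fac45d710ff4"
             "$3f759b9beea496251148051ed62825d6bb552d2")
# Constructed samples: 40 hex digits decoding to 'A'*19 + linefeed, and to 'A'*20.
LF_LINE = "u1:$dynamic_24$" + "0" * 40 + "$" + "41" * 19 + "0a"
CLEAN_LINE = "u2:$dynamic_24$" + "0" * 40 + "$" + "41" * 20


def _is_hex(s):
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)


def inspect_salt(line):
    """Classify the salt field of a 'user:$dynamic_N$<hash>$<salt>' line."""
    _user, _, rest = line.strip().partition(":")
    parts = rest.split("$")  # expected: ['', 'dynamic_24', hash, salt]
    if len(parts) != 4 or parts[0] != "" or not parts[1].startswith("dynamic_"):
        raise ValueError("not a $dynamic_N$hash$salt line")
    digest, salt = parts[2], parts[3]
    report = {"hash_ok": len(digest) == 40 and _is_hex(digest),
              "salt_len": len(salt), "raw_salt": None,
              "unsafe_raw_bytes": [], "verdict": ""}
    if not _is_hex(salt):
        report["verdict"] = "not hex: salt can only be a literal string"
    elif len(salt) % 2:
        report["verdict"] = "odd number of hex digits: likely truncated or mistyped"
    else:
        raw = binascii.unhexlify(salt)
        report["raw_salt"] = raw
        report["unsafe_raw_bytes"] = sorted({UNSAFE[b] for b in raw if b in UNSAFE})
        report["verdict"] = ("raw bytes unusable in a text line: only the literal reading works"
                             if report["unsafe_raw_bytes"]
                             else "ambiguous: try the literal hex string, then the raw bytes")
    return report


if __name__ == "__main__":
    for sample in (PAGE_LINE, LF_LINE, CLEAN_LINE):
        print(sample.split(":")[0], inspect_salt(sample)["verdict"])
```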
