Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Feb 2012 19:59:13 +0400
From: Solar Designer <>
Subject: Re: DES - not "traditional DES-based" - (VNC hash) with JtR

On Sun, Feb 05, 2012 at 01:08:34PM +0100, A BC wrote:
> I'm a new user of this mailing list, because I have a question I don't find
> an answer to : is there a way to use JtR against DES 'hashes', where :
> - you know the data to encrypt (challenge)
> - you know the data when encrypted (challenge response, server side)
> - you search the DES-password that was used to encrypt the data.
> It is a way to authenticate with VNC (
> page 14), which is reputed weak.

We have support for a few things like this in -jumbo, but not for VNC's
specifically.  We'll need to implement that.

If you want to try yourself, you may want to look at these source files
as samples for challenge/response cracking:


> So I search how easily it can be efficiently broken,

According to the PDF you referenced, easier than a Unix crypt(3) password.

> So, I wish to use JtR for its mangling rules, wordlists capabilities, (and
> maybe for its efficiency) but I can't find a way to make it do what I want.
> I have searched in the community resources (,
> in the most useful mailing lists posts (
>, I have searched in
> the direction of "How to use the 'dynamic' format within john"
> (jtr179j5/doc/DYNAMIC.txt) but I did not found what I want "DES($s,$p)", I
> searched in tutorials (, and I
> tried to look at patches (,
> but no keywords matched, nor with our best friend ggl...

We really have no support for VNC's challenge/responses now, and the
"dynamic" feature is currently for MD5 and SHA-1 only.

> I am thinking about how JtR implements its algorithms, but it seems very
> complicated.

It is not - it's just that existing implementations quickly become
complicated when they gain some optimizations.  Besides the files I
referenced above (which already got some "unnecessary" complexity), you
may look at e.g. dummy.c, rawSHA_fmt_plug.c, rawSHA256_fmt.c, and
XSHA_fmt_plug.c for simpler samples.  The last one of these is for a
salted hash type - similar to what you'll need in that aspect (you may
treat the challenge as a salt).  Then proceed with the more relevant
samples referenced above.  Also, read the comments in formats.h.

If you have specific questions on these, please bring them up on the
john-dev list.

> Otherwise, I am think about using JtR to generate the pwd to stdout, which
> I would pipe into a Python soft using PyCrypto, but I don't know if the
> pipes will react well to millions of pwds (will they stack ? will JtR wait
> for the stdout be emptied by the Python script ?).

This is more of an OS (non-)issue than JtR, but in short things will
just work.  The biggest drawbacks of this approach are worse performance
and difficulty of interrupting/restoring sessions from just the right
place (some buffered candidate passwords may be skipped).

> Is there something I missed ? Is there a solution better than another ? I
> can code in C under Win/Linux, Python, ...

You may join us on john-dev and proceed to implement this.

Oh, and please post a test vector or several (sniffed challenge/response
pairs and their corresponding known passwords).

The thing sounds so simple that I might just implement this when I feel
like it - or anyone else can. ;-)



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.