Date: Tue, 27 Mar 2012 22:20:03 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com
Subject: Re: EPiServer hashes


On Tue, 2012-03-27 at 12:21 +0200, Per Thorsheim wrote:
> On Tue, 2012-03-27 at 11:27 +0400, Solar Designer wrote:
> > Hi,
> > 
> > This thread was referenced in tweets CC'ed to @Openwall:
> > 
> > http://hashcat.net/forum/thread-987-post-5151.html#pid5151
> > 
> > Maybe our EPiServer format is wrong or out of date.
> > 
> > Per - what's the status on this?  Does JtR work right for your hashes?
> > Does any change in JtR need to be made?
> > 
> > Alexander

Updated status:
Twitter/@...adel came to the rescue, revealing that the standard hash
format used by EPiServer - or Microsoft .NET to be exact - is sha1(salt |
utf16bytes(secret)). @hashcat has updated the forum thread with example
code that works against default config.

@klingsen provided an interesting sidenote: with .NET 4 it defaults to
sha256.

I presume EPiServer will, if they haven't got it already, create a guide
for their customers on how to improve the default security provided
by .NET. After all, .NET does have PBKDF2 support (raise your hands if
you know somebody who uses it!)

Given the different types of encryption and hash algorithms supported
by .NET, there are more possibilities for jumbo patches for JtR. :-)


Best regards,
Per Thorsheim
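
The hash construction reported above, sha1(salt | utf16bytes(secret)), next to the PBKDF2 alternative the message mentions, with a rehash-on-login path between them. This is an added example, not part of the original message and not JtR, hashcat or EPiServer code. It assumes UTF-16 little-endian without a BOM and base64 storage of salt and hash; the record layout, function names, sample values and iteration count are constructed for illustration.

```python
import base64, hashlib, hmac, os

PBKDF2_ITERATIONS = 200_000  # illustrative work factor, not a value from the thread

def dotnet_hash(password, salt_b64, algo="sha1"):
    """Legacy format: algo(salt | utf16bytes(password)), base64-encoded.
    Assumed: UTF-16LE without BOM, salt and hash stored as base64."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.new(algo, salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def verify_legacy(password, salt_b64, stored_b64, algo="sha1"):
    # A single hash invocation per check; result compared in constant time.
    return hmac.compare_digest(dotnet_hash(password, salt_b64, algo), stored_b64)

def pbkdf2_record(password, iterations=PBKDF2_ITERATIONS):
    # Fresh random salt plus an iterated HMAC, so each check costs many hashes.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": base64.b64encode(salt).decode("ascii"),
            "hash": base64.b64encode(dk).decode("ascii")}

def verify_pbkdf2(password, rec):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(dk, base64.b64decode(rec["hash"]))

def login_and_upgrade(password, user):
    """Return (ok, record). A successful login against a legacy record
    ("sha1" or "sha256" scheme) yields a PBKDF2 record to store instead."""
    if user["scheme"] == "pbkdf2-sha256":
        return verify_pbkdf2(password, user), user
    ok = verify_legacy(password, user["salt"], user["hash"], user["scheme"])
    return ok, (pbkdf2_record(password) if ok else user)

# Constructed sample record (hypothetical layout, not real data).
SAMPLE_SALT = base64.b64encode(b"constructed-salt").decode("ascii")
SAMPLE_USER = {"scheme": "sha1", "salt": SAMPLE_SALT,
               "hash": dotnet_hash("correct horse", SAMPLE_SALT)}

if __name__ == "__main__":
    ok, upgraded = login_and_upgrade("correct horse", SAMPLE_USER)
    print(ok, upgraded["scheme"], upgraded["iterations"])
```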



