Date: Sun, 18 Nov 2012 15:45:21 +0530 From: Dhiru Kholia <dhiru.kholia@...il.com> To: john-users@...ts.openwall.com Subject: Re: cracking passwords with a kerberos traffic dump / aes256-cts-hmac-sha1-96 (18) [MS] On Sun, Nov 18, 2012 at 3:06 PM, magnum <john.magnum@...hmail.com> wrote: > On 18 Nov, 2012, at 9:00 , Dhiru Kholia <dhiru.kholia@...il.com> wrote: >> On Sun, Nov 18, 2012 at 6:59 AM, buawig <buawig@...il.com> wrote: >>>> As in standard Kerberos? It would surprise me a whole lot if >>>> Microsoft do not use the Unicode version of the password, or (even >>>> more likely) the 16 byte NT hash as input just like in mskrb5, as >>>> opposed to the plain string you use now. >>> >>> Ok, this makes it clear why I was not be able to crack it. So the >>> outcome will be a MS specific john format (mskrb5-18). >> >> I don't think that it is necessary to modify krb-ng_fmt_plug.c to >> support M$ AD specifically as M$ AD follows RFC. > > Does the RFC specify how to encode the password? Is the known plaintext string included in the RFC? RFC doesn't mention UTF anywhere it seems . Test vectors are included in https://tools.ietf.org/rfc/rfc3962.txt However [MS-KILE.PDF] document mentions usage of UTF8 to derive AES key. I don't know why and when this method is used. > This is good news but it emphasizes the need for a pcap file showing authentication with a non-ascii password. The only thing I can imagine is that Micro$oft has finally gone clever (wait... can I really imagine that?) and started using UTF-8. I can test a non-ascii with my AD setup (if I am able to figure out how to use non-ascii passwords). -- Cheers, Dhiru
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.