Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 8 Feb 2013 17:09:10 -0600
From: "jfoug" <>
To: <>
Subject: RE: Cracking SHA1 with some knowledge of password

There are going to be limitations within JtR.

I did look at code, and it appears that the x86 (i.e. non SSE) has internal
buffer lengths in dynamic that are PLAINTEXT_LENGTH_X86+96
PLAINTEXT_LENGTH_X86 is set to 124 bytes, and 1 byte needed for NULL.  So,
in theory, you could encrypt strings (internally within dynamic) up to 219
bytes, without crashing JtR.  I just tested with a format that had 80
characters appended, and 110 character prepended.  The length being
encrypted for the password openwall, is 198 bytes, well within this apparent
219 bytes max length in dynamic, but also well past JtR's 125 byte password
length.  Now, the password was really only 8 bytes long (openwall).  The
constants took up the other 190 bytes.  With this 190 byte 'const', dynamic
can only handle passwords up to 29 bytes.

Here is this format. It also shows how to force dynamic to fall back to
OpenSSL, and NOT use SSE.


And here shows building this test hash, and test runs of the 1050, and 1051
types (to see the difference in speed).

$ echo -n
34567890123456789012345678901234567890123456789" | sha1sum
546de0d2e256cb51f96a06ff54a08994f95da5d9 *-

$ ./john -test=5 -form=dynamic_1051
Benchmarking: dynamic_1051 xxxSHA1($p)yyy [32/32 128x1]... DONE
Raw:    1701K c/s real, 1701K c/s virtual

$ ./john -test=5 -form=dynamic_1050
Benchmarking: dynamic_1050 xxxSHA1($p)yyy [128/128 SSE2 10x4]... DONE
Raw:    5602K c/s real, 5601K c/s virtual

From: Lex Par [] 
>Theoretically, if I were to create a function the pads an input (ie
>password) with 120 bytes, then hashes the 120+password input to produce the
hash, this would not be crackable via the 128 byte limit (since our hard
limit not using the optimizations is somewhere in the 90~)?

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.