Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Dec 2017 10:39:10 -0500
From: "Mark E. Haase" <>
Subject: Cracking MD5 with long, known prefix

Hey all,

I have a cookie created by the Code Igniter web framework[1] that looks
like this (wrapped for readability):

(Macintosh; In
    tel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko)
    2.94 Safari/537.36";s:13:"last_activity";i:1512923530;}

The cookie contains a serialized PHP object with an MD5 hash appended to
it. The hash is computed as follows:

    $hash =  md5($obj . $key)

Where `$obj` is the serialized object and `$key` is a secret. This hash is
verified before unserializing the object. I want to try cracking `$key`,
but I am not sure if this is even possible with John The Ripper. I tried
both mask attack and hybrid mask. The former doesn't produce an error but
silently fails to recover the key. The latter produces this error about
exceeding the maximum length for MD5 (wrapped for readability):

    $ john --mask='a:4:{s:10:"session_id";s:32:"
    (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like
Gecko) C
    hrome/62.0.3202.94 Safari/537.36";s:13:"last_
    -w=/usr/share/dict/rockyou.txt --max-length=191 --format=Raw-MD5 hashes
    Can't set max length larger than 55 for Raw-MD5 format

My research indicates that 55 is a hard limit for MD5 that cannot be
changed at runtime, and that this limit was chosen for performance reasons.
Is it possible to compile John with a long limit (expecting a major drop in
performance) or is this simply not possible at all?



Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.