Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 29 Dec 2017 14:47:55 -0500
From: "Mark E. Haase" <mehaase@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Cracking MD5 with long, known prefix

At Jim's suggestion, I experimented with treating the prefix as a salt
instead of a mask. Here is an example cookie that is "signed" with the key
"CDEF".

    $ fold -w 70 cookie
    a:5:{s:10:"session_id";s:32:"fb4344763818ee3b3db81a939e08c1f0";s:10:"i
    p_address";s:12:"XX.XXX.XX.20";s:10:"user_agent";s:0:"";s:13:"last_act
    ivity";i:1514573995;s:9:"user_data";s:0:"";}167400e41d785fab9dcdcf10eb
    e7a83a

This cookie is 184 characters long (excluding the hash appended to the
end), which exceeds the Raw-MD5 maximum mask length (55 bytes) as well as
the dynamic format maximum length (Solar Designer says its 110 bytes). But
could it work if I treated it like a salt instead of a mask?

    $ fold -w 70 hashes
    cookie:$dynamic_1017$167400e41d785fab9dcdcf10ebe7a83a$HEX$613a353a7b73
    3a31303a2273657373696f6e5f6964223b733a33323a22666234333434373633383138
    6565336233646238316139333965303863316630223b733a31303a2269705f61646472
    657373223b733a31323a2258582e5858582e58582e3230223b733a31303a2275736572
    5f6167656e74223b733a303a22223b733a31333a226c6173745f616374697669747922
    3b693a313531343537333939353b733a393a22757365725f64617461223b733a303a22
    223b7d

The format md5($s.$p) is known as dynamic_4, but it doesn't allow a salt
that is this long. I noticed that there is another similar format called
"dynamic_1017: md5($s.$p) (long salt)", so I switched to that format. Also
note that my "salt" contains colons in it, so I hex encoded it.

Here's my John session:

    $ john --pot=my.pot --mask='?u?u?u?u' --format=dynamic_1017 hashes
    Using default input encoding: UTF-8
    Loaded 1 password hash (dynamic_1017 [md5($s.$p) (long salt) 128/128
AVX 4x3])
    Warning: no OpenMP support for this hash type, consider --fork=8
    Press 'q' or Ctrl-C to abort, almost any other key for status
    CDEF             (cookie)
    1g 0:00:00:00 DONE (2017-12-29 14:34) 8.333g/s 3094Kp/s 3094Kc/s
3094KC/s CJAF..QROF
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

Wow, it worked! Thanks Jim and Solar Designer for the advice. I've omitted
a lot of details here for the sake of brevity, but I think I might write up
a blog post if anybody is interested.

Cheers,
Mark


On Thu, Dec 14, 2017 at 12:28 PM, jfoug <jfoug@...nwall.net> wrote:

> On 12/14/2017 9:50 AM, Solar Designer wrote:
>
>> On Thu, Dec 14, 2017 at 10:39:10AM -0500, Mark E. Haase wrote:
>>
>>>      Can't set max length larger than 55 for Raw-MD5 format
>>>
>>> My research indicates that 55 is a hard limit for MD5 that cannot be
>>> changed at runtime, and that this limit was chosen for performance
>>> reasons.
>>>
>> Yes.  But with current bleeding-jumbo you can get up to 110 with
>> --format=dynamic='md5($p)'.  Perhaps we should document this somewhere.
>>
>> I'm afraid there's no easy way to go beyond 110 with our current code.
>>
>> Apparently, latest hashcat can go up to 256, so you may try that.
>>
>> Jim, since in this case the prefix is constant, can it possibly be
>> provided as such in the dynamic format specification (I guess yes),
>> and would that possibly not be counted against the 110 characters
>> limit (I guess no)?
>>
>
> Mark,
>
> I think you are viewing this incorrectly. What you have is a salted hash.
> You should be searching ONLY for the password part of the hash, not the
> salt.
>
> What you have is this:
>
> ```
> md5($s.$p)
> ```
>
> In your case, $s is the salt, and it is the serialized php object.
>
> NOW, there will likely be severe limitations to this search, in that the
> serialized object is probably going to be large (> 256 bytes), so this
> would make usage in current john pretty hard to do for all items.  BUT it
> could be made to work for some of these serialized objects that are a
> little shorter.
>
> Can you post any examples (along with the password that cracks them) for
> testing?
>

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.