Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 29 Dec 2017 14:47:55 -0500
From: "Mark E. Haase" <>
Subject: Re: Cracking MD5 with long, known prefix

At Jim's suggestion, I experimented with treating the prefix as a salt
instead of a mask. Here is an example cookie that is "signed" with the key

    $ fold -w 70 cookie

This cookie is 184 characters long (excluding the hash appended to the
end), which exceeds the Raw-MD5 maximum mask length (55 bytes) as well as
the dynamic format maximum length (Solar Designer says its 110 bytes). But
could it work if I treated it like a salt instead of a mask?

    $ fold -w 70 hashes

The format md5($s.$p) is known as dynamic_4, but it doesn't allow a salt
that is this long. I noticed that there is another similar format called
"dynamic_1017: md5($s.$p) (long salt)", so I switched to that format. Also
note that my "salt" contains colons in it, so I hex encoded it.

Here's my John session:

    $ john --pot=my.pot --mask='?u?u?u?u' --format=dynamic_1017 hashes
    Using default input encoding: UTF-8
    Loaded 1 password hash (dynamic_1017 [md5($s.$p) (long salt) 128/128
AVX 4x3])
    Warning: no OpenMP support for this hash type, consider --fork=8
    Press 'q' or Ctrl-C to abort, almost any other key for status
    CDEF             (cookie)
    1g 0:00:00:00 DONE (2017-12-29 14:34) 8.333g/s 3094Kp/s 3094Kc/s
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

Wow, it worked! Thanks Jim and Solar Designer for the advice. I've omitted
a lot of details here for the sake of brevity, but I think I might write up
a blog post if anybody is interested.


On Thu, Dec 14, 2017 at 12:28 PM, jfoug <> wrote:

> On 12/14/2017 9:50 AM, Solar Designer wrote:
>> On Thu, Dec 14, 2017 at 10:39:10AM -0500, Mark E. Haase wrote:
>>>      Can't set max length larger than 55 for Raw-MD5 format
>>> My research indicates that 55 is a hard limit for MD5 that cannot be
>>> changed at runtime, and that this limit was chosen for performance
>>> reasons.
>> Yes.  But with current bleeding-jumbo you can get up to 110 with
>> --format=dynamic='md5($p)'.  Perhaps we should document this somewhere.
>> I'm afraid there's no easy way to go beyond 110 with our current code.
>> Apparently, latest hashcat can go up to 256, so you may try that.
>> Jim, since in this case the prefix is constant, can it possibly be
>> provided as such in the dynamic format specification (I guess yes),
>> and would that possibly not be counted against the 110 characters
>> limit (I guess no)?
> Mark,
> I think you are viewing this incorrectly. What you have is a salted hash.
> You should be searching ONLY for the password part of the hash, not the
> salt.
> What you have is this:
> ```
> md5($s.$p)
> ```
> In your case, $s is the salt, and it is the serialized php object.
> NOW, there will likely be severe limitations to this search, in that the
> serialized object is probably going to be large (> 256 bytes), so this
> would make usage in current john pretty hard to do for all items.  BUT it
> could be made to work for some of these serialized objects that are a
> little shorter.
> Can you post any examples (along with the password that cracks them) for
> testing?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.