Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b18c24a9-3263-88c9-7f63-aaa534643e5d@gmail.com>
Date: Tue, 10 Sep 2019 20:59:32 +1000
From: Marcin Gębarowski <marcing.dev@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: SHA256(XOR(salt+pass, key))

On 9/09/2019 16:09, magnum wrote:
> On 2019-09-07 15:05, Marcin Gębarowski wrote:
>> Looking for help with using john to crack the hashes I got, the 
>> application creates them as follows:
>>
>> SHA256(XOR(salt + pass, key))
>>
>>
>> Salt and key are both 32 bytes long. I have the key. Hashes are stored 
>> in format:
>> base64(salt + hash)
>> but I can easily change that to anything else.
>>
>>
>> The main problem I'm having is the XOR function, which I was unable to 
>> find in dynamic scripts library. Having something like:
>> sha256(xor($s.$p, $key))
>> as dynamic script would definitely solve this...
> 
> So is key like a 2nd (fixed) salt (pepper)? What application is that? 
> I'm sure Jim could add XOR to dynamic compiler format with ease. Can you 
> post a sample or two with known pass and key that we can use as test 
> vectors?
> 
> There's a minor optimization possible - we could save state of SHA256 
> after the first 8 rounds with a given salt, and reuse that for as many 
> password candidates we like.
> 
> magnum
> 

Hi Magnum,
Unfortunately I cannot disclose the name of the application and any 
specifics about it. It's a thick client connecting to a database.
The key, whatever we call it, is used to XOR salt and the password 
(pepper kinda makes sense). I'll go through whole process below.

Credentials:
admin:SecretP@...0rd

Hash (providing both in Base64 and HEX form, the database contains 
Base64 form):
admin:JAdLh0jerQthm2tSrfFYje4/7AGvc8NIhDRNcUZldlk4HBzlWaSxwYH9v68E1O++9IWmH1oLNttA27UtKVbIIA==

or in hex form:
admin:24074B8748DEAD0B619B6B52ADF1588DEE3FEC01AF73C34884344D7146657659381C1CE559A4B1C181FDBFAF04D4EFBEF485A61F5A0B36DB40DBB52D2956C820

If above is translated into admin:salt:hash it turns into (salt is the 
first half of whole hash):
admin:24074B8748DEAD0B619B6B52ADF1588DEE3FEC01AF73C34884344D7146657659:381C1CE559A4B1C181FDBFAF04D4EFBEF485A61F5A0B36DB40DBB52D2956C820

Hardcoded XOR key:
8148e6237b1412fad5ab21c35082363b7d5f7003ae31571e16b4d66ce7cce398


To check the hash the application does the following:

1. Salt value is extracted:

0000h: 24 07 4B 87 48 DE AD 0B 61 9B 6B 52 AD F1 58 8D  $.K‡HÞ­.a›kR­ñX
0010h: EE 3F EC 01 AF 73 C3 48 84 34 4D 71 46 65 76 59  î?ì.¯sÃH„4MqFevY

2. Provided password is appended to it:

0000h: 24 07 4B 87 48 DE AD 0B 61 9B 6B 52 AD F1 58 8D  $.K‡HÞ­.a›kR­ñX
0010h: EE 3F EC 01 AF 73 C3 48 84 34 4D 71 46 65 76 59  î?ì.¯sÃH„4MqFevY
0020h: 53 65 63 72 65 74 50 40 73 73 77 30 72 64        SecretP@...0rd

3. Resulting data is XORed with hardcoded key:

0000h: A5 4F AD A4 33 CA BF F1 B4 30 4A 91 FD 73 6E B6  ¥O­¤3Ê¿ñ´0J‘ýsn¶
0010h: 93 60 9C 02 01 42 94 56 92 80 9B 1D A1 A9 95 C1  “`œ..B”V’€›.¡©•Á
0020h: D2 2D 85 51 1E 60 42 BA A6 D8 56 F3 22 E6        Ò-…Q.`Bº¦ØVó"æ

4. This goes through SHA256 giving:

381c1ce559a4b1c181fdbfaf04d4efbef485a61f5a0b36db40dbb52d2956c820

As can be seen the resulting hashes are the same.

Other credentials and their hashes (same XOR key used):

admin:admin
admin:LS2Y6dg3J6twutTSiKKNKRxwCjTYrUp0pvOxlw4/tahRg+6H0Cjx8uul+yJ3JBTPSow9d0zGz9D/38rlQLAOfw==
admin:2D2D98E9D83727AB70BAD4D288A28D291C700A34D8AD4A74A6F3B1970E3FB5A8:5183EE87D028F1F2EBA5FB22772414CF4A8C3D774CC6CFD0FFDFCAE540B00E7F

user:password
user:cevg02yNV9rG7X+tpOtOquN49D5L3auDKaMfBU0mlDkv7W10xQuTBSSixXrupUnC7XEYMT9HnSn1BQ0Axmiw0A==
user:71EBE0D36C8D57DAC6ED7FADA4EB4EAAE378F43E4BDDAB8329A31F054D269439:2FED6D74C50B930524A2C57AEEA549C2ED7118313F479D29F5050D00C668B0D0

I imagine the dynamic format for cracking these would look something like:

sha256(xor($s.$p, 
$c1)),c1=8148e6237b1412fad5ab21c35082363b7d5f7003ae31571e16b4d66ce7cce398

Please treat above as pseudocode, I'm new to the dynamic formats and not 
aware how HEX data is passed to them. Of course above could be changed into:

sha256(xor($s, $c1).xor($p, 
$c1)),c1=8148e6237b1412fad5ab21c35082363b7d5f7003ae31571e16b4d66ce7cce398

which most likely would do better performance-wise.

Let me know if you have any further questions.


Marcin

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.