Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 26 Sep 2019 17:18:25 -0400 (EDT)
From: jfoug openwall <jfoug.openwall@....net>
To: john-users@...ts.openwall.com
Subject: Re: Dynamic format & truncate

On 9/26/2019 3:14 PM, Vincent wrote:
> I'd like to create a new dynamic format using truncation but I'm a bit
> confused after checking some examples. Simple example from dynamic.conf:

Truncation works based upon placing a shorter 'flag' for input length. NOTE, if there is no flag, then the default 16 byte input (32 hex) is used.


> - How does this code know that it only needs to compare [0:31] instead of
> [0:39]?

Due to not adding a input length flag. For SHA1 (full width), it requires a

Flag=MGF_INPUT_20_BYTE

flag to be added.    The format you show has no added flag, so the 16 byte default width is used.  NOTE, this is ONLY used for determining which input values to load.
>
> - Is it possible to truncate leading instead of trailing nibbles, e.g. match
> [8:39]?


At the current time, no.  The load looks at the first part of the hash only.   But I can see your point, if dyna did allow different nibbles, then a format like the leaked linked in where there were some hashes which started out with 00000000 (but which were not 0's but the 0's overwrote the actual hash), could have been done in dynamic.

But there was no 'design' to this.  It simply was how the loader was built.  I wrote dynamic to do MD5 hashes (thus the 16 byte default). When I started adding other hashes, I added flags listing the length of the input string.   BUT if the flag was left out, the hash DID work, but simply only looked at X number of bytes.  NOTE, you could create a SHA512 hash, but use 'Flag=MGF_INPUT_20_BYTE'   In that case, it would still perform the script using sha512, BUT it would load 20 byte hashes (40 bytes hex), and would do comparison based upon that length against the completed hashes.


So here is a raw-sha512 format. The first truncates to 20 byte (i.e. first 20 bytes of hash only), the 2nd is full width raw-sha512.  As you can see from the test string, the truncated version only has the first 40 hex characters, but they are identical.  Also, if there is NO MFG_INPUT_xxx_BYTE flag, then 16 byte width is used.

[List.Generic:dynamic_4444]
Expression=sha512($p)  truncated to 20 bytes
Flag=MGF_FLAT_BUFFERS
Flag=MGF_INPUT_20_BYTE
MaxInputLen=110
MaxInputLenX86=110
Func=DynamicFunc__clean_input
Func=DynamicFunc__append_keys
Func=DynamicFunc__SHA512_crypt_input1_to_output1_FINAL
Test=$dynamic_4444$b109f3bbbc244eb82441917ed06d618b9008dd09:password

[List.Generic:dynamic_4445]
Expression=sha512($p)
Flag=MGF_FLAT_BUFFERS
Flag=MGF_INPUT_64_BYTE
MaxInputLen=110
MaxInputLenX86=110
Func=DynamicFunc__clean_input
Func=DynamicFunc__append_keys
Func=DynamicFunc__SHA512_crypt_input1_to_output1_FINAL
Test=$dynamic_4445$b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86:password

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.