Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 21 Oct 2019 20:31:55 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: How to increase Max Length? / Very long passwords

On 2019-10-21 14:43, Sebastian Hudson wrote:
> Hi, so I’m aware that what I’m trying to do might actually be impossible but I still want to try and find a way because it’s just for fun so why not.
> I hope I can explain this all well.
> 
> I’m trying to crack an sha256 hash, but the password itself is an sha256 hash.
> For example:
> If the hash is e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9
> then the actually password would be 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.

This is not terribly weird if the target has is actually something like 
sha256(sha256(password)), and then you'd attack it like that (with 
human-generated words as input) but if it's not, it *is* terribly weird.

> The main problem I’ve come across is just the length of it. Prince mode won’t try to crack anything with a Max Length of 32 and Markov won’t try anything over 30.
> Is there a way to change the Max Length to more?

This approach is so terribly flawed I'm not sure where to start explaining.

> The reason I tried to use prince was I made a wordlist that broke up the permutations into groups of 8. Eg: aab3d7ef. If I could get it to try every combination of 8 of these (8x8=64) randomly then maybe it would just stumble on the password.

This one too.

You might want to read up on "cryptographic hash function" (try google 
or wikipedia). Pay attention to keywords like "avalanche".

> Ideally I think if there was a way to just keep hashing the last attempt over and over it might stumbled on the password too. Eg: if it tried
> e0bc614e4fd035a488619799853b075143deea596c477b8dc077e309c0fe42e9
> then
> d6a804981ea7ce374acc21c9a8bf82f50b684b0ea4bdf8b26a7a775291aaf7a6
> then
> ad376767fc04814220cc25c79b2777cd14704f23f1830318b5bd9eb97e4fedf6
> 
> perhaps that would be quicker?

Errr... but what would be your starting point (for generating that first 
hash)? In case you are attacking something like 
sha256(sha256(sha256(sha256((...)passphrase)))) it might be a good way, 
but only if the actual original password was based on a human generated 
string and you just don't know how many iterations of sha256 was used.

Good luck with this ;-)
magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.