Date: Thu, 12 Mar 2020 03:10:16 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: What format is used to crack a vBulletin hash with a
 fixed 30 byte salt?

On 2020-03-11 15:23, Ian Onthax wrote:
> I am trying to use john to crack a vBulletin > 3.8.5 hash, which has a fixed 30 byte salt.
> 
> I've been searching and searching, and have seen tried using format types dynamic_6 and dynamic_7, also dynamic_1007

$ ./john -list=subformats | grep -i vbulletin
UserFormat = dynamic_1007  type = dynamic_1007: md5(md5($p).$s) (vBulletin)

Yeah, should be 1007 but I'm not sure about versions.

> An example of the salt+hash I am trying to crack (changed of course):
> 50cff86a9fe4a3ccbc67e95272321dbe:_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7
> 
> I've tried replacing the colon with a percent sign and specifying the percent sign as the field separator, and keeping the colon as is.

Did you read doc/DYNAMIC? In dynamic format, the salt delimiter is $ so 
you should probably use:
50cff86a9fe4a3ccbc67e95272321dbe$_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7

Note that the above is the *ciphertext* and within it the $ is the salt 
delimiter. We also have a : field delimiter for other fields, like

username:50cff86a9fe4a3ccbc67e95272321dbe$_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7:::username@...mple.com 
(...)

If you can preserve at least the login and gecos fields from whatever 
data you have, your chance of cracking them is a whole lot better. But I 
digress...

The salt might contain nasty characters like ":" or "$" or even tabs or 
vertical spaces, so it's safest to convert to hex like so:

echo '_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7' | perl -ne 'chomp; print "HEX\$", unpack("H*", $_), "\n"'
HEX$5f6a262b6a785e757a4a22532a67466e246b2a732926623d26302d7e2337

And the full ciphertext becomes:
50cff86a9fe4a3ccbc67e95272321dbe$HEX$5f6a262b6a785e757a4a22532a67466e246b2a732926623d26302d7e2337

Now, for some reason john doesn't accept that (even with 
-bare-always-valid=yes which you should read about in doc/OPTIONS). 
Let's check out what Dynamic 1007 can handle:

$ ./john -form:dynamic_1007 --list=format-all-details | grep " size\b"
Binary size                          16
Salt size                            23

Apparently that format can only take up to 23 characters of salt. Maybe 
we have some other dynamic with better capacity?

$ ./john --list=subformats | grep -F 'md5(md5($p).$s)'
Format = dynamic_6   type = dynamic_6: md5(md5($p).$s)
Format = dynamic_16  type = dynamic_16: md5(md5(md5($p).$s).$s2)
UserFormat = dynamic_1007  type = dynamic_1007: md5(md5($p).$s) (vBulletin)
UserFormat = dynamic_2006  type = dynamic_2006: md5(md5($p).$s) (PW > 55 bytes)

$ ./john -form:dynamic_2006 --list=format-all-details | grep "Salt size"
Salt size                            64

Bingo!

$ ./john test.in -format:dynamic_2006
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_2006 [md5(md5($p).$s) (PW > 55 bytes) 256/256 AVX2 8x3])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
(...)

Cheers,
magnum
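
The conversion described in the message above, as an added example that is not part of the original post or of John the Ripper itself: it turns a raw `hash:salt` record into the `hash$HEX$...` ciphertext and picks a subformat by the salt sizes quoted above. The function names, the `alice` login and the sample password and salt are constructed for illustration.

```python
import hashlib
import re

# Salt capacities as reported by --list=format-all-details in the message above.
SALT_LIMIT = {"dynamic_1007": 23, "dynamic_2006": 64}
MD5_HEX = re.compile(rb"[0-9a-fA-F]{32}")


def vb_hash(password: bytes, salt: bytes) -> str:
    """md5(md5($p).$s): the inner digest is lowercase hex text, salt appended."""
    inner = hashlib.md5(password).hexdigest().encode("ascii")
    return hashlib.md5(inner + salt).hexdigest()


def pick_format(salt: bytes) -> str:
    """Return the listed subformat with the smallest salt capacity that fits."""
    for name, limit in sorted(SALT_LIMIT.items(), key=lambda kv: kv[1]):
        if len(salt) <= limit:
            return name
    raise ValueError(f"{len(salt)}-byte salt exceeds every listed format")


def to_dynamic(record: bytes, user: bytes = b"") -> tuple[str, str]:
    """Turn one raw 'hash:salt' record into (format, john input line)."""
    # Split on the first ':' only; the salt may itself contain ':' or '$'.
    digest, sep, salt = record.rstrip(b"\r\n").partition(b":")
    if not sep or not salt or not MD5_HEX.fullmatch(digest):
        raise ValueError("expected 32 hex digits, ':' and a non-empty salt")
    # HEX$ encoding keeps delimiters and control bytes out of the ciphertext.
    line = f"{digest.decode('ascii')}$HEX${salt.hex()}"
    if user:
        line = f"{user.decode('utf-8')}:{line}"
    return pick_format(salt), line


if __name__ == "__main__":
    # Constructed sample: made-up password, 30-byte salt containing ':' and '$'.
    salt = b"A:b$" + b"x" * 26
    record = vb_hash(b"constructed-pw", salt).encode("ascii") + b":" + salt
    fmt, line = to_dynamic(record, user=b"alice")
    print(f"--format={fmt}")
    print(line)
```

Records are handled as bytes so the hex matches what the `perl` one-liner produces for the same input.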
