Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Mar 2020 03:10:16 +0100
From: magnum <>
Subject: Re: What format is used to crack a vBulletin hash with a
 fixed 30 byte salt?

On 2020-03-11 15:23, Ian Onthax wrote:
> I am trying to use john to crack a vBulletin > 3.8.5 hash, which has a fixed 30 byte salt.
> I've been searching and searching, and have seen tried using format types dynamic_6 and dynamic_7, also dynamic_1007

$ ./john -list=subformats | grep -i vbulletin
UserFormat = dynamic_1007  type = dynamic_1007: md5(md5($p).$s) (vBulletin)

Yeah, should be 1007 but I'm not sure about versions.

> An example of the salt+hash I am trying to crack (changed of course):
> 50cff86a9fe4a3ccbc67e95272321dbe:_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7
> I've tried replacing the colon with a percent sign and specifying the percent sign as the field separator, and keeping the colin as is.

Did you read doc/DYNAMIC? In dynamic format, the salt delimiter is $ so 
you should probably use:

Note that the above is the *ciphertext* and within it the $ is the salt 
delimiter. We also have a : field delimiter for other fields, like


If you can preserve at least the login and gecos fields from whatever 
data you have, your chance of cracking them is a whole lot better. But I 

The salt might contain nasty characters like ":" or "$" or even tabs or 
vertical spaces, so it's safest to convert to hex like so:

echo '_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7' | perl -ne 'chomp; print "HEX\$", 
unpack("H*", $_), "\n"'

And the full ciphertext becomes:

Now, for some reason john doesn't accept that (even with 
-bare-always-valid=yes which you should read about in doc/OPTIONS). 
Let's check out what Dynamic 1007 can handle:

$ ./john -form:dynamic_1007 --list=format-all-details | grep " size\b"
Binary size                          16
Salt size                            23

Apparently that format can only take up to 23 characters of salt. Maybe 
we have some other dynamic with better capacity?

$ ./john --list=subformats | grep -F 'md5(md5($p).$s)'
Format = dynamic_6   type = dynamic_6: md5(md5($p).$s)
Format = dynamic_16  type = dynamic_16: md5(md5(md5($p).$s).$s2)
UserFormat = dynamic_1007  type = dynamic_1007: md5(md5($p).$s) (vBulletin)
UserFormat = dynamic_2006  type = dynamic_2006: md5(md5($p).$s) (PW > 55 

$ ./john -form:dynamic_2006 --list=format-all-details | grep "Salt size"
Salt size                            64


$ ./john -format:dynamic_2006
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_2006 [md5(md5($p).$s) (PW > 55 bytes) 
256/256 AVX2 8x3])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.