Message-ID: <5334db437a361b0caa6869cc9ae8089c@smtp.hushmail.com>
Date: Thu, 12 Mar 2020 03:10:16 +0100
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: What format is used to crack a vBulletin hash with a
fixed 30 byte salt?

On 2020-03-11 15:23, Ian Onthax wrote:
> I am trying to use john to crack a vBulletin > 3.8.5 hash, which has a fixed 30 byte salt.
>
> I've been searching and searching, and have tried using format types dynamic_6 and dynamic_7, also dynamic_1007

$ ./john -list=subformats | grep -i vbulletin
UserFormat = dynamic_1007 type = dynamic_1007: md5(md5($p).$s) (vBulletin)

Yeah, should be 1007 but I'm not sure about versions.

> An example of the salt+hash I am trying to crack (changed of course):
> 50cff86a9fe4a3ccbc67e95272321dbe:_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7
>
> I've tried replacing the colon with a percent sign and specifying the percent sign as the field separator, and keeping the colon as is.

Did you read doc/DYNAMIC? In dynamic format, the salt delimiter is $ so
you should probably use:

50cff86a9fe4a3ccbc67e95272321dbe$_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7

Note that the above is the *ciphertext* and within it the $ is the salt
delimiter. We also have a : field delimiter for other fields, like

username:50cff86a9fe4a3ccbc67e95272321dbe$_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7:::username@...mple.com
(...)

If you can preserve at least the login and gecos fields from whatever
data you have, your chance of cracking them is a whole lot better. But I
digress...

The salt might contain nasty characters like ":" or "$" or even tabs or
vertical spaces, so it's safest to convert to hex like so:

echo '_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7' | perl -ne 'chomp; print "HEX\$", unpack("H*", $_), "\n"'
HEX$5f6a262b6a785e757a4a22532a67466e246b2a732926623d26302d7e2337

And the full ciphertext becomes:

50cff86a9fe4a3ccbc67e95272321dbe$HEX$5f6a262b6a785e757a4a22532a67466e246b2a732926623d26302d7e2337

Now, for some reason john doesn't accept that (even with
-bare-always-valid=yes which you should read about in doc/OPTIONS).
Let's check out what Dynamic 1007 can handle:

$ ./john -form:dynamic_1007 --list=format-all-details | grep " size\b"
Binary size 16
Salt size 23

Apparently that format can only take up to 23 characters of salt. Maybe
we have some other dynamic with better capacity?

$ ./john --list=subformats | grep -F 'md5(md5($p).$s)'
Format = dynamic_6 type = dynamic_6: md5(md5($p).$s)
Format = dynamic_16 type = dynamic_16: md5(md5(md5($p).$s).$s2)
UserFormat = dynamic_1007 type = dynamic_1007: md5(md5($p).$s) (vBulletin)
UserFormat = dynamic_2006 type = dynamic_2006: md5(md5($p).$s) (PW > 55 bytes)

$ ./john -form:dynamic_2006 --list=format-all-details | grep "Salt size"
Salt size 64

Bingo!

$ ./john test.in -format:dynamic_2006
Using default input encoding: UTF-8
Loaded 1 password hash (dynamic_2006 [md5(md5($p).$s) (PW > 55 bytes) 256/256 AVX2 8x3])
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
(...)

Cheers,
magnum
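
The conversion walked through in the message above, as an added example (not code from the message or from the John the Ripper project): it rewrites hash:salt lines into the hash$HEX$... ciphertext and picks a format by salt length, using the two salt sizes quoted above. The function names and the input layout are assumptions; vb_hash is a reference md5(md5($p).$s) used only to build a constructed test entry with a known password.

```python
import hashlib

# Salt capacities quoted in the message above (--list=format-all-details).
SALT_LIMITS = [("dynamic_1007", 23), ("dynamic_2006", 64)]
HEX_DIGITS = set("0123456789abcdef")


def vb_hash(password: bytes, salt: bytes) -> str:
    """Reference md5(md5($p).$s); the inner digest is lowercase hex text."""
    inner = hashlib.md5(password).hexdigest().encode("ascii")
    return hashlib.md5(inner + salt).hexdigest()


def to_dynamic(line: str, login: str = ""):
    """Turn one 'hash:salt' line into (format name, john input line)."""
    # Split on the first colon only: the salt itself may contain ':' or '$'.
    digest, sep, salt = line.rstrip("\r\n").partition(":")
    digest = digest.lower()
    if not sep or len(digest) != 32 or not set(digest) <= HEX_DIGITS:
        raise ValueError("expected 32 hex digits, a colon, then the salt")
    raw = salt.encode("utf-8")
    # Pick the first listed format whose salt buffer is large enough.
    fmt = next((n for n, limit in SALT_LIMITS if len(raw) <= limit), None)
    if fmt is None:
        raise ValueError(f"{len(raw)}-byte salt is too long for the listed formats")
    # Hex-encode the salt so no byte in it can be read as a delimiter.
    ciphertext = f"{digest}$HEX${raw.hex()}"
    return fmt, (f"{login}:{ciphertext}" if login else ciphertext)


if __name__ == "__main__":
    # Constructed test account: known password, salt with awkward characters.
    salt = "a:b$c\td"
    sample = vb_hash(b"secret", salt.encode()) + ":" + salt
    page_line = '50cff86a9fe4a3ccbc67e95272321dbe:_j&+jx^uzJ"S*gFn$k*s)&b=&0-~#7'
    for entry in (sample, page_line):
        print(*to_dynamic(entry, login="user"))
```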