[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 20 Jun 2010 01:30:08 -0400
From: "Robert Harris" <rs904c@...scape.net>
To: <john-users@...ts.openwall.com>
Subject: Issues with JtR auditing Solaris 10 Sha512 alogirthm passwords
John User community,
I seem to be having trouble running an audit on a Solaris 10 system running
passwords that are hashed with the SHA512 algorithm. (and Ubunto as well
with a version I compile).
I don't know if the following has anything to do with the issues I'm having,
but I'll explain. The way Sun originally implemented SHA512 on Solaris
systems was flawed. There are patches in order to make this work better.
Here is a little history:
A system without patch 140906-01 (i386) or 140905-01 (Sparc):
After a user changes their password, they can no longer log in with their
password.
{The shadow file show the password as a type $6$}
A system with patch 140906-01 (i386) or 140905-01 (Solaris):
(This is the 1st version of this patch, which came out in May 2009)
After a user changes their password, they can login successfully.
{The shadow file show the password as a type $6$}
John the ripper does not recognize the hash.
A system with patch 140906-02 (i386) or 140905-02 (Solaris)
(This is the 2nd version of this patch, which came out in May 2010):
Same as above.
After a user changes their password, they can login successfully.
{The shadow file show the password as a type $6$}
John the ripper does not recognize the hash.
I'm using the latest version of JtR (john-1.7.6-jumbo-3), running on
windows. I compiled it for cygwin, all thre choices mmx,sse, and any.
Here is a unshadow file, called server1, its contents is from a Solaris 10
x86 system with patch 140906-01:
test:$6$MDZEL9CQ$ZentsLbLWphRB2./B0xKv1vWPY9IBknYrcD.3SlY5RamKsnzlCSC4ImT3KW
Y8rXMbodbFA9wDrlf51DT3HgoW1:102:14::/home/test:/bin/sh
JtR Results:
C:\apps\pw>C:\apps\john-1.7.6-jumbo-3-win32\run\john server1
No password hashes loaded
Here is a unshadow file, called server1, its contents is from a Solaris 10
x86 system with patch 140906-02:
test:$6$dofn/L59$nygYCacync7RzPfYjWZ1OO6b8MZDETUzYP2SbJD0PPqXDjQ3caVlR8/O6G2
DSMh.6X0Dzwre86QPifkEU22dW/:102:14::/home/test:/bin/sh
Results:
C:\apps\pw>C:\apps\john-1.7.6-jumbo-3-win32\run\john server1
No password hashes loaded
So, I'm wondering at this point if Sun/Oracle is still doing something wrong
with their implementation of SHA256 and Sha512, since John the Ripper can't
load the hashes it produces. Or perhaps JtR needs a special mode to do
Solaris Sha512 and/or Sha256?
Attached is a PDF document the Sun/Oracle wrote about this latest patch.
I then, ran on Windows, with a password type $6$ that came from an Ubuntu
system, it did NOT get good results there either.
root@...ntu:/etc# uname -a
Linux ubuntu 2.6.28-15-generic #52-Ubuntu SMP Wed Sep 9 10:49:34 UTC 2009
i686 GNU/Linux
Content to be cracked.
robert:$6$U4dzp4gvMho3$hAUA8cpTUdHnNjuMFUtiXzd0NL85RMNihshXdks/7LD5zDVseUawK
1JIotk5JVZoyacpHy.Vuja0b9GD2gZ0J.:14527:0:99999:7:::
C:\apps\pw>C:\apps\john-1.7.6-jumbo-3-win32\run\john_sse ubuntu
No password hashes loaded
I switch to john-1.7.6 without any patches (I compiled it) and got the same
results.
Also, attached are password files server1 and ubuntu.
So, maybe I'm doing something wrong when compiling it!?
Do you guys get the same results? Help.
Thank you
P.S. All the passwords are "password" in this document
-Robert Harris
Content of type "text/html" skipped
Download attachment "SHA256 and SHA512 patch for Sparc and Intel Sun Solaris information.pdf" of type "application/pdf" (39436 bytes)
Download attachment "ubuntu" of type "application/octet-stream" (130 bytes)
Download attachment "server1" of type "application/octet-stream" (132 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
