Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <262503.4101.qm@web76014.mail.sg1.yahoo.com>
Date: Fri, 25 Jun 2010 04:55:33 +0800 (SGT)
From: kristian <x_astroboyz@...oo.co.id>
To: john-users@...ts.openwall.com
Subject: Re: john the ripper for Kerberos Ticket

Thanks for your reply
I think the cipher text string I put in the file is different with the example in the KRB5_fmt.c file, I got it in the AS_REP packet from wireshark. They're different in length, I see
I use freeBSD operating system which installs (almost all) software by ports, so when I patched john with your patch, and installed it manually with command :
# make clean generic
It's looks like succesfully installed, but when I run "./john" I got this error message :
fopen: /usr/local/share/john/john.ini: No such file or directory

Then I installed it again via ports (after patched ofcourse),but I got this messages when I run john :
Segmentation fault: 11 (core dumped)
Just like before I posted my question to this mailing list
This error looks like a memory problem in freebsd


Kristian W Adi Nugroho
Informatics Engineering of Institut Teknologi Telkom
(+6285222041990)


--- Pada Jum, 25/6/10, Solar Designer <solar@...nwall.com> menulis:

Dari: Solar Designer <solar@...nwall.com>
Judul: Re: [john-users] john the ripper for Kerberos Ticket
Kepada: john-users@...ts.openwall.com
Tanggal: Jumat, 25 Juni, 2010, 1:12 AM

On Mon, Jun 21, 2010 at 10:20:36AM +0800, kristian wrote:
> atom:$krb5$e3649a0c63274f2f20aff89ddc2a1e8f6cac133ef8ebc6a1e28c2ee20336ea4720b437f4e676963192b8231a109656503a8bc3235c41909c28c5ef0de95c07753472ef094e6f33c113d14ee75eb60259e589fc800e695e0bae874e2471958545ee663ba1e74ea397c8b15c127df1d33972e29c7d88e2d9e253dd2a982c67c732a78603945be96061aa80e5c4d8f3fb01aa3bacf35664c94f4441b7f95108ff47592203619aa9bfb8a765f5db52d99e7ccbd3f9b98c1274858be1b67774f1cdb2e5a10322741f4dc23626d3dca408bf19acfc2e8e300b391ff9a19d852e6915163c7150c6e0b3bb2909f571561216bbe97b6160e9575e798ba7c5c4cad8d94f0d217f959446c08327881e36aa5b5ecdf86dc8627d:

The above is not entirely correct, but the code in KRB5_fmt.c was not
robust enough to detect that.  I've just fixed the code (for the next
revision of the jumbo patch).  Anyway, the correct syntax is:

atom:$krb5$atom$ITTELKOM.AC.ID$e3649a0c63274f2f20aff89ddc2a1e8f6cac133ef8ebc6a1e28c2ee20336ea4720b437f4e676963192b8231a109656503a8bc3235c41909c28c5ef0de95c07753472ef094e6f33c113d14ee75eb60259e589fc800e695e0bae874e2471958545ee663ba1e74ea397c8b15c127df1d33972e29c7d88e2d9e253dd2a982c67c732a78603945be96061aa80e5c4d8f3fb01aa3bacf35664c94f4441b7f95108ff47592203619aa9bfb8a765f5db52d99e7ccbd3f9b98c1274858be1b67774f1cdb2e5a10322741f4dc23626d3dca408bf19acfc2e8e300b391ff9a19d852e6915163c7150c6e0b3bb2909f571561216bbe97b6160e9575e798ba7c5c4cad8d94f0d217f959446c08327881e36aa5b5ecdf86dc8627d

This includes the username and the realm (just my guess for it, probably
wrong) in the ciphertext string.  Here are two other examples from the
KRB5_fmt.c file:

test1:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97
test2:$krb5$oskov$ACM.UIUC.EDU$6cba0316d38e31ba028f87394792baade516afdfd8c5a964b6a7677adbad7815d778b297beb238394aa97a4d495adb7c9b7298ba7c2a2062fb6c9a4297f12f83755060f4f58a1ea4c7026df585cdfa02372ad619ab1a4ec617ad23e76d6e37e36268d9aa0abcf83f11fa8092b4328c5e6c577f7ec6f1c1684d9c99a309eee1f5bd764c4158a2cf311cded8794b2de83131c3dc51303d5300e563a2b7a230eac67e85b4593e561bf6b88c77b82c729e7ba7f3d2f99b8dc85b07873e40335aff4647833a87681ee557fbd1ffa1a458a5673d1bd3c1587eceeabaebf4e44c24d9a8ac8c1d89

With these three lines placed in the same file, I get two of three
passwords cracked as follows:

$ ./john -w=w pw-krb5
Loaded 3 password hashes with 3 different salts (Kerberos v5 TGT [krb5 3DES (des3-cbc-sha1)])
p4ssW0rd         (test1)
Nask0Oskov       (test2)
guesses: 2  time: 0:00:00:00 100.00% (ETA: Thu Jun 24 21:53:59 2010)  c/s: 500  trying: Nask0Oskov

$ ./john --show pw-krb5
test1:p4ssW0rd
test2:Nask0Oskov

2 password hashes cracked, 1 left

Yes, I had these known test passwords in the "w" wordlist file.  I was
not able to quickly crack "your" password, perhaps because it is not a
weak one and/or because I did not guess the realm name correctly and/or
because you did not provide the correct username.

While testing this, I identified a memory leak in KRB5_std.c.  I'll have
it fixed in the next jumbo patch update.

I've attached a patch with my code fixes so far.

Please let the list know whether you manage to get things working for
you or not - and provide some detail either way.

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.