Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 27 Feb 2011 20:50:34 -0600
From: "jfoug" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: RE: md5_gen(0) broken for ages?

>> 2. This will likely only work for non-salted hashes, due to how md5_gen
>> requires the salt to be placed.
>
>Well if you know a salt, you would of course prepare the file (but only 
>once!) so the salt part is correct for md5-gen:.
>
>user:b065775a4631811715c2b83163b921a0$salt:::
>
>So it's "half-prepared" for md5_gen but it doesn't say which subformat 
>we want. Then you just try subformats using the command-line option - of 
>course picking those with one salt, as well as formats like 
>md5($u.md5($p).$s).
>
>Hopefully this will be OK with the implementation you have in mind.

The above would work for salted hashes.  At this time, there is no 
code working in md5-gen that works for the $u (username). There are 2
saltes possible.   The hash format for 2 saltes is:

md5-gen(num)hhhhhhhhhhh$salt$$2salt2

So salt begins with (but does not include) a $ char, at the 'proper' offset,
and the salt2 starts with $$2 (but does not include it), and is appended to
the first salt.  

A person can make a md5-gen format that is salted with a user_id, by using
the salt and salt2 format, so at least it 'is' doable at this time.  I
simply
have not figured out exactly how to properly pull the userid when it is
required, to get it working with md5-gen.  Likely it will need to be pulled
during the 'salt()' function, and incorporated into the salt that john would
be working with.  Then when john tells md5-gen to use a salt, the salt would
be in there, an 2nd salt (if there is one), would be there, and the proper
userid would be there, also, and be able to be properly used to perform 
the encryptions.  But so far, I have not implemented the $u

Jim.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.