Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <BLU0-SMTP99EBB00E82F6DB9507AD83FD140@phx.gbl>
Date: Thu, 24 Jan 2013 12:15:07 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: PDF format incompatibility (jumbo-7 vs. jumbo-8)

I prepared 2 test files, obne freom the jumbo-7 pdf tst cases, one from
the jumbo-8 test cases (both attached).

I also built a john binary based on the jumbo-7 version (john-j7) and
one based on latest git (john-j8).

Tests start with an empty john.pot.

$ ./john-j7 pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 RC4 [32/64])
WHATwhatWHERE?   (WHATwhatWHERE?)
July2099         (July2099)
38r285a9         (38r285a9)
test             (test)
guesses: 4  time: 0:00:00:00 DONE (Thu Jan 24 11:57:46 2013)  c/s: 21.05
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ ./john-j8 -show pdf-test7
test:test
July2099:July2099
WHATwhatWHERE?:WHATwhatWHERE?
38r285a9:38r285a9

4 password hashes cracked, 0 left

$ ./john-j8 --format=pdf -show pdf-test7
test:test
July2099:July2099
WHATwhatWHERE?:WHATwhatWHERE?
38r285a9:38r285a9

4 password hashes cracked, 0 left

$ ./john-j8 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
No password hashes left to crack (see FAQ)


$ rm john.pot
$ ./john-j8 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
guesses: 0  time: 0:00:00:00 21.44% (1) (ETA: Thu Jan 24 12:00:38 2013)
 c/s: 1626  trying: 38R285A97
guesses: 0  time: 0:00:00:01 54.25% (1) (ETA: Thu Jan 24 12:00:39 2013)
 c/s: 1815  trying: 38r285a993
guesses: 0  time: 0:00:00:03 74.30% (1) (ETA: Thu Jan 24 12:00:41 2013)
 c/s: 1818  trying: 38r285a941
guesses: 0  time: 0:00:00:04 98.33% (1) (ETA: Thu Jan 24 12:00:41 2013)
 c/s: 1877  trying: 38r285a91918
guesses: 0  time: 0:00:00:05 0.10% (2) (ETA: Thu Jan 24 13:23:58 2013)
c/s: 1426  trying: stephen
guesses: 0  time: 0:00:00:07 0.16% (2) (ETA: Thu Jan 24 13:13:32 2013)
c/s: 1296  trying: flamingo
guesses: 0  time: 0:00:00:08 0.22% (2) (ETA: Thu Jan 24 13:01:13 2013)
c/s: 1200  trying: boston
guesses: 0  time: 0:00:00:09 0.29% (2) (ETA: Thu Jan 24 12:52:20 2013)
c/s: 1125  trying: moroni
guesses: 0  time: 0:00:00:09 0.35% (2) (ETA: Thu Jan 24 12:43:29 2013)
c/s: 1066  trying: anita
guesses: 0  time: 0:00:00:13 0.58% (2) (ETA: Thu Jan 24 12:37:59 2013)
c/s: 897  trying: andrew1
Session aborted

Apparently, pfd format considered these hashes as valid, but missed to
crack them using single mode.

Now, let's use jumbo-7 again to insert these into the pot file:

$ ./john-j7 --format=pdf pdf-test7
Loaded 4 password hashes with 4 different salts (PDF MD5 RC4 [32/64])
WHATwhatWHERE?   (WHATwhatWHERE?)
July2099         (July2099)
38r285a9         (38r285a9)
test             (test)
guesses: 4  time: 0:00:00:00 DONE (Thu Jan 24 12:02:16 2013)  c/s: 20.00
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ ./john-j8 --show pdf-test8
0 password hashes cracked, 5 left
$ ./john-j8 pdf-test8
Loaded 5 password hashes with 5 different salts (PDF MD5 SHA-2 RC4 / AES
[32/64])
openwall         (openwall)
testpassword     (testpassword)
openwall         (openwall)
testpassword     (testpassword)
test             (test)
guesses: 5  time: 0:00:00:00 DONE (Thu Jan 24 12:04:05 2013)  c/s: 22.72
 trying: test
Use the "--show" option to display all of the cracked passwords reliably

$ grep 289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f
john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test

$ grep 34b1b6e593787af681a9b63fa8bf563b john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test

$ grep badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f
john.pot
$pdf$Standard*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*16*34b1b6e593787af681a9b63fa8bf563b*1*1*0*1*4*128*-4*3*2:test
$pdf$2*3*128*-4*1*16*34b1b6e593787af681a9b63fa8bf563b*32*289ece9b5ce451a5d7064693dab3badf101112131415161718191a1b1c1d1e1f*32*badad1e86442699427116d3e5d5271bc80a27814fc5e80f815efeef839354c5f:test


Jumbo-8 doesn't recognize the hashes which were stored in john.pot by
jumbo-7.
IMHO, jumbo-8 needs a prepare() function which converts the
$pdf$Standard* hashes into the format expected by the jumbo-8 valid().

Furthermore, the jumbo-8 valid() needs to be improved.
I.e., without a prepare() which converts the jumbo-7 hashes, the jumbo-8
version should have rejected them as invalid.
(After s/:$pdf$Standard/:$pdf$St/, jumbo-8 still treats the hashes as
valid, but it shouldn't.)

Frank

View attachment "pdf-test7" of type "text/plain" (851 bytes)

View attachment "pdf-test8" of type "text/plain" (2047 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.