Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <BLU0-SMTP1082157DA021B7BBEF79E0DFD9C0@phx.gbl>
Date: Sun, 2 Jun 2013 13:29:29 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: unable to crack previously cracked oracle hashes (unstable and bleeding)

I just wanted to experiment with the contest hashes and realized that
neither bleeding-jumbo (fetched during contest) nor latest
unstable-jumbo seem to work, even when using hashes that have been
cracked by us during the contest.

$ LC_ALL=C grep -c "^O[$]" john.pot
347

LC_ALL=C grep "^O[$]" john.pot > oracle.pot

$ ./john --pot=oracle.pot --show /home/fd/contest/hashes-canon/2.oracle.pw
0 password hashes cracked, 373 left

$ cut -d: -f 2- oracle.pot > oracle.txt
$ head -n 2 oracle.txt
HELIUMHELIUM12345
ARGONARGON12345

$ ./john ./john --wordlist=oracle.txt
/home/fd/contest/hashes-canon/2.oracle.pw
Loaded 373 password hashes with 373 different salts (Oracle 10 DES [32/64])
guesses: 0  time: 0:00:00:01 DONE (Sun Jun  2 13:07:23 2013)  c/s: 76135
 trying: {POTASSIUM'


But when I change

are.j:O$are.j#3489F74EADA123B3
anders.lindahl:O$anders.lindahl#26D17F9F921F59CF


to

are.j:3489F74EADA123B3
anders.lindahl:26D17F9F921F59CF

i.e., if I remove the user name ans # after the colon,

I can crack these hashes again, but have to specify --format=oracle to
load the hashes in the correct format.

$ ./john --wordlist=oracle.txt 2.oracle.pw --format=oracle
Loaded 373 password hashes with 373 different salts (Oracle 10 DES [32/64])
...
&PHOSPHORUS}     (c_elmroth)
{POTASSIUM'      (c_granewald)
guesses: 347  time: 0:00:00:07 DONE (Sun Jun  2 13:17:14 2013)  c/s:
9119  trying: {POTASSIUM'

$ ./john --show 2.oracle.pw --format=oracle |tail -n 3
anders.holt:#MUILLYREB

347 password hashes cracked, 26 left

(Without --format=oracle, the hashes would be treated as mysql hashes,
so the matching oracle hashes wouldn't be found in the pot file.)


So the problem is:
If the user name is already "included" in the hash, john identifies
these hashes as oracle hashes, but is unable to crack them.
John is also unable to correctly match hashes found in the pot file and
hashes to be loaded.

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.