Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <54FDDBA1.4010607@openwall.com>
Date: Mon, 09 Mar 2015 20:42:57 +0300
From: Alexander Cherepanov <ch3root@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Crack 7z format

On 2015-03-09 18:40, Kai Zhao wrote:
> 7z_fmt_plug.c:
> https://github.com/loverszhaokai/JohnTheRipper/blob/bleeding-jumbo/src/7z_fmt_plug.c
>
> I want to test 7z format, here are what I think.
>
> 1. Use 7-zip to encrypt a file
> 2. How can I get the password file (like /ect/password and /etc/shadow)

In case of encrypted files (and in some other cases), you have to use 
2john tools bundled with john. For 7-Zip, it's 7z2john.py.

> 3. Is the password file like the format described as 7z_fmt_plug.c ?
>      "$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112
>       $5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac69
>       2c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a3164
>       6ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f
>       9184adafd6b5333fb1"

This a "hash" which embeds everything necessary for cracking. You can 
put it into a file and feed this file to john.

> 4. When I fuzzed a 7z-hash, how could I know the fuzzed hash is valid or
> not ?

I don't think there is a general simple way to do it, you have to look 
into the C code for the format. There are some hints though. It's quite 
common to separate parts of the "hash" with $, and the main part of this 
hash looks like hex.

 > By the valid() function ?

valid() function should ideally accept a hash if and only if it's valid. 
Large part of the task is to improve valid() functions.

> If a fuzzed 7z-hash passes valid() and takes a lot of time
> to crack, how should I
>      judge the fuzzed 7z-hash whether is a wrong format ?

It doesn't matter for now how much time it takes to be cracked, if it is 
cracked at all or if it is cracked incorrectly. That's all important 
questions but they are somewhat separate. Fuzzing (and the corresponding 
GSoC task) are aimed at ensuring that the hash is handled robustly in 
the process -- that all parts of the hash don't overflow any arrays, 
that all necessary variables are initialized etc.

-- 
Alexander Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.