Message-ID: <3a1aa1c90802042108n4e3f252fq6875903278ebf2e2@mail.gmail.com>
Date: Tue, 5 Feb 2008 10:38:08 +0530
From: "Dhirendra Singh Kholia" <dhiru.kholia@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: NETHALFLM patch
On 2/5/08, Solar Designer <solar@...nwall.com> wrote:
> On Mon, Feb 04, 2008 at 12:06:47PM +0530, Dhirendra Singh Kholia wrote:
> > This patch adds support for cracking first 7 characters of LM response.
>
> Thank you for the contribution!
>
> Unfortunately, something (your webmail service?) has garbled the
> whitespace within the patch. Can you please re-post it by other means -
> e.g., using a regular mail client (SMTP) and with the patch as a
> text/plain attachment? Note that it is important to have MIME type of
> the attachment as text/plain in order for the patch to be readily
> visible in web-based archives of the list.
Sorry for that. I don't have SMTP mail access unfortunately.
I have tried to attach the patch as a text/plain attachment. In case of any issues
can you please pick it up from:
http://dhiru.kholia.googlepages.com/JtR-1.7.2-all9-nethalflm.patch
>
> > + tmp = (char *) mem_alloc(7 + strlen(challenge) + strlen(nethalflm) + 1);
> > + memset(tmp, 0, 7 + strlen(challenge) + strlen(nethalflm) + 1);
> > + sprintf(tmp, "$NETHALFLM$%s$%s", challenge, nethalflm);
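Review bot: the size constant in the mem_alloc() call is wrong for the format string used two lines below: "$NETHALFLM$%s$%s" contributes 12 literal characters ("$NETHALFLM$" is 11, plus the "$" that separates the two fields), so the buffer must be 12 + strlen(challenge) + strlen(nethalflm) + 1, and with 7 the sprintf() writes five bytes past the end of the allocation. The memset() is redundant as well, since sprintf() overwrites every byte it uses and NUL-terminates the result.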
>
> You don't need the memset() and you have a buffer overflow with the
> sprintf() - the constant should be 12, not 7.
Fixed.
>
> > + static char out[TOTAL_LENGTH + 1];
> > +
> > + memset(out, 0, TOTAL_LENGTH + 1);
> > + memcpy(&out, ciphertext, TOTAL_LENGTH);
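Review bot: memcpy(&out, ciphertext, TOTAL_LENGTH) passes a pointer to the whole array rather than to its first element; the address is the same, so it works, but the type is wrong and the idiomatic form is memcpy(out, ciphertext, TOTAL_LENGTH). The memset() of the full buffer is unnecessary because memcpy() fills the first TOTAL_LENGTH bytes; only the terminator needs writing, out[TOTAL_LENGTH] = 0.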
>
> You don't need the memset(), you only need:
>
> out[TOTAL_LENGTH] = 0;
Fixed.
>
> > + memset(password, 0, 7 + 1);
>
> memset() not needed since you use strncpy() below, which NUL-pads.
>
> > + memset(output, 0, 24);
>
> Too large.
Fixed.
> > + strncpy((char *) password, saved_plain, 14);
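Review bot: a length of 14 here overflows password if it is the 7 + 1 byte buffer that the earlier memset(password, 0, 7 + 1) implies, writing up to 7 bytes past its end; since this format only attacks the first 7 characters of the password, the length should be 7.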
>
> Should be 7, not 14.
Fixed.
>
> > + memset(saved_plain, 0, PLAINTEXT_LENGTH + 1);
> > + strncpy(saved_plain, key, PLAINTEXT_LENGTH);
>
> No need for the memset() and for NUL-padding with strncpy() if you also
> use strncpy() on saved_plain later (above), but you do need
> NUL-termination for your get_key() (or you can do it there).
>
Fixed. (I think we can avoid both memset and strncpy and instead use
the loop below for copying ???)
> > + /* Upper-case password */
> > + for(i=0; i<PLAINTEXT_LENGTH; i++)
> > + if ((saved_plain[i] >= 'a') && (saved_plain[i] <= 'z'))
> > saved_plain[i] ^= 0x20;
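Review bot: the loop runs to PLAINTEXT_LENGTH regardless of where the password ends, so it examines (and may flip) bytes past the terminator whenever saved_plain is only NUL-terminated rather than NUL-padded; stop at the first NUL instead, e.g. for (i = 0; saved_plain[i]; i++), which also removes the dependence on the padding behaviour of strncpy() discussed above. The body line saved_plain[i] ^= 0x20; has also lost its leading + and indentation in quoting.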
>
> Should exit the loop on first NUL seen.
Fixed, I hope.
>
> > + FMT_8_BIT | FMT_BS | FMT_SPLIT_UNIFIES_CASE,
>
> FMT_BS is wrong here, it stands for "bitslice".
I really don't have any idea how this piece works. I have just removed
FMT_BS from the new patch.
>
> > + fmt_default_binary_hash,
> > + fmt_default_binary_hash,
> > + fmt_default_binary_hash
>
> That's the special case of loader slowness that I've just mentioned in
> my previous posting...
>
Will read up on that.
> These are just some of the bugs and inefficiencies that I was able to
> spot quickly. Yet I do appreciate contributed patches. :-)
>
> Thanks again,
Thank you Solar Designer for all the comments.
It's an eighth wonder that my patch worked at all. It was horrible, I agree :)
I hope that this version is OK enough.
Still Left:
- Speed fixes by using a better DES implementation (DES bs?)
- Cracking the remaining 7 chars of the password by using bytes 8->16 of the LM response.
(Cain and Abel does this!).
I guess that by prefixing a random byte to the LM hash (first 7
bytes) of the password's 2nd part we can try to do it. Sounds messy
though.
>
> --
> Alexander Peslyak <solar at openwall.com>
> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
> http://www.openwall.com - bringing security into open computing environments
>
> --
> To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
> to the automated confirmation request that will be sent to you.
>
>
--
dsk
Download attachment "JtR-1.7.2-all9-nethalflm.patch" of type "application/octet-stream" (9156 bytes)
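The three buffer-handling corrections discussed in the thread (sizing the "$NETHALFLM$" string from its format, NUL-terminating a fixed copy without a memset(), and upper-casing a key only up to its terminator), written out in C as an added example. This is not code from the patch or from John the Ripper; the function names are hypothetical, and CHALLENGE_LENGTH and RESPONSE_LENGTH are assumed field widths (8 bytes each, as hex) chosen so the example is self-contained.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX "$NETHALFLM$"               /* 11 literal characters */
#define CHALLENGE_LENGTH 16                /* assumed: 8-byte challenge, hex */
#define RESPONSE_LENGTH  16                /* assumed: 8-byte half-response, hex */
#define TOTAL_LENGTH (sizeof(PREFIX) - 1 + CHALLENGE_LENGTH + 1 + RESPONSE_LENGTH)
#define PLAINTEXT_LENGTH 7                 /* only the first LM half is attacked */

/* Build "$NETHALFLM$<challenge>$<response>" in a heap buffer whose size is
 * derived from the format itself: strlen(PREFIX) + 1 literal bytes, the two
 * fields, and the terminating NUL.  No memset() is needed because snprintf()
 * writes every byte it uses and terminates the string. */
char *build_ciphertext(const char *challenge, const char *response)
{
    size_t need = strlen(PREFIX) + strlen(challenge) + 1 + strlen(response) + 1;
    char *tmp = malloc(need);
    int n;

    if (!tmp)
        return NULL;
    n = snprintf(tmp, need, "%s%s$%s", PREFIX, challenge, response);
    if (n < 0 || (size_t)n >= need) {   /* cannot happen with the size above */
        free(tmp);
        return NULL;
    }
    return tmp;
}

/* Copy a ciphertext of known length into a static buffer: memcpy() fills the
 * first TOTAL_LENGTH bytes, so only the terminator has to be written. */
static char out[TOTAL_LENGTH + 1];
const char *split_copy(const char *ciphertext)
{
    memcpy(out, ciphertext, TOTAL_LENGTH);
    out[TOTAL_LENGTH] = 0;
    return out;
}

/* Store a candidate: keep at most PLAINTEXT_LENGTH characters, upper-case
 * a-z while copying, stop at the first NUL, and terminate explicitly. */
static char saved_plain[PLAINTEXT_LENGTH + 1];
const char *set_key(const char *key)
{
    size_t i;

    for (i = 0; i < PLAINTEXT_LENGTH && key[i]; i++) {
        unsigned char c = (unsigned char)key[i];
        saved_plain[i] = (c >= 'a' && c <= 'z') ? (char)(c ^ 0x20) : (char)c;
    }
    saved_plain[i] = 0;
    return saved_plain;
}

/* Runs the three helpers on constructed input; returns 1 if every result is
 * the expected one. */
int self_check(void)
{
    /* Constructed sample values, not real captured traffic. */
    const char *challenge = "0123456789abcdef";
    const char *response  = "fedcba9876543210";
    char *ct = build_ciphertext(challenge, response);
    int ok = ct != NULL
          && strlen(ct) == TOTAL_LENGTH
          && strcmp(ct, "$NETHALFLM$0123456789abcdef$fedcba9876543210") == 0
          && strcmp(split_copy(ct), ct) == 0
          && strcmp(set_key("password!"), "PASSWOR") == 0;
    free(ct);
    return ok;
}

int main(void)
{
    printf("%s\n", self_check() ? "ok" : "FAIL");
    return 0;
}
```

The point of deriving the allocation from strlen(PREFIX) rather than a hand-counted constant is that the two cannot drift apart: the 7-versus-12 mistake in the original patch is exactly what a hand-counted constant invites.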