Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20090205204719.GA27384@openwall.com>
Date: Thu, 5 Feb 2009 23:47:19 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Problems with DES valid()?

Joshua,

On Thu, Feb 05, 2009 at 08:25:03AM -0600, Joshua J. Drake wrote:
> It seems that the DES valid() function is improperly marking some
> hashes as invalid...  I'm not 100% sure this is a valid hash, but it
> is the right length and contains the right characters.  I'm currently
> looking at a file with a thousand or so of these hashes. One such hash
> is PSdSQOAjO8IcV.
> 
> Is this hash invalid or is there something wrong with valid()?  If
> it's invalid, why?

This is a 13-character string that uses the correct character set, yet
it can't possibly be produced by the traditional DES-based crypt(3),
because it has one of the unused and "always-zero" bits set.  Those are
part of the last character of the hash encoding.

The corresponding check is this line:

	if (atoi64[ARCH_INDEX(*(pos - 1))] & 3) return 0;

in DES_fmt.c: valid().  This check is indeed correct, no bug there.

If you like, you may try commenting this line out - then JtR will load
your "hashes" - but this is unlikely to result in any of those invalid
hash encodings getting cracked.  Most likely, they're either not hashes
at all or they are not traditional DES-based crypt(3) hashes (but rather
some other unsupported hashes, which happen to use similar encoding).

If you don't mind, please post some info on the system these strings
came from - OS, version, etc.  Does JtR load some percentage of the
"hashes", and is it close to 25%?

Also, if you find out anything further (e.g., if you get any of these
cracked in whatever way), please let the list know.

Thanks,

Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.