|
Message-ID: <20100624181240.GA15434@openwall.com>
Date: Thu, 24 Jun 2010 22:12:40 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: john the ripper for Kerberos Ticket
On Mon, Jun 21, 2010 at 10:20:36AM +0800, kristian wrote:
> atom:$krb5$e3649a0c63274f2f20aff89ddc2a1e8f6cac133ef8ebc6a1e28c2ee20336ea4720b437f4e676963192b8231a109656503a8bc3235c41909c28c5ef0de95c07753472ef094e6f33c113d14ee75eb60259e589fc800e695e0bae874e2471958545ee663ba1e74ea397c8b15c127df1d33972e29c7d88e2d9e253dd2a982c67c732a78603945be96061aa80e5c4d8f3fb01aa3bacf35664c94f4441b7f95108ff47592203619aa9bfb8a765f5db52d99e7ccbd3f9b98c1274858be1b67774f1cdb2e5a10322741f4dc23626d3dca408bf19acfc2e8e300b391ff9a19d852e6915163c7150c6e0b3bb2909f571561216bbe97b6160e9575e798ba7c5c4cad8d94f0d217f959446c08327881e36aa5b5ecdf86dc8627d:
The above is not entirely correct, but the code in KRB5_fmt.c was not
robust enough to detect that. I've just fixed the code (for the next
revision of the jumbo patch). Anyway, the correct syntax is:
atom:$krb5$atom$ITTELKOM.AC.ID$e3649a0c63274f2f20aff89ddc2a1e8f6cac133ef8ebc6a1e28c2ee20336ea4720b437f4e676963192b8231a109656503a8bc3235c41909c28c5ef0de95c07753472ef094e6f33c113d14ee75eb60259e589fc800e695e0bae874e2471958545ee663ba1e74ea397c8b15c127df1d33972e29c7d88e2d9e253dd2a982c67c732a78603945be96061aa80e5c4d8f3fb01aa3bacf35664c94f4441b7f95108ff47592203619aa9bfb8a765f5db52d99e7ccbd3f9b98c1274858be1b67774f1cdb2e5a10322741f4dc23626d3dca408bf19acfc2e8e300b391ff9a19d852e6915163c7150c6e0b3bb2909f571561216bbe97b6160e9575e798ba7c5c4cad8d94f0d217f959446c08327881e36aa5b5ecdf86dc8627d
This includes the username and the realm (just my guess for it, probably
wrong) in the ciphertext string. Here are two other examples from the
KRB5_fmt.c file:
test1:$krb5$oskov$ACM.UIUC.EDU$4730d7249765615d6f3652321c4fb76d09fb9cd06faeb0c31b8737f9fdfcde4bd4259c31cb1dff25df39173b09abdff08373302d99ac09802a290915243d9f0ea0313fdedc7f8d1fae0d9df8f0ee6233818d317f03a72c2e77b480b2bc50d1ca14fba85133ea00e472c50dbc825291e2853bd60a969ddb69dae35b604b34ea2c2265a4ffc72e9fb811da17c7f2887ccb17e2f87cd1f6c28a9afc0c083a9356a9ee2a28d2e4a01fc7ea90cc8836b8e25650c3a1409b811d0bad42a59aa418143291d42d7b1e6cb5b1876a4cc758d721323a762e943f774630385c9faa68df6f3a94422f97
test2:$krb5$oskov$ACM.UIUC.EDU$6cba0316d38e31ba028f87394792baade516afdfd8c5a964b6a7677adbad7815d778b297beb238394aa97a4d495adb7c9b7298ba7c2a2062fb6c9a4297f12f83755060f4f58a1ea4c7026df585cdfa02372ad619ab1a4ec617ad23e76d6e37e36268d9aa0abcf83f11fa8092b4328c5e6c577f7ec6f1c1684d9c99a309eee1f5bd764c4158a2cf311cded8794b2de83131c3dc51303d5300e563a2b7a230eac67e85b4593e561bf6b88c77b82c729e7ba7f3d2f99b8dc85b07873e40335aff4647833a87681ee557fbd1ffa1a458a5673d1bd3c1587eceeabaebf4e44c24d9a8ac8c1d89
With these three lines placed in the same file, I get two of three
passwords cracked as follows:
$ ./john -w=w pw-krb5
Loaded 3 password hashes with 3 different salts (Kerberos v5 TGT [krb5 3DES (des3-cbc-sha1)])
p4ssW0rd (test1)
Nask0Oskov (test2)
guesses: 2 time: 0:00:00:00 100.00% (ETA: Thu Jun 24 21:53:59 2010) c/s: 500 trying: Nask0Oskov
$ ./john --show pw-krb5
test1:p4ssW0rd
test2:Nask0Oskov
2 password hashes cracked, 1 left
Yes, I had these known test passwords in the "w" wordlist file. I was
not able to quickly crack "your" password, perhaps because it is not a
weak one and/or because I did not guess the realm name correctly and/or
because you did not provide the correct username.
While testing this, I identified a memory leak in KRB5_std.c. I'll have
it fixed in the next jumbo patch update.
I've attached a patch with my code fixes so far.
Please let the list know whether you manage to get things working for
you or not - and provide some detail either way.
Thanks,
Alexander
View attachment "john-1.7.6-jumbo-3-krb5-1.diff" of type "text/plain" (3877 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.