Message-ID: <AANLkTikrUA7mwrDHzZObG-w475AvoSsNpxCEHRTRQ9gB@mail.gmail.com>
Date: Tue, 8 Mar 2011 14:59:30 -0500
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: how to crack kerberos5 passwords?

Sorry to write again so soon, perhaps you wanted to dump your database and crack the hashes inside?
http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Dumping-a-Kerberos-Database-to-a-File.html#Dumping-a-Kerberos-Database-to-a-File

I'm not sure how MIT stores the hashes and (fingers crossed) the salts, but I bet you can get at them by doing the above. I believe, from reading the documentation, that the users' passwords are made into keys using the master key. So you'd probably have to tell JtR the master key so it could try to encrypt wordlists etc. using the master key to find matches of the user's key.

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#keysalt
> In Kerberos 4, a salt was never used. The password was the only input to the one-way hash function. This has a serious disadvantage; if a user happens to use the same password in two Kerberos realms, a key compromise in one realm would result in a key compromise in the other realm.

Doesn't look like krb4 was salted, just a DES hash? I hope this helps. I also hope someone else writes to set me straight :)
-rich