Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <EEA789E1F5AF421BBD4A83E8E09DD2F3@D9VGLK61>
Date: Tue, 16 Aug 2011 08:58:49 -0500
From: "JimF" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: Re: Vbulletin hashes with more than 3 chars salt

Those will not work in a SSE2 build of john.  You can not build a string 
longer than 55 bytes in a single MD5 limb, and the above go quite a bit past 
that level.

If you want to crack these in a SSE2 build of john, add this to your 
john.conf.  This will add the flag MGF_NOTSSE32Safe.  It will force non-sse2 
processing, which should not have the length limitations (but will run 
slower).

####################################################################
# VB with long salt
####################################################################
[List.Generic:md5_gen(1100)]
Expression=md5_gen(1100) md5(md5($p).$s) [VB big salt]
# Flag needed here, is Salt.  There is no 'fixed' saltlen.
Flag=MGF_SALTED
Flag=MGF_KEYS_BASE16_IN1
Flag=MGF_NOTSSE2Safe
Flag=MGF_ColonNOTValid
# here is the optimized 'script' to perform the md5 8 times on itself.
Func=MD5GenBaseFunc__set_input_len_32
Func=MD5GenBaseFunc__append_salt
Func=MD5GenBaseFunc__crypt
Test=md5_gen(1100)3a9ae23758f05da1fe539e55a096b03b$S111XB test1

Then using -fie=" "   (john -fie=" " vb.in)

make this file.

1 
md5_gen(1100)671347ef2477b0de65b7d3090b74271f$m;O`bs]j+tl~U4+$j+Gto=YK=*g-:d
2 
md5_gen(1100)d726d8405f5e38a6452aff9e7378b4d6$>b&y/g6WDVdb:vqD[NKY7v.+&o<6#
3 
md5_gen(1100)83d1994655d58be430bfa96b1e816284$enp)t1yev,ly=R"7\>X<;0*.5+#p$j
4 
md5_gen(1100)a75604023723df61b7288380eeb9e9c4$#1:RWakb|;8!eWMqhh@...m4[UtE_E
5 
md5_gen(1100)4967093e7eb764f8652512624cf40935$@n6)`#;AVg/!^s?w_[}*Lf?")Yl?^_
6 
md5_gen(1100)ad05d8e1ae087239b366e76834f93dd9$|:yoL3L%CM@%"bb.K(7rE~>0d(4Xy%
7 
md5_gen(1100)6e36748b726aa206c3d28b8213a45f39$Fp{~P3;3d4.\u(x0jiI)cl#Gr7uo,Z
8 
md5_gen(1100)e89d6004a9633802b1a55117aee866cc$*XK4@...vuP-x29y)1emOa:QpO*"bv

I believe this should crack your data.  However, this was put together on an 
old laptop, that is not current, and that I can not debug from, so I am not 
100% sure things are correct.  I simply took the existing md5_gen(6) and put 
it into the john.conf scripting format, and added the non-sse flag, and the 
colon-not-valid.  I 'think' it works (well it passes the self test at 
least).

NOTE, the md5_gen(6) has 2 different scripts.  The one here is NOT safe to 
use in a big endian system.

Jim.

----- Original Message ----- 
From: "firstname lastname" <psykosonik_frequenz@...oo.com>
To: <john-users@...ts.openwall.com>
Sent: Tuesday, August 16, 2011 7:01 AM
Subject: [john-users] Vbulletin hashes with more than 3 chars salt


> Hi All,
>
> I want to know if there's a possibility to crack VBulletin hashes with 
> more than 3 char salt.
>
> I can use JTR to successfully crack VB hashes with a 3 char salt.
>
> From what I know, md5_gen(6) doesn't check for the salt length while 
> cracking. However, it doesn't work with salt lengths greater than 3 
> either.
>
> Some example hashes:
>
> 671347ef2477b0de65b7d3090b74271f:m;O`bs]j+tl~U4+$j+Gto=YK=*g-:d
> d726d8405f5e38a6452aff9e7378b4d6:>b&y/g6WDVdb:vqD[NKY7v.+&o<6#
> 83d1994655d58be430bfa96b1e816284:enp)t1yev,ly=R"7\>X<;0*.5+#p$j
> a75604023723df61b7288380eeb9e9c4:#1:RWakb|;8!eWMqhh@...m4[UtE_E
> 4967093e7eb764f8652512624cf40935:@n6)`#;AVg/!^s?w_[}*Lf?")Yl?^_
> ad05d8e1ae087239b366e76834f93dd9:|:yoL3L%CM@%"bb.K(7rE~>0d(4Xy%
> 6e36748b726aa206c3d28b8213a45f39:Fp{~P3;3d4.\u(x0jiI)cl#Gr7uo,Z
> e89d6004a9633802b1a55117aee866cc:*XK4@...vuP-x29y)1emOa:QpO*"bv
>
> I have the cracked hashes' passwords. So, I put those plain texts in a 
> file and used it as a wordlist to see if JTR can crack them using 
> md5_gen(6).
>
> It didn't work!
>
> Is there a patch which has been developed for these kind of VB hashes or 
> is it being developed?
>
> Thanks.
>
> Regards,
> NeonFlash 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.