Message-ID: <20110920183341.GA4070@openwall.com>
Date: Tue, 20 Sep 2011 22:33:41 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Mac OS X 10.7 Lion password hashes (salted SHA-512)

On Tue, Sep 20, 2011 at 01:19:07PM -0500, jfoug wrote:
> I think that is ideal.  A standard john tool (lion2john) to double base64
> the input file,

I could be wrong, but I think there's no _double_ base64 encoding on
actual systems.  What we see at:

http://www.frameloss.org/2011/09/05/cracking-macos-lion-passwords/

is a side-effect of the tools used.  Specifically, I think the
"plutil -convert xml1 ShadowHashData" command does base64 _encoding_ of
a component of the binary plist, to meet the requested output format.

> and then output this type line:
> 
> user:$LION$salt$base16_hash   
> 
> is probably the correct output for that tool to generate, and for the format
> to validate and use.

I think we should omit the dollar sign after the salt, because the salt
is binary and fixed-length, and because people seem to be already using
136-hex-character strings.  So we'll just prefix those strings with
$LION$ when we can, and we'll read them without the prefix as well (even
though this might end up being ambiguous at a later time).

Sounds fine?

Alexander
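
Added example, not part of the original message and not John the Ripper's code: a Python parser for the encoding proposed above, accepting the 136-hex-character string with or without the $LION$ prefix and emitting the prefixed form. The 4-byte/64-byte split, the SHA-512(salt || password) ordering, and all function names are assumptions of this sketch; the sample value is constructed.

```python
import hashlib
import hmac
import re

PREFIX = "$LION$"
SALT_HEX = 8        # assumption: 136 - 128 hex characters remain for the salt
DIGEST_HEX = 128    # SHA-512 digest is 64 bytes
_BODY = re.compile(r"[0-9a-fA-F]{%d}" % (SALT_HEX + DIGEST_HEX))


def parse_lion(field):
    """Return (salt, digest) as bytes from a prefixed or bare hash string."""
    body = field[len(PREFIX):] if field.startswith(PREFIX) else field
    if not _BODY.fullmatch(body):
        raise ValueError("expected 136 hex characters, optionally after $LION$")
    raw = bytes.fromhex(body)
    # No '$' separates the two parts: the salt is fixed-length, so split by offset.
    return raw[:SALT_HEX // 2], raw[SALT_HEX // 2:]


def canonical(field):
    """Normalize either accepted input form to lowercase '$LION$' + 136 hex."""
    salt, digest = parse_lion(field)
    return PREFIX + (salt + digest).hex()


def matches(field, password):
    """Check a known password against the hash (assumed SHA-512(salt || password))."""
    salt, digest = parse_lion(field)
    candidate = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


def make_sample(salt, password):
    """Build a constructed bare 136-hex string for testing the parser."""
    return (salt + hashlib.sha512(salt + password.encode("utf-8")).digest()).hex()


if __name__ == "__main__":
    sample = make_sample(b"\x01\x02\x03\x04", "example")  # constructed input
    print("user:" + canonical(sample))
    print(matches(sample, "example"))
```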
