|
Message-ID: <1332879603.25919.10.camel@k>
Date: Tue, 27 Mar 2012 22:20:03 +0200
From: Per Thorsheim <per@...rsheim.net>
To: john-users@...ts.openwall.com
Subject: Re: EPiServer hashes
On Tue, 2012-03-27 at 12:21 +0200, Per Thorsheim wrote:
> On Tue, 2012-03-27 at 11:27 +0400, Solar Designer wrote:
> > Hi,
> >
> > This thread was referenced in tweets CC'ed to @Openwall:
> >
> > http://hashcat.net/forum/thread-987-post-5151.html#pid5151
> >
> > Maybe our EPiServer format is wrong or out of date.
> >
> > Per - what's the status on this? Does JtR work right for your hashes?
> > Does any change in JtR need to be made?
> >
> > Alexander
Updated status:
Twitter/@...adel came to the rescue, revealing that the standard hash
format used by episerver - or Microsoft .NET to be exact, is sha1(salt |
utf16bytes(secret)). @hashcat has updated the forum thread with example
code that works against default config.
@klingsen provided an interesting sidenote: with .NET 4 it defaults to
sha256.
I presume episerver will, if they haven't got it already, create a guide
for their customers on how to improve the default security provided
by .NET. After all .NET does have PBKDF2 support (raise your hands if
you know somebody who uses it!)
Given the different types of encryption and hash algorithms supported
by .NET, there's more possibilities for jumbo patches for JtR. :-)
Best regards,
Per Thorsheim
Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.