Message-ID: <20120605173935.GB19645@openwall.com>
Date: Tue, 5 Jun 2012 21:39:35 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: HTML encoding, PHP magic_quotes_gpc encoding (was: Using Twitter to build password cracking wordlist)

On Tue, Jun 05, 2012 at 10:10:53AM -0600, Stephen John Smoogen wrote:
> On a different dictionary hacking thing, I ran into last night... but
> is probably well known except to me :).

This is definitely known to some people, but is often overlooked during
actual cracking runs even by those who are aware of it.

> I found that sites that use only webapps to interact with passwords
> will sometimes "encode" all the possible dangerous characters to HTML
> code before sending it to the crypt function. So where your dictionary
> might have '123456#' the $1$ string is actually '123456&#35;'
> 
> The bulk of them seem to be
> &#34; --> "
> &#35; --> #
> &#38; --> &
> &#39; --> '
> &#40; --> (
> &#41; --> )
> 
> with various numbers of 0's added in depending on how UTF the app is feeling :).

I think HTML entities such as &amp; are also sometimes used.  This means
that when/if we implement this in JtR, we need one-to-many translation.

Another curious conversion that we could support is matching PHP's
magic_quotes_gpc.

Alexander
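The one-to-many translation discussed above, as an added example that is not part of the original message and not code from John the Ripper: a small Python wordlist expander that turns each plaintext candidate into every encoded form a web application might have hashed. The set of characters encoded as decimal references follows the list in the quoted post (with 0, 1 or 2 padding zeros); the named-entity table follows what PHP's htmlspecialchars() with ENT_QUOTES emits; magic_quotes_gpc is modelled as PHP's addslashes(). The order "magic quotes first, HTML encoding second" is an assumption about the typical PHP pipeline. The sample words are constructed.

```python
"""Expand wordlist candidates into the HTML-encoded and magic_quotes_gpc
forms a web application may have hashed instead of the raw password.

Added example (not JtR code). Feed the output to john --stdin.
"""
import sys
from typing import Callable, Iterable, Iterator, List

# Characters the quoted post reports being turned into decimal references
# (&#34; &#35; &#38; &#39; &#40; &#41;).
NUMERIC_CHARS = '"#&\'()'

# Named entities as emitted by PHP htmlspecialchars() with ENT_QUOTES.
# Note the single quote comes out as a zero-padded numeric reference there.
NAMED_ENTITIES = {
    '&': '&amp;',
    '"': '&quot;',
    "'": '&#039;',
    '<': '&lt;',
    '>': '&gt;',
}


def identity(s: str) -> str:
    """The app hashed the password unencoded."""
    return s


def numeric_refs(pad: int) -> Callable[[str], str]:
    """Return an encoder that replaces each char in NUMERIC_CHARS by a
    decimal reference with `pad` leading zeros, e.g. pad=1: '#' -> '&#035;'."""
    def enc(s: str) -> str:
        return ''.join(f'&#{"0" * pad}{ord(c)};' if c in NUMERIC_CHARS else c
                       for c in s)
    return enc


def named_entities(s: str) -> str:
    """htmlspecialchars(ENT_QUOTES)-style encoding."""
    return ''.join(NAMED_ENTITIES.get(c, c) for c in s)


def magic_quotes(s: str) -> str:
    """magic_quotes_gpc behaved like addslashes(): a backslash is inserted
    before single quote, double quote, backslash and NUL."""
    out = []
    for c in s:
        if c in "'\"\\\0":
            out.append('\\')
        out.append(c)
    return ''.join(out)


# Applied at request time (before the app sees the value).
INPUT_ENCODERS = [identity, magic_quotes]
# Applied by the app before hashing; assumed to run after magic quotes.
HTML_ENCODERS = [identity, numeric_refs(0), numeric_refs(1), numeric_refs(2),
                 named_entities]


def candidates(word: str) -> List[str]:
    """All distinct encodings of `word`, raw form first, duplicates removed
    while keeping generation order."""
    seen = {}
    for pre in INPUT_ENCODERS:
        for post in HTML_ENCODERS:
            seen.setdefault(post(pre(word)), None)
    return list(seen)


def expand(words: Iterable[str]) -> Iterator[str]:
    """Yield every candidate for every word, in wordlist order."""
    for w in words:
        yield from candidates(w)


if __name__ == '__main__':
    # Constructed sample input when nothing is piped in.
    words = (line.rstrip('\r\n') for line in sys.stdin) \
        if not sys.stdin.isatty() else ['123456#', "it's", 'password']
    for cand in expand(words):
        print(cand)
```

Typical use is `python3 expand.py < wordlist.txt | john --stdin hashes.txt`. Because each encoder is applied consistently to the whole word, a password with several special characters still yields only a handful of variants rather than a combinatorial explosion; if a site is suspected of encoding only some characters, add a further encoder rather than mixing per character.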
