Message-ID: <CANO7a6whHeiBMcy4Ab3Fi9g0oU8+-5z=5+w_=K+fF2RnM7osXA@mail.gmail.com>
Date: Sat, 17 Nov 2012 12:11:14 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking passwords with a kerberos traffic dump /
 aes256-cts-hmac-sha1-96 (18)

On Sat, Nov 17, 2012 at 4:43 AM, buawig <buawig@...il.com> wrote:
>> What is the value of "Encryption type" when you view the AS-REQ
>> packet in Wireshark?
>> On my setup (which is using default values) it is 18
>> (aes256-cts-hmac-sha1-96 is being used).
>
> Yes, I noticed it too, it is aes256-cts-hmac-sha1-96 (18), which is
> probably why Cain is not able to extract ENC_TIMESTAMP from AS-REQ.
>
> Nonetheless it would be great to see an implementation for
> enc type 18 / aes256-cts-hmac-sha1-96 (from a traffic capture).
>
> Thank you for your help and numerous answers, looking forward to seeing
> krb5-18-traffic_fmt.c ;)

I have implemented such a format (attached) with the help of code
posted on the insidepro.com forum and by asking "ghudson" numerous
questions on #krbdev. However, it is super slow due to the use of PBKDF2
with 4096 iterations.

NOTE: Checksum implies last 12 bytes of PA_ENC_TIMESTAMP value in
AS-REQ packet. The total length of PA_ENC_TIMESTAMP should be 56 bytes
(after hex2bin conversion).

A lot of optimizations can be done (get rid of nfold operations, use
Lukas's PBKDF2 code, magnum's valid timestamp heuristics etc). I will
port this format to OpenCL soon.

-- 
Cheers,
Dhiru

View attachment "krb-ng_fmt_plug.c" of type "text/x-csrc" (13762 bytes)
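
The layout in the NOTE and the cost of the 4096-iteration PBKDF2 step, sketched as an added example that is not part of the original message or the attached format. The sample hex value, the salt `EXAMPLE.COMalice` (assumed to be the default realm + principal salt) and all function names are constructed for illustration; only the PBKDF2 stage of key derivation is shown, not the later key-derivation or decryption steps.

```python
import hashlib
import time

BLOB_LEN = 56             # PA_ENC_TIMESTAMP length after hex2bin (from the note)
CHECKSUM_LEN = 12         # trailing checksum bytes (from the note)
PBKDF2_ITERATIONS = 4096  # iteration count cited in the message

# Constructed sample values, not taken from any real capture.
CONSTRUCTED_HEX = bytes(range(BLOB_LEN)).hex()
CONSTRUCTED_SALT = "EXAMPLE.COMalice"  # assumed default salt: realm + principal


def split_enc_timestamp(hex_value):
    """Split a hex PA_ENC_TIMESTAMP value into (ciphertext, checksum)."""
    cleaned = "".join(hex_value.split()).replace(":", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError("value is not valid hex") from exc
    if len(raw) != BLOB_LEN:
        raise ValueError(f"expected {BLOB_LEN} bytes, got {len(raw)}")
    return raw[:-CHECKSUM_LEN], raw[-CHECKSUM_LEN:]


def pbkdf2_stage(password, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA1 with 32 bytes of output, sized for a 256-bit key."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, 32
    )


def pbkdf2_rate(samples=5):
    """Rough single-core PBKDF2 evaluations per second on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        pbkdf2_stage(f"candidate-{i}", CONSTRUCTED_SALT)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    ciphertext, checksum = split_enc_timestamp(CONSTRUCTED_HEX)
    print(f"ciphertext: {len(ciphertext)} bytes, checksum: {len(checksum)} bytes")
    print(f"PBKDF2 stage only: about {pbkdf2_rate():.0f} evaluations/second")
```

The measured rate gives a per-guess cost floor for this enctype, which is the figure to weigh against password policy when AS-REQ traffic can be observed.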
