Message-ID: <CANO7a6xEDtOA7O9xnLBM-Qp-0FgabBp28akp8aF2cwCbyWA7pA@mail.gmail.com>
Date: Sun, 18 Nov 2012 13:30:57 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: cracking passwords with a kerberos traffic dump /
 aes256-cts-hmac-sha1-96 (18) [MS]

On Sun, Nov 18, 2012 at 6:59 AM, buawig <buawig@...il.com> wrote:
>> As in standard Kerberos? It would surprise me a whole lot if
>> Microsoft do not use the Unicode version of the password, or (even
>> more likely) the 16 byte NT hash as input just like in mskrb5, as
>> opposed to the plain string you use now.
>
> Ok, this makes it clear why I was not able to crack it. So the
> outcome will be a MS specific john format (mskrb5-18).

I don't think that it is necessary to modify krb-ng_fmt_plug.c to
support M$ AD specifically as M$ AD follows RFC.

As I suspected, the problem turned out to be that the fast PBKDF2
doesn't handle long passwords. I have switched back to a safer but
slower implementation of PBKDF2 and I can successfully crack
M$ AD long passwords (> 16 chars).

Please try attached code. M$ AD pcap files are included in
http://dl.dropbox.com/u/1522424/KerberosCapturesV2.tar.gz

-- 
Cheers,
Dhiru

View attachment "krb-ng_fmt_plug.c" of type "text/x-csrc" (14538 bytes)
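
An added example, not part of the original message or of the attached krb-ng_fmt_plug.c: a regression check that compares a pad-precomputing ("fast" style) PBKDF2-HMAC-SHA1 against Python's hashlib reference across password lengths on both sides of 16 characters and of the 64-byte SHA-1 block. The message does not say where the fast code failed, so the lengths, the password and the salt are constructed assumptions; 4096 iterations and a 32-byte output are the RFC 3962 defaults for aes256-cts-hmac-sha1-96.

```python
import hashlib

BLOCK = 64  # SHA-1 block size in bytes


def fast_pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2-HMAC-SHA1 with the HMAC inner/outer pads hashed once up front."""
    # HMAC key preparation: a key longer than one block is hashed first,
    # then zero-padded to the block size. Skipping this step is one way
    # an optimised implementation can break on long passwords.
    key = hashlib.sha1(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha1(bytes(b ^ 0x5C for b in key))

    def prf(msg: bytes) -> bytes:
        i = inner.copy()
        i.update(msg)
        o = outer.copy()
        o.update(i.digest())
        return o.digest()

    out = b""
    block_index = 1
    while len(out) < dklen:
        u = prf(salt + block_index.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block_index += 1
    return out[:dklen]


def mismatched_lengths(lengths, salt=b"EXAMPLE.COMuser", iterations=4096, dklen=32):
    """Return the password lengths at which the fast code disagrees with hashlib."""
    bad = []
    for n in lengths:
        pw = (b"Passw0rd!" * 12)[:n]  # constructed test password of n bytes
        ref = hashlib.pbkdf2_hmac("sha1", pw, salt, iterations, dklen)
        if fast_pbkdf2_sha1(pw, salt, iterations, dklen) != ref:
            bad.append(n)
    return bad


if __name__ == "__main__":
    print(mismatched_lengths([1, 15, 16, 17, 55, 56, 63, 64, 65, 100]))
```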
