Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <38da7e25ad18a566598bcf2a9b3b13f4@smtp.hushmail.com>
Date: Tue, 30 Aug 2016 20:40:25 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Which is the correct hash?

On 2016-08-30 09:59, Sebastian Heyn wrote:
> The file has a weird structure.
>
> backup.zip <- password encrypted
> ver 1.0 Pic.zip->Neu Textdatei.txt PKZIP Encr: cmplen=12, decmplen=0, crc=0
> ver 1.0 Pic.zip->bilder.zip PKZIP Encr: cmplen=16969698, decmplen=16969686, crc=7F501B9D  <- the file itself is also password encrypted

We can't know that. The fact it has a CRC doesn't mean it's encrypted.

> and zip2john doesn't seem to know the -m option. Do I need to enable anything when configuring it?
>
>  ./zip2john -m ../../Backup.zip >backup.hash
> ./zip2john: invalid option -- 'm'

Ouch. I see now we have a tiny little (literally, one bit!) bug there. 
Will commit a fix within minutes.

magnum




> --------------------------------------------
> magnum <john.magnum@...hmail.com> schrieb am Mo, 29.8.2016:
>
>  Betreff: Re: [john-users] Which is the correct hash?
>  An: john-users@...ts.openwall.com
>  Datum: Montag, 29. August, 2016 22:37 Uhr
>
>  On 2016-08-29 21:00,
>  Sebastian Heyn wrote:
>  > I'm trying to
>  bruteforce an old backup.zip file that i found after over 10
>  years and I wanted to have a look at. Now I obviously forgot
>  the password.
>  > My problem is that with
>  john-1.7.9 (gentoo) the zip2john script gives a pkzip hash
>  which is a 92 byte file ($PKZIP$). However when I use
>  jumbo-john from git, zip2john gives a
>  >
>  32mb hashfile containing a $PKZIP2 hash.  which is the
>  correct one? is there any known bugs in either version?
>  >
>  > -> the pkzip hash
>  brutes at 19k/sec
>  > -> the pkzip2 hash
>  brutes at 100/sec (--fork=32 gives x32 speed)
>  >
>  > any idea which is
>  correct hash to brute force?
>
>  Generic answer: Obviously the newer version.
>  The 1.7.9 version is so
>  very old you
>  shouldn't use it other than for curious comparisons. I
>
>  can't even recall all changes to this
>  format but some serious issues
>  have been
>  addressed, and quite possibly some performance
>  improvements.
>
>  A more
>  specific answer for your case is that the difference in
>  speed you
>  mention MAY be due to the older
>  version defaulting to "file magic"
>  whereas the newer does not. Does this zip file
>  contains just one (or
>  few) large file and
>  no small ones? You can use -m as in "zip2john -m
>  backup.zip > OUTFILE" to enable file
>  magic and see where that gets you.
>  Just
>  beware that resorting to file magic can be error prone (you
>  might
>  end up with false negatives) and that
>  is why we don't default to it anymore.
>
>  magnum
>
>
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.