|
Message-ID: <CALb0Rk7qVwJiBupjVve3KyD3Fcbaxu4i0+RsjDOJ9x8v0Z-V0w@mail.gmail.com> Date: Thu, 14 Dec 2017 10:39:10 -0500 From: "Mark E. Haase" <mehaase@...il.com> To: john-users@...ts.openwall.com Subject: Cracking MD5 with long, known prefix Hey all, I have a cookie created by the Code Igniter web framework[1] that looks like this (wrapped for readability): a:4:{s:10:"session_id";s:32:"8a70dfc8e6433b28ff7cf138b6d1d2 a5";s:10:"ip_addr ess";s:12:"XX.XXX.XX.20";s:10:"user_agent";s:120:"Mozilla/5.0 (Macintosh; In tel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.320 2.94 Safari/537.36";s:13:"last_activity";i:1512923530;} a680075dd6b96d4f44beb 9a9731ed722 The cookie contains a serialized PHP object with an MD5 hash appended to it. The hash is computed as follows: $hash = md5($obj . $key) Where `$obj` is the serialized object and `$key` is a secret. This hash is verified before unserializing the object. I want to try cracking `$key`, but I am not sure if this is even possible with John The Ripper. I tried both mask attack and hybrid mask. The former doesn't produce an error but silently fails to recover the key. The latter produces this error about exceeding the maximum length for MD5 (wrapped for readability): $ john --mask='a:4:{s:10:"session_id";s:32:" 8a70dfc8e6433b28ff7cf138b6d1d2a5 ";s:10:"ip_address";s:12:"XX.XXX.XX.20";s:10:"user_agent"; s:120:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) C hrome/62.0.3202.94 Safari/537.36";s:13:"last_ activity";i:1512923530;}?w' -w=/usr/share/dict/rockyou.txt --max-length=191 --format=Raw-MD5 hashes Can't set max length larger than 55 for Raw-MD5 format My research indicates that 55 is a hard limit for MD5 that cannot be changed at runtime, and that this limit was chosen for performance reasons. Is it possible to compile John with a long limit (expecting a major drop in performance) or is this simply not possible at all? Cheers, Mark 1. https://codeigniter.com/
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.