Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <0f0bb340-d136-7cc4-352b-1b59b5698903@cox.net>
Date: Thu, 28 Feb 2019 11:00:57 -0600
From: jfoug <jfoug.openwall@....net>
To: john-users@...ts.openwall.com
Subject: Re: prepending and appending salts in dynamic formats

On 2/28/2019 10:08 AM, Royce Williams wrote:
> This Stack Exchange question:
>
> https://security.stackexchange.com/questions/204439/best-tool-for-cracking-sha-1s-with-unique-pre-and-post-salts
>
> ... led me to discover that the dynamic format language has a way to
> prepend two different salts, but apparently no explicitly append a salt?
> (Is this correct?)
>
The way dynamic is written, there is no 'generic' way to prepend 
anything.  Everything is appended to the growing string, in order.

There were a few 'enhancements' made to allow some specific appending 
for a few formats, but nothing that is 'generic'.  There are some 
'overwrite' functions, also a few length setting functions.  These 
really only work for appending, IF we have things like a fixed length 
salt, and also likely a fixed length rest of the input.   See dynamic_12 
layout (in dyanamic_preloads.c) to see an example:  
md5(md5($s).md5($p))   In this format, we store the salt as md5($s) (so 
it is only done at startup time).  Also, in this format, we have a FIXED 
size salt (32 bytes).   Also in this format, every password is exactly 
32 bytes, since it really is the md5($p)   So here, we can do an 
overwrite, and then set the length to be 64 bytes.

However, for something 'generic', for something like: sha1($s.$p.$s2) 
where $s might be 6-12 bytes, $p is arbitrary in size, then the best way 
to handle this, really is to clear the buffer, append the salt, append 
the password, then append the salt2.

There 'could' be ways to do this, BUT trying to add prepend into dynamic 
in a 'generic' manner, would greatly increase the size and complexity of 
dynamic, which already is very bloated, and very-very complex.

For making john the 'best' tool for doing sha1($s.$p.$s2), you really 
SHOULD write a custom native format.

However, a format that 'does' work (better than nothing), is:

$../run/john -test -form='dynamic=sha1($s.$p.$s2)'
Benchmarking: dynamic=sha1($s.$p.$s2) [128/128 SSE2 4x1]... DONE
Many salts:     1952K c/s real, 2823K c/s virtual
Only one salt:  1293K c/s real, 1928K c/s virtual

No code at all, simply uses the built-in john dynamic 'compiler'.  It is 
certainly not as fast as could be built, BUT all depends upon how much 
work really needs to be done with the sha1($s.$p.$s2) format. If there 
are 100's of thousands of hashes, and there will be many CPU years of 
work being done, then it would make sense to write a much faster custom 
format.  If however, there are 100's and you are simply interested in 
cracking 'some' of them, then the time required to write something 
custom, would be a waste, as the dynamic compiler format would likely 
crack them way before the custom format was written.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.