Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <3f27194d6136c03a620bc6f090bc638c@smtp.hushmail.com>
Date: Tue, 30 Jun 2020 10:13:56 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: decryption without original password

On 2020-06-23 23:23, Solar Designer wrote:
> On Mon, Jun 22, 2020 at 02:50:45PM +0200, Johny Krekan wrote:
>> I have tryed Advanced office password breaker. It is product from
>> Elcomsoft which can break 40-bit encryption
>> which is used in Word/Excel versions 97/2000. It decrypts document
>> without recovering the actual password. It
>> recovers the key which is generated from the password.
>> 1. Is doing something like this possible with John on old office documents?
> 
> No.  JtR currently only supports passwords, not binary keys.

We don't attack the key directly, but we're still getting the "benefit" 
of the crippled 40-bit encryption in that we'll hit usable password 
collisions at about the same rate anyway (once in about 2**40).

Also, we actually have (at least the GPU version) some quirky means for 
exploiting the 40-bit key once we know it, but I never found it very 
interesting since the format is so weak anyway:

The format can read a "hash" with an attached known 40-bit key, 
formatted as hashcat does it (Atom calls it MITM key):

$oldoffice$0*55045061647456688860411218030058*e7e24d163fbd743992d4b8892bf3f2f7*493410dbc832557d3fe1870ace8397e2:91b2e062b9

The trailing 91b2e062b9 is the 40-bit key. If given, the format will use 
it for speedup, but we're not getting hashcat speeds (I think). Until we 
know they key, I see ~438 Mp/s on a 2080ti using mask mode. Once we hit 
the key, finding more usable passwords (given you used the 
--keep-guessing option) runs about 3x faster at ~1.3 Gp/s.

We never store the RC4 key in the potfile though, it just ends up in the 
log file. If you want to use it for future sessions, find it (grep log 
for MITM) and attach it to the original non-hash.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.