Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2e66a84599f9966bab9abf34582afa85@smtp.hushmail.com>
Date: Fri, 16 Oct 2020 00:56:39 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: How to attack hashes.org's md5crypt "left" list

Here's an interesting exercise:

Download all not-yet-cracked md5crypt hashes from hashes.org: 
https://hashes.org/left.php (pick md5crypt from "left lists").

At first I had the idea they would all be virtually uncrackable but many 
of them are as trivial as simply using our default tiny wordlist + 
rules.  There are over 14 million hashes, presumably attacked by a bunch 
of enthusiasts (some fairly experienced I'd presume) for quite some time 
(years), but never cracked.  However, the sheer number of salts was 
likely prohibitive and most script-kiddies don't have the slightest clue 
recognizing that, let alone how to attack it.

For example, if we can test 768 candidates per batch (eg. AVX2 running 8 
threads) and just as a ballpark example: As it takes a millisecond to 
test that batch for a single salt, trying that little batch against 12.6 
million salts would take 3 1/2 hours.  Not a good way to get somewhere.

So here's the way to do it.  Find dupe salts!

$ perl < md5crypt.txt -C0 -ne 'm/\$1\$([^\$]+)\$/; $l{$1}++; END { 
foreach $k (sort { $l{$b} <=> $l{$a} } (keys(%l))) { last if $l{$k} < 2; 
print $k, "\t(", $l{$k}, ")\n"; } }' | head
10a45ndj        (14863)
/ElmJTc/        (768)
ylUxT0Hc        (718)
OzCQggdn        (696)
ly6NWOAJ        (685)
15OWfSYp        (677)
PKPOrMhD        (675)
yfZGygxZ        (665)
4BPpE15m        (664)
qsmGo59F        (648)

Wow. 14,863 same-salts, you've gotta love that! So how do we exploit 
this using JtR?  Simple, just use eg. option "--salts=1000". What this 
means is "only load salts that have at least 1,000 hashes".  Per the 
above, only the one salt with over 14,000 hashes will be loaded. 
Unexperienced users that banged their head over this dataset before will 
now be amazed at what speed we can attack (part of) it, because the 
speed of a single salt is (naturally) the speed of an unsalted format.

If you happen to end up using --salts=400 instead (I did), you will load 
about 110,000 hashes but only 192 different salts.  What does that mean 
again?  It means you will attack 110,000 hashes, but at the speed of 
attacking a mere 192 hashes.  Recent builds of Jumbo will show the 
boost, such as "Remaining 109476 password hashes with 192 different 
salts (570.2x same-salt boost)".  Picture that, it's like having a GPU 
while you run a mediocre CPU.  Now, picture doing this while actually 
**running** on a GPU.  That's where fun begins.

I cracked about a thousand hashes in a single hour, using the very most 
basic first steps.  I wont submit them so I encourage you to do so. 
Now, practice, young Jedi!

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.