Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <654cacefef97fce31e4d6db35570c07a@smtp.hushmail.com>
Date: Fri, 3 Sep 2021 14:13:23 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Pkzip Hash

On 2021-09-03 13:42, Cameron Palmer wrote:
> I am looking at a file that contains a hash produced by zip2john
> ./file.zip$pkzip$2*2*1*0*8*24*766a*36edfc284d1b1ba0d35f068099947bb13a81d8b6ae0d62c40ae086513fa83b0827b315b6*3*0*1cd331*1d1000*80c8926f*0*39*8*1d*81f4*./file.zip*$/pkzip$
> 
> Is this an older hash type? $pkzip$

Yep, it's the oldest version of zip archives still in common use. Newer 
ones would produce something starting with $zip2$ or $zip3$. This older 
type is faster to attack. Unfortunately we do not yet have GPU support 
for that format, but hashcat has.

> The zip contains both a zImage and jffs2.img file. I assume the zImage is for Renesas SuperH processors.
> 
> I’ve tried a couple of known plain text attacks against what I thought the first 12 bytes of the jffs2.img might be, but any advice as to what I might try in terms of brute forcing?

Using guessed magic like that only works if the corresponding file in 
the attacked archive is *stored* (and encrypted), not deflated. If it is 
deflated, your "plaintext" has to be deflated as well, with the *exact 
same parameters and virtually the same version of deflate code* as the 
file in the encrypted archive. There are many moving parts and it takes 
a while to understand it all. Basically, your only chance to succeed 
with that is if one of the files is some standard and known one such as 
a GPL LICENSE file, where you have the exact same full file (confirmable 
with CRC and sizes).

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.