gmane.comp.security.openwall.john.user

SHA-3 Contest

Rich Rumble — 2010-09-02T02:52:59

Bruce Schneier, and probably other SHA-3 competitors, but more
specifically Bruce, is looking for people with FPGA and ASIC skillz.
I figure someone on the list may know someone who knows someone
with such a skill set and or interest. You can read more about it here:
http://www.schneier.com/blog/archives/2010/09/wanted_skein_ha.html

I'm just putting this out there (cleared with Solar first) to see if anyone
can help. If so contact Mr Schneier or other entrants you may favor,
and offer your help to them directly, I've posted this on my own volition.
Pass along the link if you know anyone, thanks!
-rich

Solaris Assembler Multiply Fix

Alain Espinosa — 2010-09-01T21:45:01

Hi. I have a small time and convert the assembler multiply into sum as
Solar do. The patch is apply on top the jumbo distribution. I make a
rapid test in linux and mac and works well.

saludos,
alain

Fw: Noob question: how to feed 10 alphanum char min&max incremental to aircrack when "MaxLen = 10 exceeds the compile-time limit of 8"

Mr Ex — 2010-09-01T21:18:07

Thanks for the reply.

It does need to be 10 alnum as the passphrase won't just be digits (and I'd be 
using Mac OSX). So its not possible to just do 10-10 alphanum chars on JtR as 
far as anyone knows? Given that I don't want 9, 8, 7 or less alnum chars nor 11+ 
alnum chars *just 10*, seems quite a reasonable, not too overly time-consuming 
crack to want to feed through from John, I'd be surprised if its not possible.

I take what you're saying in terms of generating a custom .chr file and have 
re-read http://www.openwall.com/john/doc/EXAMPLES.shtml but isn't that method 
merely a way of filtering, i.e. it won't actually make John do a min 10 / max 
10, or am I just not understanding it right?

-EX



----- Forwarded Message ----
From: Rich Rumble <richrumble-Re5JQEeQqe8AvxtiuMwx3w< at >public.gmane.org>
To: john-users-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8< at >public.gmane.org
Sent: Wed, 1 September, 2010 15:35:49
Subject: Re: [john-users] Noob question: how to feed 10 alphanum char min&max 
incremental to aircrack when

Noob question: how to feed 10 alphanum char min&max incremental to aircrack when "MaxLen = 10 exceeds the compile-time limit of 8"

Mr Ex — 2010-09-01T07:28:22

Hi

I'm a total noob who is trying to run a crack specified to effectively brute 
force 10 characters only and alphanumerical only (against a pcap)... I modified 
the config file; the alpha numerical bit, so that it was minimum 10, maximum 
10, as this just seemed logical from reading the help file, and then

john --stdout --incremental:alnum | aircrack-ng (etc etc...)

but then got...

"MaxLen = 10 exceeds the compile-time limit of 8

There are several good reasons why you probably don't need to raise it:
- many hash types don't support passwords (or password halves) longer than
7 or 8 characters;
- you probably don't have sufficient statistical information to generate a
charset file for lengths beyond 8;
- the limitation applies to incremental mode only."

But for what I want to do, feeding, nothing to do with hashes, 10-only and 
alphanum only seems reasonable..?

Like I say, I have read the documentation but as a novice don't wish to get too 
hopelessly lost so I wondered can anyone help... do I need to

compiled JtR 1.7.6 with the jumbo 7 and the netscreen script v2.01 patches located on the custom-builds page

Robert Harris — 2010-08-31T00:10:19

John-Users,

 

I have compiled JtR 1.7.6 with the jumbo 7 and the netscreen script v2.01
patches for:

Windows

Linux 32-bit

Linux 64-bit

 

These builds are now uploaded to

 

http://openwall.info/wiki/john/custom-builds

 

Enjoy,

 

-Robert B. harris

patch of JtR's netscreen.py script, now version 2.01

Robert Harris — 2010-08-30T22:00:03

A puzzling hash from the past

fijam 7 — 2010-08-27T08:18:07

Hello,

I recently analyzed the firmware of a certain discontinued router that
I have and managed to extract a cramfs filesystem. There, I found
/etc/shadow with a strange hash:

user:$1juTFYmn618Y:12086::99999::::

To my understanding, a DES hash should have 13 characters in base64
digits (including the salt). Any ideas why does it start with a '$'?
It appears that the firmware utilized tinylogin 0.80 and uClibc
0.9.26. I had a look at the source but found no clues.

Regards,
JM

Statistics - Real World

Rich Rumble — 2010-08-25T01:28:52

With the disscussion about "real-world" passwords going on, I thought I'd ask a
question: Is there a script or method anyone knows of that we all might use to
both collaborate and report on our real-world passwords? Is there something I
can run that looks at the pot file, the hash file and perhaps the session log
file(s), and might pull out useful information; like what rules seem to crack
passwords first, and what those passwords are made of, perhaps even their CV
patterns... CVVCDPS (d= digit p= punctuation s= special (like tilde)). Perhaps
we could get stats on password lengths, how many were alpha only, digits only
...etc. I know someone who could write something like that in PHP, but I'm sure
perl or python may be preferred. I'm just an "idea guy" and a script kiddie, so
I know next to nothing on what it would take to do something like that, but I
think if we could all work together and ascertain what real-world passes we see
and what hash types we see them in we might improve JtR that much further!

I

Small fix needed for netscreen.py and it doesn't work with python version 3

2010-08-24T20:48:46

John Users,

I found an error in my current netscreen.py.

I mistakenly have a tab in my current version of the netscreen.py, so I need to fix that.

However, I am wondering if I should update it to run in python 3.1.x.    The fixed script, won't run in python 3.1.x, since python 2.x and 3.x are not fully compatible.  

So, I'm not sure what to do,  we may need to have two different version of the script, one for python 3.x and one for python 2.x, since they are not fully compatible.

So, should I keep the script in python 2.x format (but it won't run in python 3.x) , or upgrade to python 3.x format (but it won't run in python 2.x), or have two scripts, one in each format?

-Robert Harris

Defcon18 "Crack Me If You Can" Complete Pot File

Charles Weir — 2010-08-24T04:30:56

Hey all,
    I've been playing around with the plaintext answers KoreLogic
released after the "Crack Me If You Can" competition at this year's
Defcon, and I got it into my head to use the list of words to try and
create a complete JtR .pot file from all of the hashes. There were a
couple of reason for this. First of all, I wanted to start doing
comparisons of the different teams' cracking techniques; More
specifically the techniques they used to train on the cracked NTLM
passwords to attack the other hash types. For that I needed training
and test sets. Also, I REALLY wanted to see if JtR correctly handled
those #$< at >!# Oracle10 hashes, and if so, what the plaintexts were for
them.  Since I figure other people might be interested in this as
well, I'm making the .pot file available at:

https://sites.google.com/site/reusablesec/Home/random/KoreLogic_Defcon2010.pot

As for the highlights, yes JtR does handle the Oracle passwords,
though it's no wonder no one managed to crack them in the 48 hours we
had. For exam

1.7.6-jumbo-7

Solar Designer — 2010-08-22T17:41:16

Hi,

I've just released a jumbo patch update, revision 1.7.6-jumbo-7.  The
changes since -jumbo-6 are as follows (in the order interdiff reminds me
of them):

Added external modes DateTime, Repeats, and Subsets to the default
john.conf.  These have been previously posted in here:

http://www.openwall.com/lists/john-users/2010/08/01/2
http://www.openwall.com/lists/john-users/2010/08/01/1
http://www.openwall.com/lists/john-users/2010/08/06/1

Applied Robert's updates to netscreen.py
(john-1.7.6-jumbo-6-netscreen-script-2.diff):

http://www.openwall.com/lists/john-users/2010/08/13/1

Merged in jmk's MSCHAPv2 "format" addition
(john-1.7.6-jumbo-5-jmk-mschapv2.diff):

http://www.openwall.com/lists/john-users/2010/07/20/1

Applied Alain's public domain statement updates
(john-1.7.6-jumbo-6-alain-copyright.diff):

http://www.openwall.com/lists/john-users/2010/08/11/2

Applied bartavelle's copyright statement and licensing updates from
john-1.7.6-jumbo6-intrinsics-2.diff.gz as it relates to code he had
contributed b

external username

Waylon Grange — 2010-08-18T23:41:05

Is there a way to access the user name from within an external function?  I
have a db that stores the password as sha1(username+password) and would
rather not make a world list of all user name and word list combinations.

change vowels and consonant with others.

2010-08-13T12:46:55

Hi

 I try new way to crack fastly passes.

 This my wordlist :

CCVC
CVCV
CVCC
VCVC
VCCV
CCVV
CVVC
VCCC
VVCC
VVCV
VCVV
CVVV
VVVC
CCCV

 How to change all occurences "C" with consonant [bcdfghjklmnpqrstvwxz] 
and "V" with [aeiouy].
 The wordlist is only here to show where consonant and vowels are 
located in the word.

 for example :

 CCVC become bric, croc, broc, choc, etc...

 I don't have enough knowledge with rules to do this myself.

 Thanks,

 W.A.

SSE intrinsics patch update

2010-08-13T09:14:22

I've updated my patch on the Wiki. I hope it is working, as it has been
done hastily. It is to be applied over john-1.7.6-jumbo6. It includes
the following changes :
* Some copyright clarifications, which could be included in the jumbo patch
* SSE intrinsics code for the raw MD5 function, raw SHA1 and MD5 crypt
* format updates to use these functions in raw-md5, md5, raw-sha1
* new salted-sha format, to be used with LDAP SSHA hashes. It is
probably not working as expected because I just wrote the set_key function
* new targets for 64 bit icc and clang

It is recommanded to use this patch with icc, or clang if icc is not an
option. Using it with gcc should result in decreased performance over
"vanilla" jumbo.

To be downloaded here :

http://openwall.info/wiki/_media/john/john-1.7.6-jumbo6-intrinsics-2.diff.gz

patch of JtR's netscreen.py script

Robert Harris — 2010-08-12T23:12:02

team john-users writeup

Solar Designer — 2010-08-12T19:50:48

Hi,

Here's our team's "Crack Me If You Can" DEFCON 2010 contest writeup.
I wrote it with input from others on our team.  Unfortunately, this
resulted in the writeup being somewhat focused on what I did vs. what
other did during the contest.  This is partially compensated for by
Simon (team bartavelle) and Matt having posted their own writeups, which
I refer to.

Warning: this writeup is lengthy!  Sorry about that. ;-)

---
Thanks (brief).

We'd like to thank:

KoreLogic, and Minga and Hank in particular - for the contest;
Team bartavelle and Frank Dittrich - for their contributions;
Team CrackHeads - for several things (see end of this writeup);
Fyodor - for volunteering to (co-)represent us at DEFCON;
Alain Espinosa - for the NTLM hashing code (in JtR jumbo patch).

We would also like to thank and apologize to team smelly_weigand for
failing to use their offered contribution.

Please refer to the full "Thanks" section at the end of this writeup for
more detail.  (It was too long to start the writeup with

Consonant Vowel Patterns

Brad Tilley — 2010-08-12T13:17:40

I wanted to ask if others had experimented with consonant vowel patterns
in password cracking? Perhaps others know this approach by a different
name? I believe the proper term is phonology (I may be wrong on that).
Here is an example pattern:

CVCCVC

That pattern is common and found in many words. Here are some words
based on it:

batman
badguy
bigboy
(catfig)ht
(barfig)ht
(Falcon)s
bullet
defcon
...

That is just one common pattern, there are many others. One thing I like
about these patterns is that they are cheap to compute and once
computed, you have all passwords that fit that pattern.

The C list is only consonants and the V list is only vowels. N is only
numbers while S is only special chars.

C = 30s-40s (drop chars that are seldom used z,x,j if you like)
V = aeiouAEIOU
N = 1234567890
S = 30s (less if you only want the commonly used chars)

So any variation of batmanNN would be cracked by CVCCVCNN and it only
takes 40 * 10 * 40 * 40 * 10 * 40 * 10 * 10 = 25,600,000,000:

BATMAN78
Batman01
bAtMaN00
.

WEP cracking

Meyer, Bruce — 2010-08-11T17:54:06

I was provided a WEP Key and asked to see if I can crack it.
From what I have been reading, it seems the only way to crack a WEP key is to have traffic from that keys network to capture with a util that is trying to crack the key. Once the util has seen enough data, it is then able to crack the wep key.

Am I wrong? Is it possible to just crack a WEP key with nothing but the key, and something like JTR, and no supporting traffic, or do I need to run a tool like aircrack that can sniff the networks traffic for a while in order to perform the crack?

change copyright

Alain Espinosa — 2010-08-11T14:14:49

Hi. Attached a diff applied on top of the last jumbo patch modifying
the copyright of NTLM and MSCASH formats following the new guidelines.

Best Regards,
alain

Crack Me If You Can Challenge Writeup

Charles Weir — 2010-08-11T11:32:42

I had the pleasure recently in competing alongside the john_user's
group in KoreLogic's Crack Me If You Can Challenge. I'd like to start
off by first thanking KoreLogic who not only devoted their time to set
up the contest, but also staffed the contest booth throughout the
challenge, (and put up with our crazy submissions). I'd also like to
thank Solar for organizing all of us, and from what I can tell from
the timestamps on the e-mails he sent out, devoting a sleepless
weekend to this contest.

Overview:
Since I was attending Defcon at the time, I along with Fyord
represented the john_users group. The downside of this was that it was
very hard for me to keep up with what the rest of the team was doing
since I was hesitant to check my webmail on the secure wireless setup,
and my AT&T data coverage was spotty at best, (since several thousand
other people were checking their I-Phones at the same time). That
being said, I had a great time hanging around the Kore booth and
finding out what techniques other peopl

"bartavelle" team writeup for the Defcon 2010 password cracking contest

2010-08-10T12:03:19

Here is the writeup for team "bartavelle", which contributed its results
to the john-users team.

[MEMBERS]
The "active" members were me and a couple friends. Another one handled
the LM hashes part. Quite a few people helped us by running our software
on computers they owned. Thanks to them !

[PRE-CONTEST]
Me and one of the team members have been working for a few weeks on a
automated password cracking system. This system would also provide
statistics, graphics that could be copied and pasted into reports,
automatic analysis and stuff like that. It could also be used to perform
other computing tasks.

While the "interface" part of the system is quite mature by now, the
actual cracking part was not truly tested. Early tests, a week before
the contest, highlighted design errors that absolutely needed to be
addressed for it to scale for this contest. We spent the days before the
contest rewriting part of the system, and doing not much else.

Some early advertising was also done so that people would join our
"c