Alceu R. de Freitas Jr. | 2 Jun 2005 17:03

using John to crack MD5 password with more than 13 characters

Hello everybody,

I have a web application that uses MD5 and base64
encoding to protect users' passwords. I would like to
run john against these passwords and check for weak
ones.

The problem is, when I try to simulate something like
the Linux shadow file, john complains that no password
was loaded.

I decided to make some testing using Perl:

C:\Documents and Settings\br04196>perl -MDigest::MD5 -e "$ctx=Digest::MD5->new; $ctx->add('bunda'); print $ctx->b64digest"
VbDIbtdTJqQrekjD+/Z7rw

Then I created a new file with:

smithj:VbDIbtdTJqQrekjD+/Z7rw:10063:0:99999:7:::

It didn't work either. I tried using "hexdigest" and
"digest" from the same module, with the same result.

Is there any way to use John the Ripper to help with
that?

Thanks,


Denis Ducamp | 2 Jun 2005 17:20

Re: using John to crack MD5 password with more than 13 characters

On Thu, Jun 02, 2005 at 12:03:33PM -0300, Alceu R. de Freitas Jr. wrote:
> Hello everybody,

Hi,

> I have a web application that uses MD5 and base64
> encoding to protect users' passwords. I would like to
> run john against these passwords and check for weak
> ones.
[...]
> Is there any way to use John the Ripper to help with
> that?

By default john only knows about "Unix'md5" not raw md5. You have to apply
the raw-md5 patch and try with --format=rawMD5.

The format of the password should be the same as the one from openssl:
$ echo -n bunda | openssl md5
55b0c86ed75326a42b7a48c3fbf67baf

Have fun,

Denis.

-- 
http://www.groar.org/enough/bushit.jpg
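The conversion Denis describes, as an added example that is not part of the original thread: the web application stores base64 digests (Digest::MD5's b64digest drops the trailing "=" padding), while the raw-MD5 patch expects the 32-character hex that `openssl md5` prints, so the file has to be rewritten before john will load it. The shadow-style input line is the one from the original post; the function names are this example's own.

```python
import base64
import binascii
import hashlib

# Constructed sample input, modelled on the shadow-style line in the original post.
SAMPLE_LINES = [
    "smithj:VbDIbtdTJqQrekjD+/Z7rw:10063:0:99999:7:::",
]


def b64_md5_to_hex(digest_b64: str) -> str:
    """Turn an unpadded base64 MD5 digest (what Digest::MD5->b64digest emits)
    into the 32-character lowercase hex that raw-MD5 cracking formats expect."""
    padded = digest_b64 + "=" * (-len(digest_b64) % 4)  # restore the '=' padding
    raw = base64.b64decode(padded, validate=True)         # rejects non-base64 junk
    if len(raw) != 16:
        raise ValueError(f"expected a 16-byte MD5 digest, got {len(raw)} bytes")
    return binascii.hexlify(raw).decode()


def convert_line(line: str) -> str:
    """user:b64digest:... -> user:hexdigest, the 'user:hash' layout john reads."""
    user, digest_b64 = line.split(":", 2)[:2]
    return f"{user}:{b64_md5_to_hex(digest_b64)}"


def convert_file(lines):
    """Convert every non-empty line; a malformed digest raises rather than silently passing."""
    return [convert_line(line) for line in lines if line.strip()]


def cross_check(password: str, digest_b64: str) -> bool:
    """Sanity check before an audit run: the converted hash must equal MD5(password)
    as computed independently (the same value `echo -n ... | openssl md5` prints)."""
    return b64_md5_to_hex(digest_b64) == hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    for converted in convert_file(SAMPLE_LINES):
        print(converted)
```

Run the cross check against one account whose password you know before trusting the converted file; a wrong encoding assumption shows up there instead of as "no password hashes loaded".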

Fredrick Regnery | 2 Jun 2005 17:47

Re: using John to crack MD5 password with more than 13 characters

Dear Alceu,
Regards,
Fred

Fredrick Regnery | 2 Jun 2005 17:49

Re: using John to crack MD5 password with more than 13 characters

Dear Sir,
Regards,
Fred

Fredrick Regnery | 2 Jun 2005 21:48

Re: using John to crack MD5 password with more than 13 characters

Hi Denis,
Any luck on finding the password for mon_hl-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org
Thanks,
Fred

Solar Designer | 2 Jun 2005 23:38

Administrivia - Fredrick Regnery and other Hotmail and Yahoo clowns

Hi,

I've unsubscribed Fredrick and added his two e-mail addresses to the
deny list.  Currently, only subscribers can post to john-users,
postings from non-subscribers will be submitted to me for moderation.
Feel free to educate Fredrick on some netiquette via private e-mail.

Let me also use this opportunity to share some curious statistics.
Those only interested in John the Ripper itself rather than in the way
this mailing list is run are free to not read any further. ;-)

This list has existed since May 11th.  There're currently 56 subscribers.

There have been some 300+ subscription _attempts_ via the web interface
alone.  Most of these attempts (200+) were with Hotmail and Yahoo e-mail
addresses.  Out of the 200+ Hotmail/Yahoo addresses, only 20 have
correctly confirmed their subscriptions (and 19 of those are currently
on the list, with Fredrick removed).  Hotmail is actually somewhat
worse than Yahoo: only 5 out of 100+ people have confirmed their
subscriptions.  At first, I suspected that there's a technical
problem with Hotmail, so I've even tried registering for an account
myself.  Yes, there's a problem, kind of, -- the confirmation e-mail
address in the message body is not correctly hyperlinked.  However,
simply clicking Reply, then Send gets the subscription confirmed.  So
the problem is primarily with the Hotmail users.  I suspect that the
same applies to Yahoo.

Essentially, we've got a trivial IQ test for prospective subscribers,
and perhaps this is actually quite good for a discussion list.  A few
clowns will still pass this "test" (it is trivial, after all), but
most are rejected right away.

Another curious detail is that most Hotmail users who attempted to
subscribe to Openwall mailing lists are from APNIC countries.  Perhaps
Hotmail is simply more popular there than it is in the US or Europe.
I'm not sure why this is so.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

On Thu, Jun 02, 2005 at 12:48:27PM -0700, Fredrick Regnery wrote:
> Hi Denis,
> Any luck on finding the password for mon_hl@...
> Thanks,
> Fred

Solar Designer | 4 Jun 2005 01:47

Re: using John to crack MD5 password with more than 13 characters

Denis has already provided the correct answer to this question, so
I'll only comment on some other related issues:

On Thu, Jun 02, 2005 at 12:03:33PM -0300, Alceu R. de Freitas Jr. wrote:
> I have a web application that uses MD5 and base64
> encoding to protect users' passwords.

MD5 (as well as SHA1, etc.) is not intended to be used for password
hashing, and it is quite bad at that, -- unless you wrap it in a
higher-level algorithm which implements salts and multiple iterations
(thousands to millions, -- preferably with the number encoded along
with the hashes).

For applications written in PHP, you can use my PHP password hashing
framework:

	http://www.openwall.com/phpass/

If you've been using plain MD5 and haven't been enforcing very
complicated passwords/passphrases, you should expect 90-99% of the
hashes to be cracked (e.g., with the contributed "raw MD5" support
patch for John), -- because these hashes are really that weak.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
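An added illustration of the properties Solar Designer lists above (a per-user salt, a large iteration count, and that count stored alongside the hash so it can be raised later); it is not phpass and not code from the page. It wraps the hash in hashlib's PBKDF2-HMAC-SHA256; the `$pbkdf2-sha256$` prefix, the default count and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical self-describing format: $pbkdf2-sha256$<iterations>$<salt_b64>$<hash_b64>
# Storing the count with the hash lets old entries be identified and re-hashed later.
PREFIX = "$pbkdf2-sha256$"
DEFAULT_ITERATIONS = 100_000   # assumed default; tune to the server's budget


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> str:
    """Salted, iterated hash; a fresh random salt per password defeats shared tables."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}{iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the salt and count carried in the stored string; constant-time compare."""
    if not stored.startswith(PREFIX):
        return False            # raw MD5 or unknown formats are never accepted
    try:
        iters_s, salt_s, dk_s = stored[len(PREFIX):].split("$")
        iterations = int(iters_s)
        salt = base64.b64decode(salt_s, validate=True)
        expected = base64.b64decode(dk_s, validate=True)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the entry is in an old format or below the current iteration floor;
    call at login time, while the plaintext is available, to upgrade it."""
    if not stored.startswith(PREFIX):
        return True
    return int(stored[len(PREFIX):].split("$")[0]) < min_iterations
```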

Whom Ever | 4 Jun 2005 03:47

Patches

Ok, a real basic question here.  If I install multiple
patches for john, do they work together or is there no
guarantee?

Thanks.


Erik Winkler | 4 Jun 2005 04:04

Re: Patches

There is no guarantee that all the patches will apply.  I had to do  
several by hand.  Here is a link to my 1.6.38 all-patches diff.

http://www.macunix.net/JTR/john-1.6.38-all.diff

I applied all the patches from Openwall plus some from the mscash  
pages.  Give it a try.

On Jun 3, 2005, at 9:47 PM, Whom Ever wrote:

> Ok, a real basic question here.  If I install multiple
> patches for john, do they work together or is there no
> guarantee?
>
> Thanks.

Whom Ever | 4 Jun 2005 04:30

Re: Patches

> There is no guarantee that all the patches will
> apply.  I had to do  
> several by hand.  Here is a link to my 1.6.38
> all-patches diff.
> 
> http://www.macunix.net/JTR/john-1.6.38-all.diff
> 
> I applied all the patches from Openwall plus some
> from the mscash  
> pages.  Give it a try.

Thanks.  Seems to compile on a generic 1.6.38 just
fine.  Testing some of the options now.


