New formats: KRB5-18 and KRB5-23
commial authored and magnumripper committed Sep 6, 2012
1 parent ca28023 commit 0442fcc
Showing 5 changed files with 626 additions and 1 deletion.
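--- a/doc/README-krb5-18-23
+++ b/doc/README-krb5-18-23
@@ -0,0 +1,53 @@
+================================================================================
+This patch is Copyright © 2012, Mougey Camille (CEA/DAM), Lalet Pierre (CEA/DAM)
+and it is hereby released to the general public under the following terms:
+Redistribution and use in source and binary forms, with or without modification,
+are permitted.
+================================================================================
+
+The package contains:
+
++ README:
+This file.
+
++ kdcdump.patch:
+A patch for MIT Kerberos 5 kdb5_util tool. Run it on a KDC server as
+root to export the realm database unencrypted.
+
++ kdcdump2john.py:
+Converts the output of the previous tool in a JohnTheRipper
+understandable format.
+
++ john.krb5-18-23_fmt.patch:
+Provide the format "krb5-18" (Kerberos5 aes256-cts-hmac-sha1-96) and
+"krb5-23" (arcfour-hmac) for JohnTheRipper software. Tested on 1.7.9-jumbo-6.
+
+================================================================================
+
+Example:
+
+>kdb5_util.patched
+...
+test/admin@OLYMPE.OL
+18,fc77e6ffc07b469ba90ad4a979bcbb64709177c74af7f8eceaada0cdc84c1117
+23,1667b5ee168fc31fba85ffb8f925fb70
+16,52d5670752073ee6644a578945ada45efd2cc149a1620ea4
+...
+
+>kdb5_util.patched > dump; python kdcdump2john.py dump;
+...
+test/admin@OLYMPE.OL:$krb18$OLYMPE.OLtestadmin$fc77e6ffc07b469ba90ad4a979bcbb647
+09177c74af7f8eceaada0cdc84c1117
+test/admin@OLYMPE.OL:$krb23$1667b5ee168fc31fba85ffb8f925fb70
+...
+
+>python kdcump2john.py dump > job; john job --format=krb5-23;
+...
+aqzsedrf (test/admin@OLYMPE.OL)
+
+================================================================================
+
+
+Note:
+If the KDC server is not properly configured and provide the both
+format, prefer the Arcfour-hmac format.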
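--- a/run/kdcdump2john.py
+++ b/run/kdcdump2john.py
@@ -0,0 +1,36 @@
+#! /usr/bin/env python
+#
+# Kdcdump patch output translation for JtR
+# August of 2012 by Mougey Camille
+#
+# This software is Copyright C 2012, Mougey Camille
+# and it is hereby released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted.
+
+import sys
+
+def usage():
+print """
+Usage :
+%s\t[dump]
+""" % sys.argv[0]
+
+if (len(sys.argv) < 2):
+usage()
+exit()
+
+dump_f = open(sys.argv[1], "r")
+name = "unknown"
+for l in dump_f.readlines():
+i = l.split(",");
+if (len(i) == 1):
+if (l.strip()):
+name = l.strip()
+if (i[0] == "23"):
+print "%s:$krb23$%s" % (name, i[1].strip())
+elif (i[0] == "18"):
+salt = name.split("@")[1] + name.split("@")[0].replace("/", "")
+print "%s:$krb18$%s$%s" % (name, salt, i[1].strip())
+
+dump_f.close()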
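Review bot: The enctype tests in the loop run even for lines that had no comma, so a line whose whole text is `23` or `18` is taken as the principal name and then indexed with `i[1]`, which raises IndexError and aborts the conversion partway through the dump. The `18` branch has a similar gap: `name.split("@")[1]` fails whenever the current name has no realm part, including the initial `"unknown"`. I would skip non-record lines with `if len(i) < 2: continue` right after the name handling and guard the salt with `if "@" not in name: continue`. Since the dump holds long-term keys, opening it with `with open(sys.argv[1]) as dump_f:` would also make sure the handle is closed when a malformed line stops the script.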
2 changes: 1 addition & 1 deletion src/Makefile
@@ -68,7 +68,7 @@ CFLAGS = -c -Wall -O2 -fomit-frame-pointer -Wdeclaration-after-statement -I/usr/
# CFLAGS for use on the main john.c file only
CFLAGS_MAIN = $(CFLAGS)
ASFLAGS = -c $(JOHN_CFLAGS) $(OMPFLAGS)
LDFLAGS = -s -L/usr/local/lib -L/usr/local/ssl/lib -lssl -lcrypto -lm -lz $(JOHN_CFLAGS) $(OMPFLAGS) $(NSS_LDFLAGS) $(GMP_LDFLAGS)
LDFLAGS = -s -L/usr/local/lib -L/usr/local/ssl/lib -lssl -lcrypto -lk5crypto -lm -lz $(JOHN_CFLAGS) $(OMPFLAGS) $(NSS_LDFLAGS) $(GMP_LDFLAGS)
# -lskey
LDFLAGS_SOLARIS = -lrt -lnsl -lsocket -lm -lz -lcrypto -lssl
LDFLAGS_MKV = -s -lm
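Review bot: Adding `-lk5crypto` directly to the default `LDFLAGS` makes every target that uses this variable depend on MIT Kerberos' libk5crypto, so a build host without the krb5 development files presumably can no longer link john at all. The same line already takes optional libraries through `$(NSS_LDFLAGS) $(GMP_LDFLAGS)`; a `KRB5_LDFLAGS = -lk5crypto` variable appended the same way would keep the dependency switchable. `LDFLAGS_SOLARIS` in this hunk is not updated, so targets that link with it would likely fail on the unresolved `krb5_c_string_to_key_with_params` once the new format is compiled in. The rest of the Makefile is outside the hunk, so how the other `LDFLAGS_*` variants are affected cannot be checked from here.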
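--- a/src/krb5-18_fmt_plug.c
+++ b/src/krb5-18_fmt_plug.c
@@ -0,0 +1,282 @@
+/*
+* KRB5 - Enctype 18 (aes256-cts-hmac-sha1-96) cracker patch for JtR
+* Created on August of 2012 by Mougey Camille (CEA/DAM) & Lalet Pierre (CEA/DAM)
+*
+* This format is one of formats saved in KDC database and used during the authentication part
+*
+* This software is Copyright © 2012, Mougey Camille (CEA/DAM)
+* Lalet Pierre (CEA/DAM)
+* and it is hereby released to the general public under the following terms:
+* Redistribution and use in source and binary forms, with or without modification,
+* are permitted.
+*
+* Input Format :
+* - user:$krb18$REALMname$hash
+* - user:REALMname$hash
+*/
+#include <string.h>
+#include <assert.h>
+#include <errno.h>
+#include "arch.h"
+#include "misc.h"
+#include "common.h"
+#include "formats.h"
+#include "params.h"
+#include "options.h"
+#include <krb5.h>
+#ifdef _OPENMP
+#include <omp.h>
+#define OMP_SCALE 64
+#endif
+
+#define FORMAT_LABEL "krb5-18"
+#define FORMAT_NAME "KRB5 aes256-cts-hmac-sha1-96"
+
+#define FORMAT_TAG "$krb18$"
+#define TAG_LENGTH 7
+
+#if !defined(USE_GCC_ASM_IA32) && defined(USE_GCC_ASM_X64)
+#define ALGORITHM_NAME "64/64"
+#else
+#define ALGORITHM_NAME "32/" ARCH_BITS_STR
+#endif
+
+#define BENCHMARK_COMMENT ""
+#define BENCHMARK_LENGTH -1
+#define PLAINTEXT_LENGTH 64
+#define CIPHERTEXT_LENGTH 64
+#define BINARY_SIZE 32
+#define SALT_SIZE CIPHERTEXT_LENGTH
+#define MIN_KEYS_PER_CRYPT 1
+#define MAX_KEYS_PER_CRYPT 1
+
+extern krb5_error_code KRB5_CALLCONV
+krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype,
+const krb5_data *string,
+const krb5_data *salt,
+const krb5_data *params, krb5_keyblock *key);
+
+static struct fmt_tests kinit_tests[] = {
+{"OLYMPE.OLtest$214bb89cf5b8330112d52189ab05d9d05b03b5a961fe6d06203335ad5f339b26", "password"},
+{FORMAT_TAG "OLYMPE.OLtest$214bb89cf5b8330112d52189ab05d9d05b03b5a961fe6d06203335ad5f339b26",
+"password"},
+{NULL}
+};
+
+static char (*saved_key)[PLAINTEXT_LENGTH + 1];
+static char saved_salt[SALT_SIZE];
+static ARCH_WORD_32 (*crypt_out)[16];
+
+static krb5_error_code ret;
+static krb5_data string;
+static krb5_keyblock key;
+static krb5_data salt;
+static krb5_enctype enctype;
+
+static void init(struct fmt_main *pFmt)
+{
+#ifdef _OPENMP
+int omp_t = omp_get_max_threads();
+pFmt->params.min_keys_per_crypt *= omp_t;
+omp_t *= OMP_SCALE;
+pFmt->params.max_keys_per_crypt *= omp_t;
+#endif
+salt.data = "";
+salt.length = 0;
+enctype = 18; /* arcfour-hmac */
+
+saved_key = mem_calloc_tiny(sizeof(*saved_key) *
+pFmt->params.max_keys_per_crypt, MEM_ALIGN_NONE);
+crypt_out = mem_calloc_tiny(sizeof(*crypt_out) *
+pFmt->params.max_keys_per_crypt, MEM_ALIGN_WORD);
+}
+
+static int valid(char *ciphertext, struct fmt_main *pFmt)
+{
+char *p, *q;
+
+p = ciphertext;
+
+if (!strncmp(p, FORMAT_TAG, TAG_LENGTH))
+p += TAG_LENGTH;
+
+p = strstr(p, "$");
+if(p == NULL)
+return 0;
+
+q = ++p;
+
+while (atoi16[ARCH_INDEX(*q)] != 0x7F) {
+if (*q >= 'A' && *q <= 'F') /* support lowercase only */
+return 0;
+q++;
+}
+
+return !*q && q - p == CIPHERTEXT_LENGTH;
+}
+
+
+static char *split(char *ciphertext, int index)
+{
+static char out[TAG_LENGTH + CIPHERTEXT_LENGTH + SALT_SIZE + 1];
+
+if (!strncmp(ciphertext, FORMAT_TAG, TAG_LENGTH))
+return ciphertext;
+
+memcpy(out, FORMAT_TAG, TAG_LENGTH);
+memcpy(out + TAG_LENGTH, ciphertext, CIPHERTEXT_LENGTH + SALT_SIZE + 1);
+return out;
+}
+
+static void *get_salt(char *ciphertext)
+{
+static char out[SALT_SIZE];
+char *p, *q;
+
+p = ciphertext + TAG_LENGTH;
+q = strstr(p, "$");
+strncpy(out, p, q-p);
+out[q-p] = 0;
+
+return out;
+}
+
+static void set_salt(void *salt)
+{
+strcpy(saved_salt, salt);
+}
+
+static void *get_binary(char *ciphertext)
+{
+static unsigned char *out;
+char *p;
+int i = 0;
+p = ciphertext;
+
+if (!out) out = mem_alloc_tiny(BINARY_SIZE, MEM_ALIGN_WORD);
+
+if (!strncmp(ciphertext, FORMAT_TAG, TAG_LENGTH))
+p += TAG_LENGTH;
+p = strstr(p, "$") + 1;
+
+for (; i < BINARY_SIZE; i++) {
+out[i] =
+(atoi16[ARCH_INDEX(*p)] << 4) |
+atoi16[ARCH_INDEX(p[1])];
+p += 2;
+}
+
+return out;
+}
+
+static void crypt_all(int count)
+{
+int index = 0;
+int i;
+
+#ifdef _OPENMP
+#pragma omp parallel for
+for (index = 0; index < count; index++)
+#endif
+{
+
+salt.data = saved_salt;
+salt.length = strlen(salt.data);
+string.data = saved_key[index];
+string.length = strlen(saved_key[index]);
+ret = krb5_c_string_to_key_with_params(NULL,
+enctype,
+&string,
+&salt,
+NULL,
+&key);
+for(i = 0; i < key.length / 4; i++){
+crypt_out[index][i] = (key.contents[4 * i]) |
+(key.contents[4 * i + 1] << 8) |
+(key.contents[4 * i + 2] << 16) |
+(key.contents[4 * i + 3] << 24);
+}
+}
+}
+
+static int cmp_all(void *binary, int count)
+{
+int index = 0;
+
+for (; index < count; index++)
+if (crypt_out[index][0] == *(ARCH_WORD_32*)binary)
+return 1;
+
+return 0;
+}
+
+static int cmp_one(void *binary, int index)
+{
+return !memcmp(binary, crypt_out[index], BINARY_SIZE);
+}
+
+static int cmp_exact(char *source, int index)
+{
+return 1;
+}
+
+static void set_key(char *key, int index)
+{
+int saved_key_length = strlen(key);
+if (saved_key_length > PLAINTEXT_LENGTH)
+saved_key_length = PLAINTEXT_LENGTH;
+memcpy(saved_key[index], key, saved_key_length);
+saved_key[index][saved_key_length] = 0;
+}
+
+static char *get_key(int index)
+{
+return saved_key[index];
+}
+
+struct fmt_main fmt_krb5_18 = {
+{
+FORMAT_LABEL,
+FORMAT_NAME,
+ALGORITHM_NAME,
+BENCHMARK_COMMENT,
+BENCHMARK_LENGTH,
+PLAINTEXT_LENGTH,
+BINARY_SIZE,
+SALT_SIZE,
+MIN_KEYS_PER_CRYPT,
+MAX_KEYS_PER_CRYPT,
+FMT_CASE | FMT_8_BIT | FMT_OMP,
+kinit_tests
+}, {
+init,
+fmt_default_prepare,
+valid,
+split,
+get_binary,
+get_salt,
+{
+fmt_default_binary_hash,
+fmt_default_binary_hash,
+fmt_default_binary_hash,
+fmt_default_binary_hash,
+fmt_default_binary_hash
+},
+fmt_default_salt_hash,
+set_salt,
+set_key,
+get_key,
+fmt_default_clear_keys,
+crypt_all,
+{
+fmt_default_get_hash,
+fmt_default_get_hash,
+fmt_default_get_hash,
+fmt_default_get_hash,
+fmt_default_get_hash
+},
+cmp_all,
+cmp_one,
+cmp_exact,
+}
+};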
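Review bot: `valid()` never bounds the salt (the text between the tag and the `$`), yet `get_salt()` copies `q-p` bytes into the 64-byte static `out` and `set_salt()` then `strcpy`s it into `saved_salt[SALT_SIZE]`, so a hash-file line whose realm/principal string is 64 characters or longer writes past both buffers. `split()` has the matching problem on the read side: it always `memcpy`s `CIPHERTEXT_LENGTH + SALT_SIZE + 1` bytes, which reads beyond the end of a shorter input line and leaves `out` unterminated for a longer one. I would have `valid()` remember where the salt starts and add `if (p - salt_start >= SALT_SIZE) return 0;` right after the `strstr` check, and copy in `split()` with `memcpy(out + TAG_LENGTH, ciphertext, strlen(ciphertext) + 1);`, which then always fits. Separately, under OpenMP the loop in `crypt_all()` shares the file-scope `string`, `salt`, `key`, `ret` and the outer `i` between threads, never checks `ret`, and never releases `key.contents`; these should be per-iteration locals, with the keyblock freed (e.g. `krb5_free_keyblock_contents`) once it has been copied into `crypt_out`. The comment on `enctype = 18; /* arcfour-hmac */` should read `/* aes256-cts-hmac-sha1-96 */`.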