1 parent
ca28023
commit 0442fcc
Showing
5 changed files
with
626 additions
and
1 deletion.
@@ -0,0 +1,53 @@ | ||
================================================================================ | ||
This patch is Copyright © 2012, Mougey Camille (CEA/DAM), Lalet Pierre (CEA/DAM) | ||
and it is hereby released to the general public under the following terms: | ||
Redistribution and use in source and binary forms, with or without modification, | ||
are permitted. | ||
================================================================================ | ||
|
||
The package contains: | ||
|
||
+ README: | ||
This file. | ||
|
||
+ kdcdump.patch: | ||
A patch for MIT Kerberos 5 kdb5_util tool. Run it on a KDC server as | ||
root to export the realm database unencrypted. | ||
|
||
+ kdcdump2john.py: | ||
Converts the output of the previous tool in a JohnTheRipper | ||
understandable format. | ||
|
||
+ john.krb5-18-23_fmt.patch: | ||
Provide the format "krb5-18" (Kerberos5 aes256-cts-hmac-sha1-96) and | ||
"krb5-23" (arcfour-hmac) for JohnTheRipper software. Tested on 1.7.9-jumbo-6. | ||
|
||
================================================================================ | ||
|
||
Example: | ||
|
||
>kdb5_util.patched | ||
... | ||
test/admin@OLYMPE.OL | ||
18,fc77e6ffc07b469ba90ad4a979bcbb64709177c74af7f8eceaada0cdc84c1117 | ||
23,1667b5ee168fc31fba85ffb8f925fb70 | ||
16,52d5670752073ee6644a578945ada45efd2cc149a1620ea4 | ||
... | ||
|
||
>kdb5_util.patched > dump; python kdcdump2john.py dump; | ||
... | ||
test/admin@OLYMPE.OL:$krb18$OLYMPE.OLtestadmin$fc77e6ffc07b469ba90ad4a979bcbb647 | ||
09177c74af7f8eceaada0cdc84c1117 | ||
test/admin@OLYMPE.OL:$krb23$1667b5ee168fc31fba85ffb8f925fb70 | ||
... | ||
|
||
>python kdcump2john.py dump > job; john job --format=krb5-23; | ||
... | ||
aqzsedrf (test/admin@OLYMPE.OL) | ||
|
||
================================================================================ | ||
|
||
|
||
Note: | ||
If the KDC server is not properly configured and provide the both | ||
format, prefer the Arcfour-hmac format. |
@@ -0,0 +1,36 @@ | ||
#! /usr/bin/env python | ||
# | ||
# Kdcdump patch output translation for JtR | ||
# August of 2012 by Mougey Camille | ||
# | ||
# This software is Copyright C 2012, Mougey Camille | ||
# and it is hereby released to the general public under the following terms: | ||
# Redistribution and use in source and binary forms, with or without modification, | ||
# are permitted. | ||
|
||
import sys | ||
|
||
def usage(): | ||
print """ | ||
Usage : | ||
%s\t[dump] | ||
""" % sys.argv[0] | ||
|
||
if (len(sys.argv) < 2): | ||
usage() | ||
exit() | ||
|
||
dump_f = open(sys.argv[1], "r") | ||
name = "unknown" | ||
for l in dump_f.readlines(): | ||
i = l.split(","); | ||
if (len(i) == 1): | ||
if (l.strip()): | ||
name = l.strip() | ||
if (i[0] == "23"): | ||
print "%s:$krb23$%s" % (name, i[1].strip()) | ||
elif (i[0] == "18"): | ||
salt = name.split("@")[1] + name.split("@")[0].replace("/", "") | ||
print "%s:$krb18$%s$%s" % (name, salt, i[1].strip()) | ||
|
||
dump_f.close() |
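Review bot: The krb18 branch evaluates `name.split("@")[1]` without checking that a principal line has been read, so an enctype-18 line that precedes any principal (name is still "unknown"), or follows a principal without a realm, raises IndexError and aborts the conversion midway. Guard it with `if "@" not in name: continue` ahead of the salt line, or report the offending line on stderr. The dump is also opened without a context manager, so the handle is not closed when that exception fires; `with open(sys.argv[1], "r") as dump_f:` covers it. A short module comment stating the expected input layout (a principal line followed by `enctype,hexkey` lines) would document what the parser relies on.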
@@ -0,0 +1,282 @@ | ||
/* | ||
* KRB5 - Enctype 18 (aes256-cts-hmac-sha1-96) cracker patch for JtR | ||
* Created on August of 2012 by Mougey Camille (CEA/DAM) & Lalet Pierre (CEA/DAM) | ||
* | ||
* This format is one of formats saved in KDC database and used during the authentication part | ||
* | ||
* This software is Copyright © 2012, Mougey Camille (CEA/DAM) | ||
* Lalet Pierre (CEA/DAM) | ||
* and it is hereby released to the general public under the following terms: | ||
* Redistribution and use in source and binary forms, with or without modification, | ||
* are permitted. | ||
* | ||
* Input Format : | ||
* - user:$krb18$REALMname$hash | ||
* - user:REALMname$hash | ||
*/ | ||
#include <string.h> | ||
#include <assert.h> | ||
#include <errno.h> | ||
#include "arch.h" | ||
#include "misc.h" | ||
#include "common.h" | ||
#include "formats.h" | ||
#include "params.h" | ||
#include "options.h" | ||
#include <krb5.h> | ||
#ifdef _OPENMP | ||
#include <omp.h> | ||
#define OMP_SCALE 64 | ||
#endif | ||
|
||
#define FORMAT_LABEL "krb5-18" | ||
#define FORMAT_NAME "KRB5 aes256-cts-hmac-sha1-96" | ||
|
||
#define FORMAT_TAG "$krb18$" | ||
#define TAG_LENGTH 7 | ||
|
||
#if !defined(USE_GCC_ASM_IA32) && defined(USE_GCC_ASM_X64) | ||
#define ALGORITHM_NAME "64/64" | ||
#else | ||
#define ALGORITHM_NAME "32/" ARCH_BITS_STR | ||
#endif | ||
|
||
#define BENCHMARK_COMMENT "" | ||
#define BENCHMARK_LENGTH -1 | ||
#define PLAINTEXT_LENGTH 64 | ||
#define CIPHERTEXT_LENGTH 64 | ||
#define BINARY_SIZE 32 | ||
#define SALT_SIZE CIPHERTEXT_LENGTH | ||
#define MIN_KEYS_PER_CRYPT 1 | ||
#define MAX_KEYS_PER_CRYPT 1 | ||
|
||
extern krb5_error_code KRB5_CALLCONV | ||
krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, | ||
const krb5_data *string, | ||
const krb5_data *salt, | ||
const krb5_data *params, krb5_keyblock *key); | ||
|
||
static struct fmt_tests kinit_tests[] = { | ||
{"OLYMPE.OLtest$214bb89cf5b8330112d52189ab05d9d05b03b5a961fe6d06203335ad5f339b26", "password"}, | ||
{FORMAT_TAG "OLYMPE.OLtest$214bb89cf5b8330112d52189ab05d9d05b03b5a961fe6d06203335ad5f339b26", | ||
"password"}, | ||
{NULL} | ||
}; | ||
|
||
static char (*saved_key)[PLAINTEXT_LENGTH + 1]; | ||
static char saved_salt[SALT_SIZE]; | ||
static ARCH_WORD_32 (*crypt_out)[16]; | ||
|
||
static krb5_error_code ret; | ||
static krb5_data string; | ||
static krb5_keyblock key; | ||
static krb5_data salt; | ||
static krb5_enctype enctype; | ||
|
||
static void init(struct fmt_main *pFmt) | ||
{ | ||
#ifdef _OPENMP | ||
int omp_t = omp_get_max_threads(); | ||
pFmt->params.min_keys_per_crypt *= omp_t; | ||
omp_t *= OMP_SCALE; | ||
pFmt->params.max_keys_per_crypt *= omp_t; | ||
#endif | ||
salt.data = ""; | ||
salt.length = 0; | ||
enctype = 18; /* arcfour-hmac */ | ||
|
||
saved_key = mem_calloc_tiny(sizeof(*saved_key) * | ||
pFmt->params.max_keys_per_crypt, MEM_ALIGN_NONE); | ||
crypt_out = mem_calloc_tiny(sizeof(*crypt_out) * | ||
pFmt->params.max_keys_per_crypt, MEM_ALIGN_WORD); | ||
} | ||
|
||
static int valid(char *ciphertext, struct fmt_main *pFmt) | ||
{ | ||
char *p, *q; | ||
|
||
p = ciphertext; | ||
|
||
if (!strncmp(p, FORMAT_TAG, TAG_LENGTH)) | ||
p += TAG_LENGTH; | ||
|
||
p = strstr(p, "$"); | ||
if(p == NULL) | ||
return 0; | ||
|
||
q = ++p; | ||
|
||
while (atoi16[ARCH_INDEX(*q)] != 0x7F) { | ||
if (*q >= 'A' && *q <= 'F') /* support lowercase only */ | ||
return 0; | ||
q++; | ||
} | ||
|
||
return !*q && q - p == CIPHERTEXT_LENGTH; | ||
} | ||
|
||
|
||
static char *split(char *ciphertext, int index) | ||
{ | ||
static char out[TAG_LENGTH + CIPHERTEXT_LENGTH + SALT_SIZE + 1]; | ||
|
||
if (!strncmp(ciphertext, FORMAT_TAG, TAG_LENGTH)) | ||
return ciphertext; | ||
|
||
memcpy(out, FORMAT_TAG, TAG_LENGTH); | ||
memcpy(out + TAG_LENGTH, ciphertext, CIPHERTEXT_LENGTH + SALT_SIZE + 1); | ||
return out; | ||
} | ||
|
||
static void *get_salt(char *ciphertext) | ||
{ | ||
static char out[SALT_SIZE]; | ||
char *p, *q; | ||
|
||
p = ciphertext + TAG_LENGTH; | ||
q = strstr(p, "$"); | ||
strncpy(out, p, q-p); | ||
out[q-p] = 0; | ||
|
||
return out; | ||
} | ||
|
||
static void set_salt(void *salt) | ||
{ | ||
strcpy(saved_salt, salt); | ||
} | ||
|
||
static void *get_binary(char *ciphertext) | ||
{ | ||
static unsigned char *out; | ||
char *p; | ||
int i = 0; | ||
p = ciphertext; | ||
|
||
if (!out) out = mem_alloc_tiny(BINARY_SIZE, MEM_ALIGN_WORD); | ||
|
||
if (!strncmp(ciphertext, FORMAT_TAG, TAG_LENGTH)) | ||
p += TAG_LENGTH; | ||
p = strstr(p, "$") + 1; | ||
|
||
for (; i < BINARY_SIZE; i++) { | ||
out[i] = | ||
(atoi16[ARCH_INDEX(*p)] << 4) | | ||
atoi16[ARCH_INDEX(p[1])]; | ||
p += 2; | ||
} | ||
|
||
return out; | ||
} | ||
|
||
static void crypt_all(int count) | ||
{ | ||
int index = 0; | ||
int i; | ||
|
||
#ifdef _OPENMP | ||
#pragma omp parallel for | ||
for (index = 0; index < count; index++) | ||
#endif | ||
{ | ||
|
||
salt.data = saved_salt; | ||
salt.length = strlen(salt.data); | ||
string.data = saved_key[index]; | ||
string.length = strlen(saved_key[index]); | ||
ret = krb5_c_string_to_key_with_params(NULL, | ||
enctype, | ||
&string, | ||
&salt, | ||
NULL, | ||
&key); | ||
for(i = 0; i < key.length / 4; i++){ | ||
crypt_out[index][i] = (key.contents[4 * i]) | | ||
(key.contents[4 * i + 1] << 8) | | ||
(key.contents[4 * i + 2] << 16) | | ||
(key.contents[4 * i + 3] << 24); | ||
} | ||
} | ||
} | ||
|
||
static int cmp_all(void *binary, int count) | ||
{ | ||
int index = 0; | ||
|
||
for (; index < count; index++) | ||
if (crypt_out[index][0] == *(ARCH_WORD_32*)binary) | ||
return 1; | ||
|
||
return 0; | ||
} | ||
|
||
static int cmp_one(void *binary, int index) | ||
{ | ||
return !memcmp(binary, crypt_out[index], BINARY_SIZE); | ||
} | ||
|
||
static int cmp_exact(char *source, int index) | ||
{ | ||
return 1; | ||
} | ||
|
||
static void set_key(char *key, int index) | ||
{ | ||
int saved_key_length = strlen(key); | ||
if (saved_key_length > PLAINTEXT_LENGTH) | ||
saved_key_length = PLAINTEXT_LENGTH; | ||
memcpy(saved_key[index], key, saved_key_length); | ||
saved_key[index][saved_key_length] = 0; | ||
} | ||
|
||
static char *get_key(int index) | ||
{ | ||
return saved_key[index]; | ||
} | ||
|
||
struct fmt_main fmt_krb5_18 = { | ||
{ | ||
FORMAT_LABEL, | ||
FORMAT_NAME, | ||
ALGORITHM_NAME, | ||
BENCHMARK_COMMENT, | ||
BENCHMARK_LENGTH, | ||
PLAINTEXT_LENGTH, | ||
BINARY_SIZE, | ||
SALT_SIZE, | ||
MIN_KEYS_PER_CRYPT, | ||
MAX_KEYS_PER_CRYPT, | ||
FMT_CASE | FMT_8_BIT | FMT_OMP, | ||
kinit_tests | ||
}, { | ||
init, | ||
fmt_default_prepare, | ||
valid, | ||
split, | ||
get_binary, | ||
get_salt, | ||
{ | ||
fmt_default_binary_hash, | ||
fmt_default_binary_hash, | ||
fmt_default_binary_hash, | ||
fmt_default_binary_hash, | ||
fmt_default_binary_hash | ||
}, | ||
fmt_default_salt_hash, | ||
set_salt, | ||
set_key, | ||
get_key, | ||
fmt_default_clear_keys, | ||
crypt_all, | ||
{ | ||
fmt_default_get_hash, | ||
fmt_default_get_hash, | ||
fmt_default_get_hash, | ||
fmt_default_get_hash, | ||
fmt_default_get_hash | ||
}, | ||
cmp_all, | ||
cmp_one, | ||
cmp_exact, | ||
} | ||
}; |
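Review bot: The salt length is never bounded: `valid()` only checks the 64 hex digits after the first `$`, while `get_salt()` copies `q-p` bytes into `static char out[SALT_SIZE]` and writes `out[q-p] = 0`, and `set_salt()` then uses `strcpy` into `saved_salt[SALT_SIZE]`. A hash line whose realm-plus-principal part is 64 characters or longer therefore writes past both 64-byte buffers. Reject it in `valid()` by remembering the position after the optional tag (`char *s = p;`) and changing the NULL test to `if (p == NULL || p - s >= SALT_SIZE) return 0;`. `split()` has a related problem: it copies a fixed `CIPHERTEXT_LENGTH + SALT_SIZE + 1` bytes from `ciphertext`, which reads past the end of shorter inputs; copying `strlen(ciphertext) + 1` bytes once the length is bounded would avoid that.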