
New formats: KRB5-18 and KRB5-23

1 parent ca28023 commit 0442fcc332492d1a26813ad1cd0474785a8bddba @commial commial committed with Sep 6, 2012
Showing with 626 additions and 1 deletion.
  1. +53 −0 doc/README-krb5-18-23
  2. +36 −0 run/kdcdump2john.py
  3. +1 −1 src/Makefile
  4. +282 −0 src/krb5-18_fmt_plug.c
  5. +254 −0 src/krb5-23_fmt_plug.c
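--- a/doc/README-krb5-18-23
+++ b/doc/README-krb5-18-23
@@ -0,0 +1,53 @@
+================================================================================
+This patch is Copyright © 2012, Mougey Camille (CEA/DAM), Lalet Pierre (CEA/DAM)
+and it is hereby released to the general public under the following terms:
+Redistribution and use in source and binary forms, with or without modification,
+are permitted.
+================================================================================
+
+The package contains:
+
++ README:
+ This file.
+
++ kdcdump.patch:
+ A patch for MIT Kerberos 5 kdb5_util tool. Run it on a KDC server as
+root to export the realm database unencrypted.
+
++ kdcdump2john.py:
+ Converts the output of the previous tool in a JohnTheRipper
+understandable format.
+
++ john.krb5-18-23_fmt.patch:
+ Provide the format "krb5-18" (Kerberos5 aes256-cts-hmac-sha1-96) and
+"krb5-23" (arcfour-hmac) for JohnTheRipper software. Tested on 1.7.9-jumbo-6.
+
+================================================================================
+
+Example:
+
+>kdb5_util.patched
+...
+test/admin@OLYMPE.OL
+18,fc77e6ffc07b469ba90ad4a979bcbb64709177c74af7f8eceaada0cdc84c1117
+23,1667b5ee168fc31fba85ffb8f925fb70
+16,52d5670752073ee6644a578945ada45efd2cc149a1620ea4
+...
+
+>kdb5_util.patched > dump; python kdcdump2john.py dump;
+...
+test/admin@OLYMPE.OL:$krb18$OLYMPE.OLtestadmin$fc77e6ffc07b469ba90ad4a979bcbb647
+09177c74af7f8eceaada0cdc84c1117
+test/admin@OLYMPE.OL:$krb23$1667b5ee168fc31fba85ffb8f925fb70
+...
+
+>python kdcump2john.py dump > job; john job --format=krb5-23;
+...
+aqzsedrf (test/admin@OLYMPE.OL)
+
+================================================================================
+
+
+Note:
+ If the KDC server is not properly configured and provide the both
+format, prefer the Arcfour-hmac format.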
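--- a/run/kdcdump2john.py
+++ b/run/kdcdump2john.py
@@ -0,0 +1,36 @@
+#! /usr/bin/env python
+#
+# Kdcdump patch output translation for JtR
+# August of 2012 by Mougey Camille
+#
+# This software is Copyright C 2012, Mougey Camille
+# and it is hereby released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without modification,
+# are permitted.
+
+import sys
+
+def usage():
+ print """
+ Usage :
+ %s\t[dump]
+ """ % sys.argv[0]
+
+if (len(sys.argv) < 2):
+ usage()
+ exit()
+
+dump_f = open(sys.argv[1], "r")
+name = "unknown"
+for l in dump_f.readlines():
+ i = l.split(",");
+ if (len(i) == 1):
+ if (l.strip()):
+ name = l.strip()
+ if (i[0] == "23"):
+ print "%s:$krb23$%s" % (name, i[1].strip())
+ elif (i[0] == "18"):
+ salt = name.split("@")[1] + name.split("@")[0].replace("/", "")
+ print "%s:$krb18$%s$%s" % (name, salt, i[1].strip())
+
+dump_f.close()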
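Review bot: The `18` branch indexes `name.split("@")[1]` without checking that a principal line carrying a realm has been seen, so a dump whose first record is a key line (`name` is still "unknown") or whose principal has no `@` stops the conversion with an IndexError; a guard such as `if "@" not in name: continue` before the salt is built keeps the run going. Principal lines are recognised only by the absence of a comma, so a principal that contains `,` is parsed as a key line and the hashes that follow are attributed to the previous name. The salt is rebuilt as realm plus principal with `/` removed, which presumably matches only accounts that use the default salt, and the header comment should say so. Since the input and output both hold long-term KDC keys, the header comment should also state that the dump and the converted file belong on access-restricted storage.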
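--- a/src/Makefile
+++ b/src/Makefile
@@ -68,7 +68,7 @@ CFLAGS = -c -Wall -O2 -fomit-frame-pointer -Wdeclaration-after-statement -I/usr/
 # CFLAGS for use on the main john.c file only
 CFLAGS_MAIN = $(CFLAGS)
 ASFLAGS = -c $(JOHN_CFLAGS) $(OMPFLAGS)
-LDFLAGS = -s -L/usr/local/lib -L/usr/local/ssl/lib -lssl -lcrypto -lm -lz $(JOHN_CFLAGS) $(OMPFLAGS) $(NSS_LDFLAGS) $(GMP_LDFLAGS)
+LDFLAGS = -s -L/usr/local/lib -L/usr/local/ssl/lib -lssl -lcrypto -lk5crypto -lm -lz $(JOHN_CFLAGS) $(OMPFLAGS) $(NSS_LDFLAGS) $(GMP_LDFLAGS)
 # -lskey
 LDFLAGS_SOLARIS = -lrt -lnsl -lsocket -lm -lz -lcrypto -lssl
 LDFLAGS_MKV = -s -lm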
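Review bot: `-lk5crypto` is added to the generic `LDFLAGS` unconditionally, so every target that links with this variable now requires the MIT Kerberos crypto library. `LDFLAGS_SOLARIS` and `LDFLAGS_MKV`, visible in the same hunk, are left without it and would presumably fail to resolve `krb5_c_string_to_key_with_params` if the new plug-ins are built for those targets. Following the `$(NSS_LDFLAGS)` / `$(GMP_LDFLAGS)` pattern already on the line, an optional variable such as `KRB5_LDFLAGS = -lk5crypto`, referenced as `$(KRB5_LDFLAGS)`, would keep the dependency opt-in. The rest of the Makefile is outside the hunk, so which other link variants need the same change cannot be confirmed from here.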
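--- a/src/krb5-18_fmt_plug.c
+++ b/src/krb5-18_fmt_plug.c
@@ -0,0 +1,282 @@
+/*
+ * KRB5 - Enctype 18 (aes256-cts-hmac-sha1-96) cracker patch for JtR
+ * Created on August of 2012 by Mougey Camille (CEA/DAM) & Lalet Pierre (CEA/DAM)
+ *
+ * This format is one of formats saved in KDC database and used during the authentication part
+ *
+ * This software is Copyright © 2012, Mougey Camille (CEA/DAM)
+ * Lalet Pierre (CEA/DAM)
+ * and it is hereby released to the general public under the following terms:
+ * Redistribution and use in source and binary forms, with or without modification,
+ * are permitted.
+ *
+ * Input Format :
+ * - user:$krb18$REALMname$hash
+ * - user:REALMname$hash
+ */
+#include <string.h>
+#include <assert.h>
+#include <errno.h>
+#include "arch.h"
+#include "misc.h"
+#include "common.h"
+#include "formats.h"
+#include "params.h"
+#include "options.h"
+#include <krb5.h>
+#ifdef _OPENMP
+#include <omp.h>
+#define OMP_SCALE 64
+#endif
+
+#define FORMAT_LABEL "krb5-18"
+#define FORMAT_NAME "KRB5 aes256-cts-hmac-sha1-96"
+
+#define FORMAT_TAG "$krb18$"
+#define TAG_LENGTH 7
+
+#if !defined(USE_GCC_ASM_IA32) && defined(USE_GCC_ASM_X64)
+#define ALGORITHM_NAME "64/64"
+#else
+#define ALGORITHM_NAME "32/" ARCH_BITS_STR
+#endif
+
+#define BENCHMARK_COMMENT ""
+#define BENCHMARK_LENGTH -1
+#define PLAINTEXT_LENGTH 64
+#define CIPHERTEXT_LENGTH 64
+#define BINARY_SIZE 32
+#define SALT_SIZE CIPHERTEXT_LENGTH
+#define MIN_KEYS_PER_CRYPT 1
+#define MAX_KEYS_PER_CRYPT 1
+
+extern krb5_error_code KRB5_CALLCONV
+krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype,
+ const krb5_data *string,
+ const krb5_data *salt,
+ const krb5_data *params, krb5_keyblock *key);
+
+static struct fmt_tests kinit_tests[] = {
+ {"OLYMPE.OLtest$214bb89cf5b8330112d52189ab05d9d05b03b5a961fe6d06203335ad5f339b26", "password"},
+ {FORMAT_TAG "OLYMPE.OLtest$214bb89cf5b8330112d52189ab05d9d05b03b5a961fe6d06203335ad5f339b26",
+ "password"},
+ {NULL}
+};
+
+static char (*saved_key)[PLAINTEXT_LENGTH + 1];
+static char saved_salt[SALT_SIZE];
+static ARCH_WORD_32 (*crypt_out)[16];
+
+static krb5_error_code ret;
+static krb5_data string;
+static krb5_keyblock key;
+static krb5_data salt;
+static krb5_enctype enctype;
+
+static void init(struct fmt_main *pFmt)
+{
+#ifdef _OPENMP
+ int omp_t = omp_get_max_threads();
+ pFmt->params.min_keys_per_crypt *= omp_t;
+ omp_t *= OMP_SCALE;
+ pFmt->params.max_keys_per_crypt *= omp_t;
+#endif
+ salt.data = "";
+ salt.length = 0;
+ enctype = 18; /* arcfour-hmac */
+
+ saved_key = mem_calloc_tiny(sizeof(*saved_key) *
+ pFmt->params.max_keys_per_crypt, MEM_ALIGN_NONE);
+ crypt_out = mem_calloc_tiny(sizeof(*crypt_out) *
+ pFmt->params.max_keys_per_crypt, MEM_ALIGN_WORD);
+}
+
+static int valid(char *ciphertext, struct fmt_main *pFmt)
+{
+ char *p, *q;
+
+ p = ciphertext;
+
+ if (!strncmp(p, FORMAT_TAG, TAG_LENGTH))
+ p += TAG_LENGTH;
+
+ p = strstr(p, "$");
+ if(p == NULL)
+ return 0;
+
+ q = ++p;
+
+ while (atoi16[ARCH_INDEX(*q)] != 0x7F) {
+ if (*q >= 'A' && *q <= 'F') /* support lowercase only */
+ return 0;
+ q++;
+ }
+
+ return !*q && q - p == CIPHERTEXT_LENGTH;
+}
+
+
+static char *split(char *ciphertext, int index)
+{
+ static char out[TAG_LENGTH + CIPHERTEXT_LENGTH + SALT_SIZE + 1];
+
+ if (!strncmp(ciphertext, FORMAT_TAG, TAG_LENGTH))
+ return ciphertext;
+
+ memcpy(out, FORMAT_TAG, TAG_LENGTH);
+ memcpy(out + TAG_LENGTH, ciphertext, CIPHERTEXT_LENGTH + SALT_SIZE + 1);
+ return out;
+}
+
+static void *get_salt(char *ciphertext)
+{
+ static char out[SALT_SIZE];
+ char *p, *q;
+
+ p = ciphertext + TAG_LENGTH;
+ q = strstr(p, "$");
+ strncpy(out, p, q-p);
+ out[q-p] = 0;
+
+ return out;
+}
+
+static void set_salt(void *salt)
+{
+ strcpy(saved_salt, salt);
+}
+
+static void *get_binary(char *ciphertext)
+{
+ static unsigned char *out;
+ char *p;
+ int i = 0;
+ p = ciphertext;
+
+ if (!out) out = mem_alloc_tiny(BINARY_SIZE, MEM_ALIGN_WORD);
+
+ if (!strncmp(ciphertext, FORMAT_TAG, TAG_LENGTH))
+ p += TAG_LENGTH;
+ p = strstr(p, "$") + 1;
+
+ for (; i < BINARY_SIZE; i++) {
+ out[i] =
+ (atoi16[ARCH_INDEX(*p)] << 4) |
+ atoi16[ARCH_INDEX(p[1])];
+ p += 2;
+ }
+
+ return out;
+}
+
+static void crypt_all(int count)
+{
+ int index = 0;
+ int i;
+
+#ifdef _OPENMP
+#pragma omp parallel for
+ for (index = 0; index < count; index++)
+#endif
+ {
+
+ salt.data = saved_salt;
+ salt.length = strlen(salt.data);
+ string.data = saved_key[index];
+ string.length = strlen(saved_key[index]);
+ ret = krb5_c_string_to_key_with_params(NULL,
+ enctype,
+ &string,
+ &salt,
+ NULL,
+ &key);
+ for(i = 0; i < key.length / 4; i++){
+ crypt_out[index][i] = (key.contents[4 * i]) |
+ (key.contents[4 * i + 1] << 8) |
+ (key.contents[4 * i + 2] << 16) |
+ (key.contents[4 * i + 3] << 24);
+ }
+ }
+}
+
+static int cmp_all(void *binary, int count)
+{
+ int index = 0;
+
+ for (; index < count; index++)
+ if (crypt_out[index][0] == *(ARCH_WORD_32*)binary)
+ return 1;
+
+ return 0;
+}
+
+static int cmp_one(void *binary, int index)
+{
+ return !memcmp(binary, crypt_out[index], BINARY_SIZE);
+}
+
+static int cmp_exact(char *source, int index)
+{
+ return 1;
+}
+
+static void set_key(char *key, int index)
+{
+ int saved_key_length = strlen(key);
+ if (saved_key_length > PLAINTEXT_LENGTH)
+ saved_key_length = PLAINTEXT_LENGTH;
+ memcpy(saved_key[index], key, saved_key_length);
+ saved_key[index][saved_key_length] = 0;
+}
+
+static char *get_key(int index)
+{
+ return saved_key[index];
+}
+
+struct fmt_main fmt_krb5_18 = {
+ {
+ FORMAT_LABEL,
+ FORMAT_NAME,
+ ALGORITHM_NAME,
+ BENCHMARK_COMMENT,
+ BENCHMARK_LENGTH,
+ PLAINTEXT_LENGTH,
+ BINARY_SIZE,
+ SALT_SIZE,
+ MIN_KEYS_PER_CRYPT,
+ MAX_KEYS_PER_CRYPT,
+ FMT_CASE | FMT_8_BIT | FMT_OMP,
+ kinit_tests
+ }, {
+ init,
+ fmt_default_prepare,
+ valid,
+ split,
+ get_binary,
+ get_salt,
+ {
+ fmt_default_binary_hash,
+ fmt_default_binary_hash,
+ fmt_default_binary_hash,
+ fmt_default_binary_hash,
+ fmt_default_binary_hash
+ },
+ fmt_default_salt_hash,
+ set_salt,
+ set_key,
+ get_key,
+ fmt_default_clear_keys,
+ crypt_all,
+ {
+ fmt_default_get_hash,
+ fmt_default_get_hash,
+ fmt_default_get_hash,
+ fmt_default_get_hash,
+ fmt_default_get_hash
+ },
+ cmp_all,
+ cmp_one,
+ cmp_exact,
+ }
+};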
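Review bot: valid() never bounds the salt field, so get_salt()'s `strncpy(out, p, q-p)` and set_salt()'s `strcpy` write past their `SALT_SIZE` static buffers when a hash line carries a longer realm+principal; keep the field start in `q` before the `strstr` and reject with `if (p == NULL || p - q >= SALT_SIZE) return 0;`. split() has the mirror problem, since its `memcpy` always reads `CIPHERTEXT_LENGTH + SALT_SIZE + 1` bytes from `ciphertext`, past the terminator of any shorter line. In crypt_all(), `string`, `salt`, `key`, `ret` and the counter `i` are shared by every thread of the `#pragma omp parallel for` although the format sets FMT_OMP; they should be locals of the loop body, with `ret` checked before `key.contents` is read and the keyblock released through `krb5_free_keyblock_contents()` on each iteration. The comment on `enctype = 18` says arcfour-hmac, but the file header and FORMAT_NAME give enctype 18 as aes256-cts-hmac-sha1-96.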