-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always store a raw hash if possible #1469
Comments
I'm dynamic_1. I get this hash
and then I read the pot file and see this hash
I see it's the same hash, so I'll bite. I know my salt is appended and is "ripper" so I strip that from the pot entry's string, and use the remainder of it: "john". |
Given that some formats "hexify" their salts when they contain certain problematic characters, this can get messy. |
Sure (and john-users is probably better) but that doesn't usually add anything. We're still just toying with the ideas. |
This is a valid concern. I agree but I still think this is interesting. I'll ponder it for a while. |
@magnumripper How to parse just hashes and passwords out of john.pot file? Can I reliably drop everything between first $ and second $? |
@davidbolvansky At the moment john stores unambiguous hash plus password in .pot file. Hash and password are separated by Unambiguous hash means that it is possible to infer hash format from the string correctly. We call it canonical form. I.e. john loading hashes in such form understands format right always. There might be multiple formats to load this hash, but all of them should be able to crack this hash with the given password (the only exception is confusion between We use word "tag" regarding prefixes like
We call bare 32 hex digits a bare hash. Particularly 32 hex digits could be The problem is that conversion from some form into the canonical form is a one way road. There is no code in john to do reverse conversion. So you have a few options:
|
Let me explain my situation..
Now john cracked one hash. so in john.pot file:
So what I need is direct mapping hash <--> found password. Yes, I was thinking about username trick, could work. Your presented --show=formats looks also useful:
I am interested in any john hash type, so I need to find some general solution to properly match hash (input from me) to newly found password. |
To print hash + password, it might be possible to copy hash as username. It would be elegant:
But there is a problem: some formats use original username. john encodes username into canonical form, so it is possible to replace username after that. But the trick above will not work.
So it looks like the only generic and reliable way is to use (BTW inline dynamic= formats do not match named formats, e.g. Back to the topic of this issue, formats with |
That's incorrect: john picks new username again, at least for ad-hoc dynamic formats. There is one more nuance parsing .pot files: some formats can split original hash into multiple. Most notable such format is LM: original hash is 32 hex digits, but it is split into independent halves. That's why "canonHash" in Incorrect synthetic LM hash can have left half with password shorter than 7 chars. john will not pick it as cracked.
|
I think we should implement this logic for hashes lacking a login |
Here's an idea from #1463
Any format that isn't using UTF-16 or something like that, and that is raw or "salted raw", could store its hash as raw. On loading pot file, it would then need to look for raw hashes of the correct type, and apply some logic to it.
Here's an example:
With clever handling (and perhaps a revision of john.pot format) any of the formats would be able to use any one of the lines to produce a correct --show figure from an input hash.
For example, you load the hash
$dynamic_1$488911ea30ce711dca20bf7413fc49cc$ripper
. The format finds the line$dynamic_4$488911ea30ce711dca20bf7413fc49cc$john:ripper
in john.pot and draws the conclusion the proper plaintext for dynamic_1 is "john".But taking it a step further, all those formats (as well as the thick raw-md5's) should store their hash like this:
And then they'd have to apply logic to it when reading the pot file back. This would be simpler (and more efficient) than trying to parse all other formats.
The text was updated successfully, but these errors were encountered: