Message-ID: <000001cb1039$a5512550$eff36ff0$@net>
Date: Sun, 20 Jun 2010 01:30:08 -0400
From: "Robert Harris" <rs904c@...scape.net>
To: <john-users@...ts.openwall.com>
Subject: Issues with JtR auditing Solaris 10 Sha512 algorithm passwords

John User community,

I seem to be having trouble running an audit on a Solaris 10 system running passwords that are hashed with the SHA512 algorithm (and Ubuntu as well, with a version I compile).

I don't know if the following has anything to do with the issues I'm having, but I'll explain. The way Sun originally implemented SHA512 on Solaris systems was flawed. There are patches in order to make this work better. Here is a little history:

A system without patch 140906-01 (i386) or 140905-01 (Sparc):
After a user changes their password, they can no longer log in with their password. {The shadow file shows the password as a type $6$}

A system with patch 140906-01 (i386) or 140905-01 (Solaris):
(This is the 1st version of this patch, which came out in May 2009)
After a user changes their password, they can log in successfully. {The shadow file shows the password as a type $6$}
John the Ripper does not recognize the hash.

A system with patch 140906-02 (i386) or 140905-02 (Solaris):
(This is the 2nd version of this patch, which came out in May 2010)
Same as above. After a user changes their password, they can log in successfully. {The shadow file shows the password as a type $6$}
John the Ripper does not recognize the hash.

I'm using the latest version of JtR (john-1.7.6-jumbo-3), running on Windows. I compiled it for cygwin, all three choices: mmx, sse, and any.

Here is an unshadow file, called server1; its contents are from a Solaris 10 x86 system with patch 140906-01:

test:$6$MDZEL9CQ$ZentsLbLWphRB2./B0xKv1vWPY9IBknYrcD.3SlY5RamKsnzlCSC4ImT3KW
Y8rXMbodbFA9wDrlf51DT3HgoW1:102:14::/home/test:/bin/sh

JtR Results:

C:\apps\pw>C:\apps\john-1.7.6-jumbo-3-win32\run\john server1
No password hashes loaded

Here is an unshadow file, called server1; its contents are from a Solaris 10 x86 system with patch 140906-02:

test:$6$dofn/L59$nygYCacync7RzPfYjWZ1OO6b8MZDETUzYP2SbJD0PPqXDjQ3caVlR8/O6G2
DSMh.6X0Dzwre86QPifkEU22dW/:102:14::/home/test:/bin/sh

Results:

C:\apps\pw>C:\apps\john-1.7.6-jumbo-3-win32\run\john server1
No password hashes loaded

So, I'm wondering at this point if Sun/Oracle is still doing something wrong with their implementation of SHA256 and SHA512, since John the Ripper can't load the hashes it produces. Or perhaps JtR needs a special mode to do Solaris SHA512 and/or SHA256?

Attached is a PDF document that Sun/Oracle wrote about this latest patch.

I then ran on Windows with a password type $6$ that came from an Ubuntu system; it did NOT get good results there either.

root@...ntu:/etc# uname -a
Linux ubuntu 2.6.28-15-generic #52-Ubuntu SMP Wed Sep 9 10:49:34 UTC 2009 i686 GNU/Linux

Content to be cracked:

robert:$6$U4dzp4gvMho3$hAUA8cpTUdHnNjuMFUtiXzd0NL85RMNihshXdks/7LD5zDVseUawK
1JIotk5JVZoyacpHy.Vuja0b9GD2gZ0J.:14527:0:99999:7:::

C:\apps\pw>C:\apps\john-1.7.6-jumbo-3-win32\run\john_sse ubuntu
No password hashes loaded

I switched to john-1.7.6 without any patches (I compiled it) and got the same results.

Also, attached are password files server1 and ubuntu.

So, maybe I'm doing something wrong when compiling it!? Do you guys get the same results?

Help.

Thank you

P.S. All the passwords are "password" in this document

-Robert Harris

Content of type "text/html" skipped

Download attachment "SHA256 and SHA512 patch for Sparc and Intel Sun Solaris information.pdf" of type "application/pdf" (39436 bytes)
Download attachment "ubuntu" of type "application/octet-stream" (130 bytes)
Download attachment "server1" of type "application/octet-stream" (132 bytes)
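
A structural check for the $5$/$6$ fields quoted in this message, as an added example (not part of the original post and not John the Ripper code): it applies the SHA-crypt layout $id$[rounds=N$]salt$digest, with a 43- or 86-character digest, and rejoins records that a mailer wrapped inside the digest. The function names are hypothetical; the sample records are two of those quoted above.

```python
import re

# SHA-crypt ids in the crypt(3) "$id$" format and the digest length each yields
SCHEMES = {"5": ("sha256crypt", 43), "6": ("sha512crypt", 86)}
B64 = re.compile(r"[./0-9A-Za-z]+")  # crypt's own base64 alphabet

def check_hash(field):
    """Return (scheme, problem); problem is None when the field is well formed."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] or parts[1] not in SCHEMES:
        return None, "not a $5$/$6$ hash"
    name, want = SCHEMES[parts[1]]
    rest = parts[2:]
    if rest[0].startswith("rounds="):  # optional cost parameter
        if not rest[0][7:].isdigit():
            return name, "bad rounds= value"
        rest = rest[1:]
    if len(rest) != 2 or len(rest[0]) > 16:
        return name, "expected salt$digest with a salt of at most 16 chars"
    digest = rest[1]
    if len(digest) != want or not B64.fullmatch(digest):
        return name, "digest is %d chars, expected %d" % (len(digest), want)
    return name, None

def rejoin(lines):
    """Glue a record back together when a mailer wrapped it inside the digest:
    the first half is then just "user:hash" and only the joined digest is valid."""
    out = []
    for line in (l.strip() for l in lines if l.strip()):
        prev = out[-1].split(":") if out else []
        if len(prev) == 2 and check_hash(prev[1] + line.split(":")[0])[1] is None:
            out[-1] += line
        else:
            out.append(line)
    return out

def audit(text):
    """Map each user name to (scheme, problem) for shadow/unshadow records."""
    recs = (r.split(":") for r in rejoin(text.splitlines()))
    return {f[0]: check_hash(f[1]) for f in recs if len(f) >= 2}

# Records as quoted in the message above, mail line-wrap included.
SAMPLE = """\
test:$6$MDZEL9CQ$ZentsLbLWphRB2./B0xKv1vWPY9IBknYrcD.3SlY5RamKsnzlCSC4ImT3KW
Y8rXMbodbFA9wDrlf51DT3HgoW1:102:14::/home/test:/bin/sh
robert:$6$U4dzp4gvMho3$hAUA8cpTUdHnNjuMFUtiXzd0NL85RMNihshXdks/7LD5zDVseUawK
1JIotk5JVZoyacpHy.Vuja0b9GD2gZ0J.:14527:0:99999:7:::
"""
print(audit(SAMPLE))
```

Run against a password file before an audit, this separates records that are malformed (for example wrapped or truncated in transit) from records that are well formed but that the cracking tool build does not support.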