Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAJ9ii1GfdHC_z04EuFyUh1kvsm0-nG-oCDwtpvm-g__Q2DE+NA@mail.gmail.com>
Date: Fri, 17 Aug 2012 09:21:26 -0400
From: Matt Weir <cweir@...edu>
To: john-users@...ts.openwall.com
Subject: Re: Cracking Gauss using dynamic

Dough, the loop in the python code should have just been to 9999 since
there's an extra round at the end...
That's of course assuming that it was working though ;p

Matt

On Fri, Aug 17, 2012 at 9:06 AM, Matt Weir <cweir@...edu> wrote:
> I've been having some problems getting the correct hash to be
> generated. First of all I've been using a bash script from the website
> to generate expected values.
>
> --------file hex. This is for the input word "secret" with salt------------
> 73656372657497486CAA225FE877C035CC0373236D51
> --------end file-------------------------------------------------------------------------
>
> -------Bash script-------------------------------------------------------------------------
> #!/bin/bash
> declare -i count
>
> a=$(cat hex | xxd -p -r | md5 -r | awk '{print $1}')
> for (( count = 0 ; count < 10000; count++))
>
> do
> a=$(echo -en "$a" | xxd -p -r | md5 -r | awk '{print $1}')
> done
> echo " done"
> echo "$a"
> exit 0
> ---------------------end bash script--------------------------------------
>
>
> Also rather than paste all 10k lines (x 3-4) here is a python script
> that generates the dynamic conf
>
> ---------------python script---------------------------------------------
> print "#######################################################################"
> print "# Dynamic Type for algorithm used in gauss malware
> md5(md5(path.file.$s))^^10000"
> print "#######################################################################"
> print "[List.Generic:dynamic_2033]"
> print "# Flag needed here, is Salt"
> print "Flag=MGF_SALTED"
> #print "SaltLen=16"
> print "Func=DynamicFunc__clean_input"
> print "Func=DynamicFunc__append_keys"
> print "Func=DynamicFunc__append_salt"
> print "Func=DynamicFunc__crypt_md5"
>
> print "Func=DynamicFunc__clean_input2"
> print "Func=DynamicFunc__append_from_last_output_to_input2_as_base16"
> for i in range(10000):
>         print "Func=DynamicFunc__crypt2_md5"
>         print "Func=DynamicFunc__clean_input2_kwik"
>         print "Func=DynamicFunc__append_from_last_output2_as_base16"
> print "Func=DynamicFunc__crypt_md5_in2_to_out1"
> #print "Test=$dynamic_2033$23d7b45123f84ffb713569c22ebd7230$HEX$97486CAA225FE877C035CC0373236D51:test"
> #print "Test=$dynamic_2033$7f6d15c16720a432493ba0fb1556e0a3$HEX$97486CAA225FE877C035CC0373236D51:test"
> print "Test=$dynamic_2033$6d7affd7203134e7c13dad602a9b4282$HEX$97486CAA225FE877C035CC0373236D51:secret"
>
> ------------------End python
> scrip--------------------------------------------------
>
> So as you can see, I've been running some other tests as well. For a
> single round of hashing everything works ok, but when I try to re-hash
> it the self check fails vs. the output generated by the bash script,
> (with me limiting the bash script to 1 rehash as well).
>
> Note, one other issue that eventually will have to be dealt with is
> how the input string is encoded with the real data. aka instead of
> C:\Program Files..... it has a null '00' between each character so
> you'll have to try C.:.\.P.r.o.g.r.a.m...F.i.l.e.s.....
>
> 2nd Note: I'm also using "test" and "secret" right now for my test
> hashes since I haven't been able to figure out how to get the sample
> on the website to work correctly in the dynamic config since it has a
> ":" in it.
>
> I'm actually going camping in a couple of minutes so I apologize if I
> don't respond to e-mails for the rest of the weekend, but I wanted to
> post my current status before I left.
>
> Thanks,
> Matt
>
>
> On Fri, Aug 17, 2012 at 8:41 AM,  <jfoug@....net> wrote:
>>
>> On Fri, Aug 17, 2012 at 7:31 AM, jfoug@....net wrote:
>>
>>> On Fri, Aug 17, 2012 at 12:40 AM, Solar Designer wrote:
>>>>
>>>> I thought that maybe the implementation of phpass in the dynamic
>>>> format was generic enough - but it is not.  Its loop is hardcoded in
>>>> DynamicFunc__PHPassCrypt().  So it seems like the current dynamic format
>>>> is incapable of arbitrary loops.  This may be something for JimF to
>>>> enhance - not for this specific target, but in general.
>>>
>>>
>>> There is no looping, or variables, or much of any other 'fancy' things in
>>> dynamic.  Mostly, it is an array of very simple function pointers, such as:
>>> clear-this-buffer, append-this-string, crypt-this-buffer,
>>> convert-this-to-base-16-and-append-to-buffer, etc, etc.  Those are not the
>>> real function names, but that is pretty much 'what' they do, and how much
>>> smarts they have.
>>>
>>> So if you wanted to (with current dynamic), do 10k crypt of the crypt, you
>>> would simply have to build a format with whatever initialization code was
>>> needed to get things 'started', and then 10k of these (well, 9999 of the 2nd
>>> part):
>>>
>>> DynamicFunc__crypt_md5_in1_to_out2
>>> DynamicFunc__clean_input2
>>> DynamicFunc__append_from_last_output2_as_raw
>>> DynamicFunc__crypt2_md5()
>>> DynamicFunc__clean_input2_kwik
>>> DynamicFunc__append_from_last_output2_as_raw
>>> DynamicFunc__crypt2_md5()
>>> DynamicFunc__clean_input2_kwik
>>> DynamicFunc__append_from_last_output2_as_raw
>>>
>>> // 9996 more of the:
>>> DynamicFunc__clean_input2_kwik
>>> DynamicFunc__overwrite_from_last_output2_as_base16_no_size_fix
>>
>>
>> Sorry, wrong, code, should have been
>> DynamicFunc__append_from_last_output2_as_raw
>>
>> That was cut/paste from some code that did not match this problem.
>>
>>
>>> DynamicFunc__crypt2_md5()
>>>
>>> // then a final
>>> DynamicFunc__clean_input2_kwik
>>> DynamicFunc__overwrite_from_last_output2_as_base16_no_size_fix
>>
>>
>> Same problem here, should have been
>> DynamicFunc__append_from_last_output2_as_raw
>>
>>> DynamicFunc__crypt_md5_in2_to_out1
>>
>>
>> ....
>>
>>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.