Cracking APEX Hashes with John, Long Salts

Cracking APEX hashes with John the Ripper doesn’t usually give me any bother, but I’ve come across two instances where john would not crack the hashes provided. This turned out to be because the salt, which is the workspace name plus the user name, was too long.

The easiest way to obtain the hashes, given access to the database, is to use dump-apex-hashes.sql, making sure to alter the schema to match the version you are using. After this we can reformat them with apex2john.py and crack away. The semi-automated process, along with the manual process, is described well here.

The john input we might end up with after following the above steps is:

$dynamic_1$f96d32cbb2fbe17732c3bbab91c14f3a$10ADMIN

Cracking this APEX hash with john results in the following:

Loaded 1 password hash (dynamic_1: md5($p.$s) (joomla) [128/128 SSE2 intrinsics 10x4x3])
password (?)

The above hash uses the trailing 10ADMIN string as the salt. This salt is made up of the workspace name followed by the user name; to demonstrate this, the following example reproduces the hash john cracked as “password” above:

>>> import hashlib
>>> print hashlib.md5("password" + "10" + "ADMIN").hexdigest()
f96d32cbb2fbe17732c3bbab91c14f3a

Where I’ve had a problem is when the workspace name plus the user name comes to more than 31 characters; quite why someone would pick such a long workspace name I don’t know, but they do!

When this salt ends up over 31 characters we run into a problem: john no longer picks it up as valid:

cat apex;./john apex 
$dynamic_1$98d706b82b654265e71ea7db05eccbfa$4782602601579360ABCDEFGHIJKLMNOPQ
No password hashes loaded (see FAQ)

Adding the following dedicated APEX configuration to john’s dynamic.conf file lets us use dynamic_1011 to crack the hashes; the main difference from dynamic_1 is that this format doesn’t have a maximum “Saltlen”.

####################################################################
# Crack APEX hashes with long salts - Radwire
####################################################################
[List.Generic:dynamic_1011]
Expression=md5($p.$s) (APEX long salts)
Flag=MGF_SALTED
Func=DynamicFunc__clean_input
Func=DynamicFunc__append_keys
Func=DynamicFunc__append_salt
Func=DynamicFunc__crypt_md5
Test=$dynamic_1011$B932A7CB1C06A03310921989DACBA3F7$4782602601579360ABCDEFGHIJKLMNO:password

Now when we try again, after substituting dynamic_1 with dynamic_1011, the hash that wasn’t picked up before works okay:

cat apex;./john apex
$dynamic_1011$98d706b82b654265e71ea7db05eccbfa$4782602601579360ABCDEFGHIJKLMNOPQ
Loaded 1 password hash (dynamic_1011 md5($p.$s) (APEX long salts) [128/128 SSE2 intrinsics 10x4x3])
password1        (?)
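As an added example, not code from this post or from the john / apex2john.py projects, the following Python 3 helper encodes the two facts the post establishes: the salt is workspace name followed by user name, and stock dynamic_1 stops loading a line once that salt passes 31 characters (the post’s own Test vector salt is exactly 31 characters, the failing one is 33). It verifies a candidate against a stored digest with the same md5($p.$s) relation shown above, picks the dynamic_1 or dynamic_1011 tag by salt length, and flags lines in an existing apex file that dynamic_1 would otherwise drop with only “No password hashes loaded”. The 31-character cut-off and the dynamic_1011 name are taken from the post, not from john’s source; the sample rows reuse the post’s digests and salts, and since the split of the long salt into workspace and user name isn’t given, it is kept as one string.

```python
import hashlib
import re

# The post observed that john's stock dynamic_1 refuses APEX hashes whose
# salt (workspace name + user name) is longer than 31 characters, while the
# dynamic_1011 stanza it adds to dynamic.conf has no Saltlen limit.
# 31 is the post's empirical threshold, not a value read from john's source.
DYNAMIC_1_MAX_SALT = 31

# $dynamic_N$<32 hex chars>$<salt>, the line shape apex2john.py emits.
LINE_RE = re.compile(r"^\$(dynamic_\d+)\$([0-9a-fA-F]{32})\$(.*)$")


def apex_salt(workspace, username):
    """APEX salts the MD5 with the workspace name followed by the user name."""
    return workspace + username


def verify_candidate(candidate, digest, salt):
    """Return True if md5(candidate + salt) equals the stored digest.

    This is the md5($p.$s) relation the post demonstrates with
    'password' + '10' + 'ADMIN'.  Digests are compared case-insensitively
    because dumps and john Test lines may use either hex case.
    """
    data = (candidate + salt).encode("utf-8")
    return hashlib.md5(data).hexdigest() == digest.lower()


def john_line(digest, salt):
    """Format one hash for john, choosing the format tag by salt length.

    Salts of 31 characters or fewer use the stock dynamic_1 (md5($p.$s));
    longer salts use the dynamic_1011 stanza from the post, which must be
    present in john's dynamic.conf for the line to load.
    """
    tag = "dynamic_1" if len(salt) <= DYNAMIC_1_MAX_SALT else "dynamic_1011"
    return "$%s$%s$%s" % (tag, digest.lower(), salt)


def lines_john_will_skip(lines):
    """Return the dynamic_1 lines whose salt is too long for john to load.

    A pre-flight check on an existing apex file: without it the only
    symptom is 'No password hashes loaded (see FAQ)'.
    """
    skipped = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a dynamic line; leave it to john
        tag, _digest, salt = m.groups()
        if tag == "dynamic_1" and len(salt) > DYNAMIC_1_MAX_SALT:
            skipped.append(line.strip())
    return skipped


if __name__ == "__main__":
    # Constructed demo rows: the first digest is the one the post cracks as
    # 'password'; the second reuses the post's 33-character salt as-is.
    rows = [
        ("f96d32cbb2fbe17732c3bbab91c14f3a", apex_salt("10", "ADMIN")),
        ("98d706b82b654265e71ea7db05eccbfa", "4782602601579360ABCDEFGHIJKLMNOPQ"),
    ]
    for digest, salt in rows:
        print(john_line(digest, salt))
    print(verify_candidate("password", rows[0][0], rows[0][1]))  # True
    print(lines_john_will_skip(["$dynamic_1$%s$%s" % rows[1]]))
```

Running the file prints the first row with the dynamic_1 tag and the second with dynamic_1011; pointing `lines_john_will_skip` at the contents of an existing apex file tells you, before running john, which lines need retagging.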