bkerler / opencl_brute

MD5,SHA1,SHA256,SHA512,HMAC,PBKDF2,SCrypt Bruteforcing tools using OpenCL (GPU, yay!) and Python
MIT License

Password length exceeds the input buffer #6

Closed henshin closed 5 years ago

henshin commented 5 years ago

I was trying this module with a large wordlist such as rockyou.txt and it seems it can't handle long passwords. This is the error I'm getting:

Traceback (most recent call last):
  File ".\md5test.py", line 95, in <module>
    main(sys.argv)
  File ".\md5test.py", line 89, in main
    md5_test(opencl_algos,passwordlist)
  File ".\md5test.py", line 43, in md5_test
    clresult=opencl_algo.cl_md5(ctx,passwordlist)
  File "C:\tests\opencl_brute-master\Library\opencl.py", line 471, in cl_md5
    return self.concat(self.opencl_ctx.run(bufStructs, func, iter(passwordlist), b"", self.mdPadLenFunc))
  File "C:\tests\opencl_brute-master\Library\opencl.py", line 435, in concat
    return [obj for l in ll for obj in l]
  File "C:\tests\opencl_brute-master\Library\opencl.py", line 435, in <listcomp>
    return [obj for l in ll for obj in l]
  File "C:\tests\opencl_brute-master\Library\opencl.py", line 180, in run
    "password #" + str(i) + ", '" + pw.decode() + "' (length " + str(pwLen) + ") exceeds the input buffer (length " + str(inBufSize_bytes) + ") when padded"
AssertionError: password #1020, 'lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll' (length 165) exceeds the input buffer (length 128) when padded

Didn't look too much into the code but maybe just doubling the buffer sizes could solve it.

bkerler commented 5 years ago

The max pw size is currently set at 128 bytes and the max salt size is currently 32. It could be increased, but it may slow down your GPU, or your memory bus might not be able to handle more.

bkerler commented 5 years ago

As it's very unlikely for a user password or regular hash to be longer than 128 bytes (especially for mobile usage), I'm closing this issue.

henshin commented 5 years ago

Thanks for your feedback. Makes sense actually. As a suggestion, instead of throwing an exception in these cases, the program could truncate that password or ignore it and continue on to the next one.

r3ndd commented 4 years ago

What about the instance where passwords were hashed twice using sha512? In that case the output of one sha512 hash will be too long to hash again.

Edit: Actually, you said max 128 bytes, which I assume includes 128 bytes, in which case there is an error in the padding calculations because 128 bytes does not work.

henshin commented 4 years ago

This issue was regarding the limitation on processing plaintext passwords longer than 128 bytes as they come from the wordlist and before they are hashed.
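Added example, not part of the thread and not opencl_brute's own code: the arithmetic behind "exceeds the input buffer (length 128) when padded", with a filter that sets over-length candidates aside instead of aborting the run. It assumes the library's check follows standard MD5/SHA padding (one 0x80 byte plus a length field, rounded up to a whole block); the names `padded_len`, `max_fitting_len` and `split_candidates` are hypothetical.

```python
# Added example: standard Merkle-Damgard padding arithmetic (not opencl_brute code).
# (block size, length-field size) in bytes, per the hash specifications.
MD_PARAMS = {
    "md5": (64, 8),
    "sha1": (64, 8),
    "sha256": (64, 8),
    "sha512": (128, 16),
}

IN_BUF_SIZE = 128  # input buffer length reported in the traceback above


def padded_len(msg_len, algo):
    """Bytes occupied after appending 0x80, zero fill and the length field."""
    block, len_field = MD_PARAMS[algo]
    needed = msg_len + 1 + len_field
    return -(-needed // block) * block  # round up to a whole block


def max_fitting_len(algo, buf_size=IN_BUF_SIZE):
    """Longest message whose padded form still fits in buf_size bytes."""
    block, len_field = MD_PARAMS[algo]
    return (buf_size // block) * block - 1 - len_field


def split_candidates(words, algo, buf_size=IN_BUF_SIZE):
    """Partition candidates into (fits, skipped) instead of aborting the run."""
    fits, skipped = [], []
    for w in words:
        (fits if padded_len(len(w), algo) <= buf_size else skipped).append(w)
    return fits, skipped


if __name__ == "__main__":
    # Constructed sample input, not taken from rockyou.txt.
    sample = [b"password", b"a" * 119, b"a" * 120, b"l" * 165]
    fits, skipped = split_candidates(sample, "md5")
    print("md5 limit:", max_fitting_len("md5"), "bytes")
    print("kept", len(fits), "skipped", [len(w) for w in skipped])
    print("sha512 limit:", max_fitting_len("sha512"), "bytes")
```

Under this assumption a 128-byte buffer holds at most 119 message bytes for MD5 and 111 for SHA-512, so a 64-byte raw SHA-512 digest fits for a second round while its 128-character hex form does not.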