openwall / john-tests

Test Suite for John the Ripper
24 stars 15 forks source link

same salt bug in rar not detected #25

Closed jfoug closed 9 years ago

jfoug commented 9 years ago

https://github.com/magnumripper/JohnTheRipper/issues/868

TS says all is clear, since jtr says it cracked all items. However, not all were cracked, and there is issues where jtr was thinking there were dupe salts when there should not be.

To work around this (or possibly show OTHER issues), I will re-run JtR after each test, simply to make sure it says no passwords are left.

NOTE This MAY be a problem for formats that are not precise (CRC32, etc). But I can think of no other way to detect this type bug, and it is POSSIBLE that other formats also list that they cracked X number of hashes when in actually they did not.

jfoug commented 9 years ago

Here is a run showing the 'bug' (i.e. prior to adding hash of buffer to the salt)

$ ../run/john -w=pw30.dic rar_tst.in -pot=tst.pot -form=rar
Loaded 130 password hashes with 19 different salts (rar, RAR3 [SHA1 AES 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Bert$ErnIE       (test069.rar)
Bert$ErnIE       (test068.rar)
Bert$ErnIE       (test067.rar)
Bert$ErnIE       (test066.rar)
Bert$ErnIE       (test065.rar)
Bert$ErnIE       (test064.rar)
Bert$ErnIE       (test063.rar)
Bert$ErnIE       (test062.rar)
Bert$ErnIE       (test061.rar)
Bert$ErnIE       (test060.rar)
Bert$ErnIE       (test029.rar)
Bert$ErnIE       (test028.rar)
Bert$ErnIE       (test027.rar)
Bert$ErnIE       (test026.rar)
Bert$ErnIE       (test025.rar)
Bert$ErnIE       (test024.rar)
Bert$ErnIE       (test023.rar)
Bert$ErnIE       (test022.rar)
Bert$ErnIE       (test021.rar)
Bert$ErnIE       (test020.rar)
Bert$ErnIE       (test089.rar)
Bert$ErnIE       (test088.rar)
Bert$ErnIE       (test087.rar)
Bert$ErnIE       (test086.rar)
Bert$ErnIE       (test085.rar)
Bert$ErnIE       (test084.rar)
Bert$ErnIE       (test083.rar)
Bert$ErnIE       (test082.rar)
Bert$ErnIE       (test081.rar)
Bert$ErnIE       (test080.rar)
Bert$ErnIE       (test009.rar)
Bert$ErnIE       (test008.rar)
Bert$ErnIE       (test007.rar)
Bert$ErnIE       (test006.rar)
Bert$ErnIE       (test005.rar)
Bert$ErnIE       (test004.rar)
Bert$ErnIE       (test003.rar)
Bert$ErnIE       (test002.rar)
Bert$ErnIE       (test001.rar)
Bert$ErnIE       (test000.rar)
Bert$ErnIE       (test039.rar)
Bert$ErnIE       (test038.rar)
Bert$ErnIE       (test037.rar)
Bert$ErnIE       (test036.rar)
Bert$ErnIE       (test035.rar)
Bert$ErnIE       (test034.rar)
Bert$ErnIE       (test033.rar)
Bert$ErnIE       (test032.rar)
Bert$ErnIE       (test031.rar)
Bert$ErnIE       (test030.rar)
Bert$ErnIE       (test079.rar)
Bert$ErnIE       (test078.rar)
Bert$ErnIE       (test077.rar)
Bert$ErnIE       (test076.rar)
Bert$ErnIE       (test075.rar)
Bert$ErnIE       (test074.rar)
Bert$ErnIE       (test073.rar)
Bert$ErnIE       (test072.rar)
Bert$ErnIE       (test071.rar)
Bert$ErnIE       (test070.rar)
Bert$ErnIE       (test019.rar)
Bert$ErnIE       (test018.rar)
Bert$ErnIE       (test017.rar)
Bert$ErnIE       (test016.rar)
Bert$ErnIE       (test015.rar)
Bert$ErnIE       (test014.rar)
Bert$ErnIE       (test013.rar)
Bert$ErnIE       (test012.rar)
Bert$ErnIE       (test011.rar)
Bert$ErnIE       (test010.rar)
Bert$ErnIE       (test109.rar)
Bert$ErnIE       (test108.rar)
Bert$ErnIE       (test107.rar)
Bert$ErnIE       (test106.rar)
Bert$ErnIE       (test105.rar)
Bert$ErnIE       (test104.rar)
Bert$ErnIE       (test103.rar)
Bert$ErnIE       (test102.rar)
Bert$ErnIE       (test101.rar)
Bert$ErnIE       (test100.rar)
Bert$ErnIE       (test059.rar)
Bert$ErnIE       (test058.rar)
Bert$ErnIE       (test057.rar)
Bert$ErnIE       (test056.rar)
Bert$ErnIE       (test055.rar)
Bert$ErnIE       (test054.rar)
Bert$ErnIE       (test053.rar)
Bert$ErnIE       (test052.rar)
Bert$ErnIE       (test051.rar)
Bert$ErnIE       (test050.rar)
Bert$ErnIE       (test118.rar)
Bert$ErnIE       (test117.rar)
Bert$ErnIE       (test116.rar)
Bert$ErnIE       (test115.rar)
Bert$ErnIE       (test114.rar)
Bert$ErnIE       (test113.rar)
Bert$ErnIE       (test112.rar)
Bert$ErnIE       (test111.rar)
Bert$ErnIE       (test110.rar)
password         (test099.rar)
password         (test098.rar)
password         (test097.rar)
password         (test096.rar)
password         (test095.rar)
password         (test094.rar)
test             (test049.rar)
test             (test048.rar)
test             (test047.rar)
test             (test046.rar)
test             (test045.rar)
Bert$ErnIE       (test044.rar)
Bert$ErnIE       (test043.rar)
Bert$ErnIE       (test042.rar)
Bert$ErnIE       (test041.rar)
Bert$ErnIE       (test040.rar)
Bert$ErnIE       (test126.rar)
Bert$ErnIE       (test124.rar)
Bert$ErnIE       (test122.rar)
Bert$ErnIE       (test121.rar)
Bert$ErnIE       (test120.rar)
Bert$ErnIE       (test093.rar)
Bert$ErnIE       (test092.rar)
Bert$ErnIE       (test091.rar)
Bert$ErnIE       (test090.rar)
1                (test125.rar)
1                (test123.rar)
ttttttttttt      (test129.rar)
ttttttttttt      (test127.rar)
dffffffffffff    (test128.rar)
alsfdkja;        (test119.rar)
130g 0:00:00:05 DONE (2014-12-04 13:05) 24.57g/s 6.048p/s 114.9c/s 786.2C/s Skippin▒ an▒*..qwert12345
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Here is the -show output:

$ ../run/john -show rar_tst.in -pot=tst.pot -form=rar
test009.rar:Bert$ErnIE:1::.gitignore
test019.rar:Bert$ErnIE:1::.gitignore
test029.rar:Bert$ErnIE:1::.gitignore
test039.rar:Bert$ErnIE:1::.gitignore
test044.rar:Bert$ErnIE:1::.gitignore
test049.rar:test:1::.gitignore
test059.rar:Bert$ErnIE:1::.gitignore
test069.rar:Bert$ErnIE:1::.gitignore
test079.rar:Bert$ErnIE:1::.gitignore
test089.rar:Bert$ErnIE:1::.gitignore
test093.rar:Bert$ErnIE:1::.gitignore
test099.rar:password:1::.gitignore
test109.rar:Bert$ErnIE:1::.gitignore
test118.rar:Bert$ErnIE:1::.gitignore
test119.rar:alsfdkja;:1::.gitignore
test125.rar:1:0::::test.rar
test126.rar:Bert$ErnIE:0::::test.rar
test128.rar:dffffffffffff:0::::test.rar
test129.rar:ttttttttttt:0::::test.rar

19 password hashes cracked, 111 left

So it appears that --show SHOULD catch this issue. I have to re-think logic.

jfoug commented 9 years ago

Ok, added this code (for testing)

        } elsif ($ret_val == 0) {
            my $str = sprintf("form=%-28.28s guesses: %4.4s $crack_xx[3] $crack_xx[4]  [PASSED]\n", $ar[4], $orig_crack_cnt);
            ScreenOutSemi($str);
+           if ($orig_crack_cnt != $orig_show_cnt) {
+               my $str = sprintf(" form=%-28.28s !!! guesses: %4.4s --show: %4.4s !!!            \n", $ar[4], $orig_crack_cnt, $orig_show_cnt);
+               ScreenOutAlways($str);
            }
        } else {

here are the results (note, did not do FULL formats).

$ ./jtrts.pl -q
-------------------------------------------------------------------------------
- JtR-TestSuite (jtrts). Version 1.12.18, Oct 31, 2014.  By, Jim Fougeron & others
- Testing:  John the Ripper password cracker, version 1.8.0.2-bleeding-jumbo_omp [cygwin 64-bit AVX-autoconf]
--------------------------------------------------------------------------------
 form=dynamic_0                    !!! guesses: 1500 --show: 1502 !!!
 form=dynamic_71                   !!! guesses: 1500 --show: 1502 !!!
 form=crc32_dups                   !!! guesses: 1500 --show:   50 !!!
 form=crc32_dups2                  !!! guesses: 1500 --show:   50 !!!
 form=crc32_dups_read_file         !!! guesses: 1500 --show:   50 !!!
 form=crc32_dups2_read_file        !!! guesses: 1500 --show:   50 !!!
 form=lm                           !!! guesses: 1500 --show: 3000 !!!
 form=pwdump_lm                    !!! guesses:  986 --show: 2760 !!!
form=odf_1                        guesses: 1489 -show=1489 0:00:00:06 DONE : Expected count(s) (1500)  [!!!FAILED!!!]
Some tests had Errors. Performed 282 tests.  1 errors
Time used was 431 seconds
jfoug commented 9 years ago

Fixed:

$ ./jtrts.pl rar
-------------------------------------------------------------------------------
- JtR-TestSuite (jtrts). Version 1.12.18, Oct 31, 2014.  By, Jim Fougeron & others
- Testing:  John the Ripper password cracker, version 1.8.0.2-bleeding-jumbo_omp [cygwin 64-bit AVX-autoconf]
--------------------------------------------------------------------------------

John Jumbo build detected.

form=rar                          guesses:  130 -show=19   0:00:00:05 DONE : Expected count(s) (130)  [!!!FAILED!!!]
.pot CHK:rar                      guesses:  130 0:00:00:00 DONE  [PASSED]

3f31fe7

All things were tested, and the dyna, crc and lm hashes ALREADY had (-show1502), etc in them. This is just a final check. Before showing [PASSED], we check to see if shown count is different than guess count. If it is, we then validate that there is not a (-show###) value. If there is and it passes, we still show [PASSED]. Otherwise we show the message like above.