Support for Azure AD password sync. hashes

[kholia]

http://www.openwall.com/lists/john-users/2015/10/18/3

[kholia]

Please feel free to grab this ticket.

[jfoug]

Added to pass_gen.pl:

6a48df3

An example (taken right from the page https://www.dsinternals.com/en/how-azure-active-directory-connect-syncs-passwords/

$ ../run/pass_gen.pl azuread

Enter words to hash, one per line.
Pa$$w0rd
u0:v1;PPH1_MD4,317ee9d1dec6508fa510,100,f4a257ffec53809081a605ce8ddedfbc9df9777b80256763bc0a6dd895ef404f;:0:0:Pa$$w0rd:

[jfoug]

https://github.com/magnumripper/JohnTheRipper/commit/504471bb331fa5ad07e2a00755a710c5bf261343

The set_key could be 'optimized' some, but my tests show that the speed is almost exactly 200x raw-sha256, so I really think there is little to be gained by optimizing that function (much less than 1%), AND the readability of the 'reference' implementation of set_key makes it very easy to see just wtf is happening. When we move this code to GPU, we certainly will need to look at optimization of that code. With just 100 iterations of PBKDF2, if we did this type stuff in oSSL in the CPU, we would see a much larger impact. In the GPU code, we likely would make a 'keys_dirty' if block in the crypt_all call, to load the 64 byte utf-16 nt hex string.

[jfoug]

WootWoot ! Works on BE without modifications :)

[magnumripper]

Fixed algo name in 5afa94e

[magnumripper]

Hmmm actually the algo name should be PBKDF2-SHA256, no?

[jfoug]

Yes, probably PBKDF2-HMACSHA256+MD4

[jfoug]

They use all sorts of strange mixed stuff. MD4, UTF-16 (twice), Hexing, Upcasing, etc, and then a PBKDF2-hmacSHA256, but with too few iterations to really be safe.

Look at setkey for the algorithm (or better yet, the new code in pass_gen.pl). The function is easy, but it does a few things that dynamic could not have done. The way I wrote it, it should be somewhat easy to port to GPU. Also, the layout, where the 'real' type hash has the iteration count, and a version number in it, makes it look like this will quickly transform into a v2 hash.

[jfoug]

But 99% of the time (or more), is spent in the pbkdf2 code, so that really 'should' be the algorithm listed. It is like mscash2 It uses NT hash also, BUT that is just an insignificant part of the whole overall function time.

[kholia]

@magnumripper @jfoug can we close this issue now?

[magnumripper]

I guess

[jfoug]

Are we not going to have a GPU version?

[magnumripper]

I haven't ever heard of Azure AD so I have no incentive to write one. OTOH it looks simple enough - we have all the bits needed.

[kholia]

I can take this one, @jfoug has a bigger fish to fry ;)

[jfoug]

It's Micro$oft cloud active directory. It is possible this may be a 'big' thing.

[magnumripper]

@kholia if you base it on krb5pa-md5-opencl, you'll get full encoding support for free.

[kholia]

I am returning this issue back to the queue. Azure AD GPU support needs to be implemented to fix this issue.