PHDays Hashrunner challenge 2015 - Writeup
#11
(05-22-2015, 05:12 AM)gearjunkie Wrote: I had a similar issue. If you downloaded the Window pre-compiled binary then you are unlikely to be using the latest bleeding jumbo. Try this command below and check the results:

Code:
john --list=format-tests --format=scrypt

If the result from the last line looks similar to the output below then it is not the latest bleeding jumbo.
Code:
scrypt  10    SCRYPT:16384:8:1:VHRuaXZOZ05INWJs:JjrOzA8pdPhLvLh8sY64fLLaAjFUwY
CXMmS16NXcn0BhlHpZJ3J2jcozCDM7t+sfjkgQ894R+f+ldVWM5atlkA==      password
Well, I first get 2 error message saying the Test scrypt 1 plaintext and ciphertext contains line feed and then I get the following output:
Code:
scrypt    0    $7$C6..../....SodiumChloride$kBGj9fHznVYFQMEn/qDCfrDevf9YDtcDdKvEqHJLV8D    pleaseletmein
scrypt    1
scrypt    2    $7$2/..../....$rNxJWVHNv/mCNcgE/f6/L4zO6Fos5c2uTzhyzoisI62    
scrypt    3    $7$86....E....NaCl$xffjQo7Bm/.SKRS4B2EuynbOLjAmXU5AbDbRXhoBl64    password
So I guess that it's not the proper version of the bleeding jumbo. I downloaded the latest pre-compiled that I found (John the Ripper v1.8.0.2-bleeding-jumbo-2014-09-28) but it's probably too old.
#12
The latest is 1.8.0.4-jumbo-1. You will see that the format has changed when you list the test format.

Code:
./john --list=format-tests --format=scrypt
scrypt  0       $7$C6..../....SodiumChloride$kBGj9fHznVYFQMEn/qDCfrDevf9YDtcDdKvEqHJLV8D        pleaseletmein
Test scrypt 1: plaintext contains line feed
Test scrypt 1: ciphertext contains line feed or separator character '   '
scrypt  2       $7$2/..../....$rNxJWVHNv/mCNcgE/f6/L4zO6Fos5c2uTzhyzoisI62
scrypt  3       $7$86....E....NaCl$xffjQo7Bm/.SKRS4B2EuynbOLjAmXU5AbDbRXhoBl64  password
scrypt  4       $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM   cisco
scrypt  5       $9$cvWdfQlRRDKq/U$VFTPha5VHTCbSgSUAo.nPoh50ZiXOw1zmljEjXkaq1g   123456
scrypt  6       $9$X9fA8mypebLFVj$Klp6X9hxNhkns0kwUIinvLRSIgWOvCwDhVTZqjsycyU   JtR
scrypt  7       $ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0A=   password
scrypt  8       $ScryptKDF.pm$16384*8*1*bjZkemVmZ3lWVi42*cmBflTPsqGIbg9ZIJRTQdbic8OCUH+904TFmNPBkuEA=   test123
scrypt  9       $ScryptKDF.pm$16384*8*1*VlVYUzBhQmlNbk5J*bJhm6VUS2UQRwMRqLTvSsljDeq193Ge4aqQDtb94bKg=   hello
scrypt  10      $ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0BhlHpZJ3J2jcozCDM7t+sfjkgQ894R+f+ldVWM5atlkA==        password
#13
(05-22-2015, 03:50 PM)gearjunkie Wrote: The latest is 1.8.0.4-jumbo-1. You will see that the format has changed when you list the test format.

Code:
./john --list=format-tests --format=scrypt
scrypt  0       $7$C6..../....SodiumChloride$kBGj9fHznVYFQMEn/qDCfrDevf9YDtcDdKvEqHJLV8D        pleaseletmein
Test scrypt 1: plaintext contains line feed
Test scrypt 1: ciphertext contains line feed or separator character '   '
scrypt  2       $7$2/..../....$rNxJWVHNv/mCNcgE/f6/L4zO6Fos5c2uTzhyzoisI62
scrypt  3       $7$86....E....NaCl$xffjQo7Bm/.SKRS4B2EuynbOLjAmXU5AbDbRXhoBl64  password
scrypt  4       $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM   cisco
scrypt  5       $9$cvWdfQlRRDKq/U$VFTPha5VHTCbSgSUAo.nPoh50ZiXOw1zmljEjXkaq1g   123456
scrypt  6       $9$X9fA8mypebLFVj$Klp6X9hxNhkns0kwUIinvLRSIgWOvCwDhVTZqjsycyU   JtR
scrypt  7       $ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0A=   password
scrypt  8       $ScryptKDF.pm$16384*8*1*bjZkemVmZ3lWVi42*cmBflTPsqGIbg9ZIJRTQdbic8OCUH+904TFmNPBkuEA=   test123
scrypt  9       $ScryptKDF.pm$16384*8*1*VlVYUzBhQmlNbk5J*bJhm6VUS2UQRwMRqLTvSsljDeq193Ge4aqQDtb94bKg=   hello
scrypt  10      $ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0BhlHpZJ3J2jcozCDM7t+sfjkgQ894R+f+ldVWM5atlkA==        password

Can you confirm the below hashcat example load? Have tried bleeding and 1.8.0-jumbo1 neither will load. I must be doing something wrong.

Code:
SCRYPT:1024:1:1:MDIwMzMwNTQwNDQyNQ==:5FW+zWivLxgCWj7qLiQbeC8zaNQ+qdO0NUinvqyFcfo=
#14
Can you confirm the below hashcat example load? Have tried bleeding and 1.8.0-jumbo1 neither will load. I must be doing something wrong.

Code:
SCRYPT:1024:1:1:MDIwMzMwNTQwNDQyNQ==:5FW+zWivLxgCWj7qLiQbeC8zaNQ+qdO0NUinvqyFcfo=
[/quote]

The format above does not work even though it is listed the test example. You will have to get 1.8.0.4-jumbo-1-bleeding and use the format below:

Code:
$ScryptKDF.pm$16384*8*1*VHRuaXZOZ05INWJs*JjrOzA8pdPhLvLh8sY64fLLaAjFUwYCXMmS16NXcn0BhlHpZJ3J2jcozCDM7t+sfjkgQ894R+f+ldVWM5atlkA==
#15
If you want to crack SCRYPT with hashcat just check out the latest beta version.