MD5: Need Advice
#11
Maybe you can post an example hash-plaintext pair that we can use to test.
#12
Sure. Here's one.

Here's the resulting MD5 that is written to file after the process. Process was replicated in C# by taking the string of the username and password, encoding both as UTF8 byte arrays, md5 both byte arrays and then concatenating the byte arrays of the resulting md5s and md5 that value. Basically MD5(MD5(username)MD5(password)) as outlined above.

The full resulting string is below with the username used to make it next to that, and yes, I made the hash below using the username "username". The password is 123456 for the example below, so you can replicate if you'd like.

b29a511163a1869c6f15299a35f81875:username

If there's any more information I can supply, please let me know.

Additionally, I tried to use the process I outlined earlier with an account for which I know all the information, but doesn't have the right access. I was not able to retrieve the password though.
#13
Well, I guess if we agree that the algorithm is MD5(MD5_raw ($salt) . MD5_raw ($pass)) you could convert those hashes to just MD5 ($salt_new . MD5_raw ($pass)) where $salt_new is the precomputed MD5 digest.

Since hashcat currently does not support the MD5_raw () part for -m 3710, you could just patch the kernels (OpenCL/m03710_a0.cl for -a 0, OpenCL/m03710_a1.cl for -a 1 and OpenCL/m03710_a3.cl for -a 3) as simple as this:

removing the uint_to_hex_lower8 () function calls (https://github.com/hashcat/hashcat/blob/...#L182-L205) and replacing the resulting buffer (w0_t[x] - w3_t[x]) with the raw output of MD5 (a, b, c, d) + setting 0x80 correctly (w1_t[0] = 0x80) + updating the final length https://github.com/hashcat/hashcat/blob/..._a3.cl#L64 (should be 16 + salt_len) ... these changes need to be done for all places where you find uint_to_hex_lower8 () calls and "const u32 pw_salt_len".

This should be very trivial. You just need to make sure that:
1. you have no cached kernels (in the kernels/ folder), remove it whenever you make changes to the kernels
2. that you carefully test your changes with both single and multiple hash list + all attack types (a0, a1, a3)
3. that you remember that you made these changes and possibly rename the hashcat root folder name accordingly so you do not confuse your modified 3710 hashcat "installation" with an unmodified one (because your new 3710 kernels now would not crack normal 3710 hashes anymore!)
4. that you converted the usernames correctly to their MD5 counterpart and that you do not forget to always use --hex-salt!
#14
Thanks philsmd for the information. I'm a little out of my element here, can you please clarify this: "and replacing the resulting buffer (w0_t[x] - w3_t[x]) with the raw output of MD5 (a, b, c, d)".

Do you mean replacing the lines right below where the uint_to_hex_lower8() functions were? I'm not sure how the replaced lines should look. Like this?

w0_t[0] |= a;
w0_t[1] |= b;
w0_t[2] |= c;
w0_t[3] |= d;
w1_t[0] |= a;
w1_t[1] |= b;
w1_t[2] |= c;
w1_t[3] |= d;
w2_t[0] |= a;
w2_t[1] |= b;
w2_t[2] |= c;
w2_t[3] |= d;
w3_t[0] |= a;
w3_t[1] |= b;
w3_t[2] |= c;
w3_t[3] |= d;

Also, just to clarify, should I be replacing the uint_to_hex_lower8() calls everywhere in the files, or just in the section of code you highlighted in the first github link?

I have made the other modifications.
#15
a, b, c, d, 0x80 and the remaining buffers are all 0 (that should be very obvious if you think about it, it must get shorter if we do not use hex but binary instead, it will be halved i.e. 32/2 = 16).

and I already answered the 2nd question (yeah, all hex conversions must be removed and the binary version/buffer must be used instead):
Quote:these changes need to be done for all places where you find uint_to_hex_lower8 () calls
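
Added example (not part of the original posts and not hashcat code): a Python reference for the scheme from #13 and the buffer layout from #15, which can be used to check a patched -m 3710 kernel against known pairs. The function names are hypothetical, and UTF-8 input encoding is assumed from post #12.

```python
import hashlib
import struct

def md5_raw(data: bytes) -> bytes:
    """16-byte binary MD5 digest (what the thread calls MD5_raw)."""
    return hashlib.md5(data).digest()

def scheme_hash(username: str, password: str) -> str:
    """MD5(MD5_raw(username) . MD5_raw(password)), UTF-8 inputs as in post #12."""
    return hashlib.md5(md5_raw(username.encode("utf-8")) +
                       md5_raw(password.encode("utf-8"))).hexdigest()

def to_hex_salt_line(line: str) -> str:
    """'hash:username' -> 'hash:<hex MD5_raw(username)>', the form --hex-salt expects."""
    digest, username = line.strip().split(":", 1)
    return digest.lower() + ":" + md5_raw(username.encode("utf-8")).hex()

def check(hex_salt_line: str, candidate: str) -> bool:
    """Salted view from #13: MD5($salt_new . MD5_raw($pass)) with a precomputed salt."""
    digest, salt_hex = hex_salt_line.split(":", 1)
    salt_new = bytes.fromhex(salt_hex)
    return hashlib.md5(salt_new + md5_raw(candidate.encode("utf-8"))).hexdigest() == digest

def inner_words(password: str) -> list:
    """Buffer before the salt is prepended (#15): a, b, c, d, 0x80, then zeros."""
    block = md5_raw(password.encode("utf-8")) + b"\x80" + b"\x00" * 47
    return list(struct.unpack("<16I", block))

def final_block_words(salt_new: bytes, password: str) -> list:
    """Single padded MD5 block for a 16-byte salt; the bit length sits in word 14."""
    msg = salt_new + md5_raw(password.encode("utf-8"))
    block = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", len(msg) * 8)
    return list(struct.unpack("<16I", block))

if __name__ == "__main__":
    # Hash/username pair and password taken from post #12.
    line = to_hex_salt_line("b29a511163a1869c6f15299a35f81875:username")
    print(line)
    print("matches 123456:", check(line, "123456"))
    print([hex(w) for w in inner_words("123456")])
```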
#16
(05-15-2017, 07:23 PM)philsmd Wrote: a, b, c, d, 0x80 and the remaining buffers are all 0 (that should be very obvious if you think about it, it must get shorter if we do not use hex but binary instead, it will be halved i.e. 32/2 = 16).

and I already answered the 2nd question (yeah, all hex conversions must be removed and the binary version/buffer must be used instead):
Quote:these changes need to be done for all places where you find uint_to_hex_lower8 () calls

Thank you philsmd, sorry I didn't read that thoroughly I guess. I've changed it to look like this. Does this look correct?

    /**
     * prepend salt
     */

    switch_buffer_by_offset_le (w0_t, w1_t, w2_t, w3_t, salt_len);

    w3_t[2] = pw_salt_len * 8;
    w3_t[3] = 0;

    w0_t[0] |= a;
    w0_t[1] |= b;
    w0_t[2] |= c;
    w0_t[3] |= d;
    w1_t[0] |= 0x80;
    w1_t[1] |= salt_buf1[1];
    w1_t[2] |= salt_buf1[2];
    w1_t[3] |= salt_buf1[3];
    w2_t[0] |= salt_buf2[0];
    w2_t[1] |= salt_buf2[1];
    w2_t[2] |= salt_buf2[2];
    w2_t[3] |= salt_buf2[3];
    w3_t[0] |= salt_buf3[0];
    w3_t[1] |= salt_buf3[1];
    w3_t[2] |= salt_buf3[2];
    w3_t[3] |= salt_buf3[3];

Thank you again!
#17
Nope, not at all!

I just wrote:
Quote:the remaining buffers are all 0

0 means zero and not something else (like insert the salt buffer etc, I didn't write that).

I can't help you more than that, you need to read carefully and try to understand what others tell you, otherwise it won't work!
#18
(05-15-2017, 07:56 PM)philsmd Wrote: Nope, not at all!

I just wrote:
Quote:the remaining buffers are all 0

0 means zero and not something else (like insert the salt buffer etc, I didn't write that).

I can't help you more than that, you need to read carefully and try to understand what others tell you, otherwise it won't work!

Thanks philsmd - I am trying very hard to understand, but this is my first time looking at code like this, in this language.

I think I got it now, but I was more concerned about whether I was modifying the right lines, not so much the content. I have corrected the rest with 0s and done that in all the spots those lines relating to prepending the salt are in the files. 

I appreciate your assistance and patience.

Edit: I ran a test with two different values using this command line:

c:\hashcat-3.5.0>hashcat64.exe -m 3710 -a 3 -1 ?l?d --hex-salt --gpu-temp-disable --session=all -p: --status --status-timer=5 -w 2 b29a511163a1869c6f15299a35f81875:14c4b06b824ec593239362517f538b29 ?d?d?d?d?d?d

This is the known provided test account from above, passing in the hex md5 hash of the username as the salt. I tried this with my account as well, and neither found the matching password, just all exhausted.

This is a link to my modified a3.cl file. I did clear out the kernels folder as well, prior to running for the first time.

https://pastebin.com/AxLafqGV

Thank you again for the help!
#19
Yeah, I figured that it might be very new to you to read C (or OpenCL code), but I really do not get why you use code like "w0_t[0] |= a;" when it should be just "w0_t[0] = a;" etc... (i.e. replace the "|=" you changed/added to just assignments "=").

Well, hopefully now you got it... otherwise I guess it would be easier for us to implement a new hash type, add host code and kernels for it, test it and ship it (compared to time to answer all these - noob - coding questions and hand holding).
#20
(05-15-2017, 08:27 PM)philsmd Wrote: Yeah, I figured that it might be very new to you to read C (or OpenCL code), but I really do not get why you use code like "w0_t[0] |= a;" when it should be just "w0_t[0] = a;" etc... (i.e. replace the "|=" you changed/added to just assignments "=").

Well, hopefully now you got it... otherwise I guess it would be easier for us to implement a new hash type, add host code and kernels for it, test it and ship it (compared to time to answer all these - noob - coding questions and hand holding).

I may have modified the wrong spot then. The version I started with was hashcat 3.5 for Windows. I uploaded a link to a full copy of one of the files I modified. Sorry, I am definitely in the noob category when it comes to C. I am fluent in C#, Java and VB.NET, but not C. The link to the modified file is below as well.

https://pastebin.com/AxLafqGV

Edit: Yes, I think I see now, I was modifying the wrong section. I will correct after I get back from lunch. You are saying modify the same lines that had the uint_to_hex_lower8. Sorry, again!