Mark E. Haase
2017-12-14 15:39:10 UTC
Hey all,
I have a cookie created by the CodeIgniter web framework[1] that looks
like this (wrapped for readability):
a:4:{s:10:"session_id";s:32:"8a70dfc8e6433b28ff7cf138b6d1d2a5";
s:10:"ip_address";s:12:"XX.XXX.XX.20";
s:10:"user_agent";s:120:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36";
s:13:"last_activity";i:1512923530;}a680075dd6b96d4f44beb9a9731ed722
The cookie contains a serialized PHP object with an MD5 hash appended to
it. The hash is computed as follows:
$hash = md5($obj . $key)
Where `$obj` is the serialized object and `$key` is a secret. This hash is
verified before unserializing the object. I want to try cracking `$key`,
but I am not sure if this is even possible with John the Ripper. I tried
both mask attack and hybrid mask. The former doesn't produce an error but
silently fails to recover the key. The latter produces this error about
exceeding the maximum length for MD5 (wrapped for readability):
$ john --mask='a:4:{s:10:"session_id";s:32:"8a70dfc8e6433b28ff7cf138b6d1d2a5";
s:10:"ip_address";s:12:"XX.XXX.XX.20";
s:10:"user_agent";s:120:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36";
s:13:"last_activity";i:1512923530;}?w'
-w=/usr/share/dict/rockyou.txt --max-length=191 --format=Raw-MD5 hashes
Can't set max length larger than 55 for Raw-MD5 format
My research indicates that 55 is a hard limit for MD5 that cannot be
changed at runtime, and that this limit was chosen for performance reasons.
Is it possible to compile John with a long limit (expecting a major drop in
performance) or is this simply not possible at all?
Cheers,
Mark
1. https://codeigniter.com/
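
An added example, not part of the original post and not CodeIgniter or John the Ripper code: it reproduces the md5($obj . $key) check described above next to an HMAC-SHA256 tag on the same cookie layout, and shows the block arithmetic behind the number 55, which is the longest input that still fits in a single 64-byte MD5 block. All function names, the sample object and the sample key are constructed for illustration.

```python
import hashlib
import hmac

MD5_BLOCK = 64   # MD5 compresses input in 64-byte blocks
MD5_PAD_MIN = 9  # mandatory padding: 0x80 marker byte + 8-byte length field


def md5_blocks(msg_len: int) -> int:
    """Compression-function calls MD5 needs for a msg_len-byte input."""
    return -(-(msg_len + MD5_PAD_MIN) // MD5_BLOCK)  # ceiling division


def verify_legacy(cookie: bytes, key: bytes) -> bool:
    """Check from the post: trailing 32 hex chars == md5($obj . $key)."""
    obj, tag = cookie[:-32], cookie[-32:]
    expected = hashlib.md5(obj + key).hexdigest().encode()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def sign_hmac(obj: bytes, key: bytes) -> bytes:
    """Same cookie layout, but tagged with HMAC-SHA256 (64 hex chars)."""
    return obj + hmac.new(key, obj, hashlib.sha256).hexdigest().encode()


def verify_hmac(cookie: bytes, key: bytes) -> bool:
    """Verify the HMAC tag before the object is handed to any parser."""
    obj, tag = cookie[:-64], cookie[-64:]
    expected = hmac.new(key, obj, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)


# Constructed sample data (not the cookie or the key from the post).
SAMPLE_OBJ = b'a:1:{s:13:"last_activity";i:1512923530;}'
SAMPLE_KEY = b"constructed-demo-key"
LEGACY_COOKIE = SAMPLE_OBJ + hashlib.md5(SAMPLE_OBJ + SAMPLE_KEY).hexdigest().encode()

if __name__ == "__main__":
    # 55 bytes is the last length that fits in one block; 56 needs two.
    print(md5_blocks(55), md5_blocks(56))
    # The signed input is object + key, so a realistic cookie spans several blocks.
    print(md5_blocks(len(SAMPLE_OBJ + SAMPLE_KEY)))
    print(verify_legacy(LEGACY_COOKIE, SAMPLE_KEY))
    print(verify_legacy(LEGACY_COOKIE, b"wrong-key"))
    print(verify_hmac(sign_hmac(SAMPLE_OBJ, SAMPLE_KEY), SAMPLE_KEY))
```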