my $MAX_LEN = 55;
-my @modes = (0, 10, 11, 12, 20, 21, 22, 23, 30, 40, 50, 60, 100, 101, 110, 111, 112, 120, 121, 122, 125, 130, 131, 132, 133, 140, 141, 150, 160, 190, 200, 300, 400, 500, 900, 1000, 1100, 1400, 1410, 1420, 1430, 1440, 1441, 1450, 1460, 1500, 1600, 1700, 1710, 1711, 1720, 1730, 1740, 1722, 1731, 1750, 1760, 1800, 2100, 2400, 2410, 2500, 2600, 2611, 2612, 2711, 2811, 3000, 3100, 3200, 3710, 3711, 3300, 3500, 3610, 3720, 3800, 3910, 4010, 4110, 4210, 4300, 4400, 4500, 4600, 4700, 4800, 4900, 5000, 5100, 5300, 5400, 5500, 5600, 5700, 5800, 6000, 6100, 6300, 6400, 6500, 6600, 6700, 6800, 6900, 7100, 7200, 7300, 7400, 7500, 7600, 7700, 7800, 7900, 8000, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8900, 9100, 9200, 9300, 9400, 9500, 9600, 9700, 9800, 9900, 10000, 10100, 10200, 10300, 10400, 10500, 10600, 10700, 10800, 10900, 11000, 11100, 11200, 11300, 11400, 11500, 11600, 11900, 12000, 12100, 12200, 12300, 12400, 12600, 12700, 12800, 12900, 13000, 13100, 13200, 13300, 13400, 13500, 13600, 13800);
+my @modes = (0, 10, 11, 12, 20, 21, 22, 23, 30, 40, 50, 60, 100, 101, 110, 111, 112, 120, 121, 122, 125, 130, 131, 132, 133, 140, 141, 150, 160, 200, 300, 400, 500, 900, 1000, 1100, 1400, 1410, 1420, 1430, 1440, 1441, 1450, 1460, 1500, 1600, 1700, 1710, 1711, 1720, 1730, 1740, 1722, 1731, 1750, 1760, 1800, 2100, 2400, 2410, 2500, 2600, 2611, 2612, 2711, 2811, 3000, 3100, 3200, 3710, 3711, 3300, 3500, 3610, 3720, 3800, 3910, 4010, 4110, 4210, 4300, 4400, 4500, 4600, 4700, 4800, 4900, 5000, 5100, 5300, 5400, 5500, 5600, 5700, 5800, 6000, 6100, 6300, 6400, 6500, 6600, 6700, 6800, 6900, 7100, 7200, 7300, 7400, 7500, 7600, 7700, 7800, 7900, 8000, 8100, 8200, 8300, 8400, 8500, 8600, 8700, 8900, 9100, 9200, 9300, 9400, 9500, 9600, 9700, 9800, 9900, 10000, 10100, 10200, 10300, 10400, 10500, 10600, 10700, 10800, 10900, 11000, 11100, 11200, 11300, 11400, 11500, 11600, 11900, 12000, 12100, 12200, 12300, 12400, 12600, 12700, 12800, 12900, 13000, 13100, 13200, 13300, 13400, 13500, 13600, 13800);
my %is_unicode = map { $_ => 1 } qw(30 40 130 131 132 133 140 141 1000 1100 1430 1440 1441 1730 1740 1731 5500 5600 8000 9400 9500 9600 9700 9800 11600 13500 13800);
my %less_fifteen = map { $_ => 1 } qw(500 1600 1800 2400 2410 3200 6300 7400 10500 10700);
# remember always do "exists ($db->{$hash_in})" checks as soon as possible and don't forget it
# unsalted
- if ($mode == 0 || $mode == 100 || $mode == 101 || $mode == 133 || $mode == 190 || $mode == 200 || $mode == 300 || $mode == 900 || $mode == 1000 || $mode == 1400 || $mode == 1700 || $mode == 2400 || $mode == 2600 || $mode == 3000 || $mode == 3500 || $mode == 4300 || $mode == 4400 || $mode == 4500 || $mode == 4600 || $mode == 4700 || $mode == 5000 || $mode == 5100 || $mode == 5700 || $mode == 6000 || $mode == 6100 || $mode == 6900 || $mode == 8600 || $mode == 9900 || $mode == 10800 || $mode == 11500)
+ if ($mode == 0 || $mode == 100 || $mode == 101 || $mode == 133 || $mode == 200 || $mode == 300 || $mode == 900 || $mode == 1000 || $mode == 1400 || $mode == 1700 || $mode == 2400 || $mode == 2600 || $mode == 3000 || $mode == 3500 || $mode == 4300 || $mode == 4400 || $mode == 4500 || $mode == 4600 || $mode == 4700 || $mode == 5000 || $mode == 5100 || $mode == 5700 || $mode == 6000 || $mode == 6100 || $mode == 6900 || $mode == 8600 || $mode == 9900 || $mode == 10800 || $mode == 11500)
{
my $index = index ($line, ":");
next unless (exists ($db->{$hash_line}) and (! defined ($db->{$hash_line})));
}
- elsif ($mode == 13100 )
+ elsif ($mode == 13100)
{
($hash_in, $word) = split ":", $line;
next unless (length ($checksum) == 32);
next unless (length ($edata2) >= 64);
- $salt = $user . '$' . $realm . '$' . $spn . '$' . substr ($edata2, 0, 16);
+ $salt = $user . '$' . $realm . '$' . $spn . '$';
+
+ $param = $checksum;
+ $param2 = $edata2;
next unless (exists ($db->{$hash_in}) and (! defined ($db->{$hash_in})));
}
next unless scalar @data == 5;
- shift @data;
-
my $signature = shift @data;
my $version = shift @data;
my $iteration = shift @data;
next unless (length ($mysalt) == 32);
next unless (length ($digest) == 48);
- $salt = $iteration . '*' . $mysalt;
+ $salt = $iteration . '*' . $mysalt;
+ $param = $digest;
next unless (exists ($db->{$hash_in}) and (! defined ($db->{$hash_in})));
}
next unless (length ($keyfile) == $keyfile_len);
}
- $salt = substr ($hash_in, length ("*keepass*") + 1, length ($hash_in));
+ $salt = substr ($hash_in, length ("*keepass*") + 1);
+ $param = 1; # distinguish between encrypting vs decrypting
next unless (exists ($db->{$hash_in}) and (! defined ($db->{$hash_in})));
}
return unless (substr ($line, 0, $len) eq $hash_out);
}
- elsif ($mode == 190)
- {
- $hash_out = gen_hash ($mode, $word, $salt, $iter, 0);
-
- $len = length $hash_out; # == length $alternative
-
- if (substr ($line, 0, $len) ne $hash_out)
- {
- my $alternative = gen_hash ($mode, $word, $salt, $iter, 1);
-
- return unless (substr ($line, 0, $len) eq $alternative);
- }
- }
elsif ($mode == 3300)
{
$hash_out = gen_hash ($mode, $word, $salt, $iter, $param);
}
elsif ($mode == 13100)
{
- $hash_out = gen_hash ($mode, $word, $salt);
+ $hash_out = gen_hash ($mode, $word, $salt, $iter, $param, $param2);
$len = length $hash_out;
}
elsif ($mode == 13200)
{
- $hash_out = gen_hash ($mode, $word, $salt);
+ $hash_out = gen_hash ($mode, $word, $salt, $iter, $param);
$len = length $hash_out;
}
elsif ($mode == 13400)
{
- $hash_out = gen_hash ($mode, $word, $salt);
+ $hash_out = gen_hash ($mode, $word, $salt, $iter, $param);
$len = length $hash_out;
my $tmp_hash;
- if ($mode == 0 || $mode == 100 || $mode == 101 || $mode == 133 || $mode == 190 || $mode == 200 || $mode == 300 || $mode == 600 || $mode == 900 || $mode == 1000 || $mode == 1400 || $mode == 1700 || $mode == 2400 || $mode == 2600 || $mode == 3500 || $mode == 4300 || $mode == 4400 || $mode == 4500 || $mode == 4600 || $mode == 4700 || $mode == 5000 || $mode == 5100 || $mode == 6000 || $mode == 6100 || $mode == 6900 || $mode == 5700 || $mode == 9900 || $mode == 10800 || $mode == 11500 || $mode == 13300)
+ if ($mode == 0 || $mode == 100 || $mode == 101 || $mode == 133 || $mode == 200 || $mode == 300 || $mode == 600 || $mode == 900 || $mode == 1000 || $mode == 1400 || $mode == 1700 || $mode == 2400 || $mode == 2600 || $mode == 3500 || $mode == 4300 || $mode == 4400 || $mode == 4500 || $mode == 4600 || $mode == 4700 || $mode == 5000 || $mode == 5100 || $mode == 6000 || $mode == 6100 || $mode == 6900 || $mode == 5700 || $mode == 9900 || $mode == 10800 || $mode == 11500 || $mode == 13300)
{
$tmp_hash = gen_hash ($mode, $word_buf, "");
}
{
my $mode = $modes[$j];
- if ($mode == 0 || $mode == 100 || $mode == 101 || $mode == 133 || $mode == 190 || $mode == 200 || $mode == 300 || $mode == 600 || $mode == 900 || $mode == 1000 || $mode == 1400 || $mode == 1700 || $mode == 2400 || $mode == 2600 || $mode == 3500 || $mode == 4300 || $mode == 4400 || $mode == 4500 || $mode == 4600 || $mode == 4700 || $mode == 5000 || $mode == 5100 || $mode == 5300 || $mode == 5400 || $mode == 6000 || $mode == 6100 || $mode == 6600 || $mode == 6900 || $mode == 5700 || $mode == 8200 || $mode == 8300 || $mode == 9900 || $mode == 10800 || $mode == 11500 || $mode == 13300)
+ if ($mode == 0 || $mode == 100 || $mode == 101 || $mode == 133 || $mode == 200 || $mode == 300 || $mode == 600 || $mode == 900 || $mode == 1000 || $mode == 1400 || $mode == 1700 || $mode == 2400 || $mode == 2600 || $mode == 3500 || $mode == 4300 || $mode == 4400 || $mode == 4500 || $mode == 4600 || $mode == 4700 || $mode == 5000 || $mode == 5100 || $mode == 5300 || $mode == 5400 || $mode == 6000 || $mode == 6100 || $mode == 6600 || $mode == 6900 || $mode == 5700 || $mode == 8200 || $mode == 8300 || $mode == 9900 || $mode == 10800 || $mode == 11500 || $mode == 13300)
{
for (my $i = 1; $i < 32; $i++)
{
$tmp_hash = sprintf ("%s:%s", $hash_buf, $salt_buf);
}
- elsif ($mode == 190)
- {
- $hash_buf = sha1_hex ($word_buf);
-
- my $variant = int (rand (2));
-
- if (defined ($additional_param))
- {
- $variant = $additional_param;
- }
-
- if ($variant == 1)
- {
- substr ($hash_buf, 0, 5) = "00000";
- }
-
- $tmp_hash = sprintf ("%s", $hash_buf);
- }
elsif ($mode == 200)
{
my $ppr = Authen::Passphrase::MySQL323->new (passphrase => $word_buf);
my $spn = $salt_arr[2];
- my $nonce = $salt_arr[3];
+ my $k = md4 (encode ("UTF-16LE", $word_buf));
+
+ my $k1 = hmac_md5 ("\x02\x00\x00\x00", $k);
my $cleartext_ticket = '6381b03081ada00703050050a00000a11b3019a003020117a1'.
- '12041058e0d77776e8b8e03991f2966939222aa2171b154d594b5242544553542e434f4e5'.
- '44f534f2e434f4da3133011a003020102a10a30081b067472616e6365a40b3009a0030201'.
- '01a1020400a511180f32303136303231353134343735305aa611180f32303136303231353'.
- '134343735305aa711180f32303136303231363030343735305aa811180f32303136303232'.
- '323134343735305a';
+ '12041058e0d77776e8b8e03991f2966939222aa2171b154d594b5242544553542e434f4e5'.
+ '44f534f2e434f4da3133011a003020102a10a30081b067472616e6365a40b3009a0030201'.
+ '01a1020400a511180f32303136303231353134343735305aa611180f32303136303231353'.
+ '134343735305aa711180f32303136303231363030343735305aa811180f32303136303232'.
+ '323134343735305a';
- $cleartext_ticket = $nonce . $cleartext_ticket;
+ my $checksum = "";
- my $k = md4 (encode ("UTF-16LE", $word_buf));
+ if (defined $additional_param)
+ {
+ $checksum = pack ("H*", $additional_param);
+ }
+ else
+ {
+ my $nonce = $salt_arr[3];
- my $k1 = hmac_md5 ("\x02\x00\x00\x00", $k);
+ $cleartext_ticket = $nonce . $cleartext_ticket;
- my $checksum = hmac_md5 (pack ("H*", $cleartext_ticket), $k1);
+ $checksum = hmac_md5 (pack ("H*", $cleartext_ticket), $k1);
+ }
my $k3 = hmac_md5 ($checksum, $k1);
+ my $edata2 = "";
+
+ if (defined $additional_param2)
+ {
+ $edata2 = $additional_param2;
+
+ my $cipher_decrypt = Crypt::RC4->new ($k3);
+
+ my $ticket_decrypt = unpack ("H*", $cipher_decrypt->RC4 (pack ("H*", $edata2)));
+
+ my $check_correct = ((substr ($ticket_decrypt, 16, 4) eq "6381" && substr ($ticket_decrypt, 22, 2) eq "30") ||
+ (substr ($ticket_decrypt, 16, 4) eq "6382")) &&
+ ((substr ($ticket_decrypt, 32, 6) eq "030500") ||
+ (substr ($ticket_decrypt, 32, 8) eq "050307A0"));
+
+ if ($check_correct == 1)
+ {
+ $cleartext_ticket = $ticket_decrypt;
+ }
+ else # validation failed
+ {
+ # fake/wrong ticket (otherwise if we just decrypt/encrypt we end up with false positives all the time)
+ $cleartext_ticket = "0" x (length ($cleartext_ticket) + 16);
+ }
+ }
+
my $cipher = Crypt::RC4->new ($k3);
- my $edata2 = $cipher->RC4 (pack ("H*", $cleartext_ticket));
+ $edata2 = $cipher->RC4 (pack ("H*", $cleartext_ticket));
$tmp_hash = sprintf ('$krb5tgs$23$*%s$%s$%s*$%s$%s', $user, $realm, $spn, unpack ("H*", $checksum), unpack ("H*", $edata2));
}
{
my @salt_arr = split ('\*', $salt_buf);
- my $iteration = $salt_arr[0];
+ my $iteration = $salt_arr[0];
my $mysalt = $salt_arr[1];
$mysalt = pack ("H*", $mysalt);
- my $DEK = randbytes (16);
-
my $iv = "a6a6a6a6a6a6a6a6";
- my $KEK = sha1($word_buf);
+ my $KEK = sha1 ($word_buf);
$KEK = substr ($KEK ^ $mysalt, 0, 16);
my $aes = Crypt::Mode::ECB->new ('AES');
- my @R = ('', substr(pack ("H*",$DEK),0,8), substr(pack ("H*",$DEK),8,16));
-
my $B;
- my $A = pack ("H*", $iv);
+ my $A;
+
+ my @R = ();
+
+ if (defined $additional_param)
+ {
+ $additional_param = pack ("H*", $additional_param);
+
+ $A = substr ($additional_param, 0, 8);
+ $B = 0x00 x 8;
+
+ $R[1] = substr ($additional_param, 8, 8);
+ $R[2] = substr ($additional_param, 16, 8);
+
+ for (my $j = $iteration - 1; $j >= 0; $j--)
+ {
+ $A = substr ($A, 0, 8) ^ pack ("l", (2 * $j + 2));
+
+ $B = $R[2];
+
+ $A = $aes->decrypt ($A . $B . "\x00" x 16, $KEK);
+
+ $R[2] = substr ($A, 8, 16);
+
+ $A = substr ($A, 0, 8) ^ pack ("l", (2 * $j + 1));
+
+ $B = $R[1];
+
+ $A = $aes->decrypt ($A . $B . "\x00" x 16, $KEK);
+
+ $R[1] = substr ($A, 8, 16);
+ }
+
+ # check if valid
+ if (index ($A, "\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6") != 0)
+ {
+ # fake wrong @R and $A values
+
+ @R = ('', "\x00" x 8, "\x00" x 8);
+
+ $A = "\x00" x 16;
+ }
+ }
+ else
+ {
+ my $DEK = randbytes (16);
+
+ @R = ('', substr (pack ("H*", $DEK), 0, 8), substr (pack ("H*", $DEK), 8, 16));
+
+ $A = pack ("H*", $iv);
+ }
for (my $j = 0; $j < $iteration; $j++)
{
{
my @salt_arr = split ('\*', $salt_buf);
- my $version = $salt_arr[0];
+ my $version = $salt_arr[0];
- my $iteration = $salt_arr[1];
+ my $iteration = $salt_arr[1];
- my $algorithm = $salt_arr[2];
+ my $algorithm = $salt_arr[2];
my $final_random_seed = $salt_arr[3];
if ($version == 1)
{
$contents_hash = $salt_arr[6];
+
$contents_hash = pack ("H*", $contents_hash);
$inline_flag = $salt_arr[7];
+
$contents_len = $salt_arr[8];
+
$contents = $salt_arr[9];
+
$contents = pack ("H*", $contents);
# keyfile handling
. "*" . $keyfile_content;
$intermediate_hash = $intermediate_hash . pack ("H*", $keyfile_content);
+
$intermediate_hash = sha256 ($intermediate_hash);
}
}
. "*" . $keyfile_content;
}
+
$intermediate_hash = sha256 ($intermediate_hash);
}
if ($version == 1)
{
- $contents_hash = sha256 ($contents);
+ if (defined $additional_param)
+ {
+ # if we try to verify the crack, we need to decrypt the contents instead of only encrypting it:
+
+ $contents = $cipher->decrypt ($contents);
+
+ # and check the output
+
+ my $contents_hash_old = $contents_hash;
+
+ $contents_hash = sha256 ($contents);
+
+ if ($contents_hash_old ne $contents_hash)
+ {
+ # fake content
+ $contents = "\x00" x length ($contents);
+ }
+ }
+ else
+ {
+ $contents_hash = sha256 ($contents);
+ }
- $contents = $cipher->encrypt($contents);
+ $contents = $cipher->encrypt ($contents);
$tmp_hash = sprintf ('$keepass$*%d*%d*%d*%s*%s*%s*%s*%d*%d*%s%s',
$version,
}
if ($version == 2)
{
- $expected_bytes = $salt_arr[6];
+ $expected_bytes = $salt_arr[6];
$contents_hash = $salt_arr[7];
$contents_hash = pack ("H*", $contents_hash);
- $expected_bytes = $cipher->decrypt($contents_hash);
+ $expected_bytes = $cipher->decrypt ($contents_hash);
$tmp_hash = sprintf ('$keepass$*%d*%d*%d*%s*%s*%s*%s*%s%s',
$version,
my $realm = "realm";
my $spn = "test/spn";
- my $salt_buf = $user . "\$" . $realm . "\$" . $spn . "\$" . unpack ("H*",$nonce);
+ my $salt_buf = $user . "\$" . $realm . "\$" . $spn . "\$" . unpack ("H*", $nonce);
return $salt_buf;
}