From 3ba02f11ea331b9cb3d74774046c673e084727aa Mon Sep 17 00:00:00 2001 From: Michael Kruger Date: Mon, 2 Aug 2021 11:40:14 +0200 Subject: [PATCH] Expect Hex input, removed OPTS_TYPE_PT_ALWAYS_HEXIFY, added benchmark mask. --- OpenCL/m27000-pure.cl | 137 ++++++++++++++++++++--------------- OpenCL/m27100-pure.cl | 142 +++++++++++++++++++++++-------------- src/modules/module_27000.c | 20 +++--- src/modules/module_27100.c | 20 +++--- 4 files changed, 190 insertions(+), 129 deletions(-) diff --git a/OpenCL/m27000-pure.cl b/OpenCL/m27000-pure.cl index a5ce12cff..a35d2e039 100644 --- a/OpenCL/m27000-pure.cl +++ b/OpenCL/m27000-pure.cl @@ -493,6 +493,23 @@ DECLSPEC void transform_netntlmv1_key (const u32 w0, const u32 w1, u32 *out) | ((k[7] & 0xff) << 24); } +#ifdef KERNEL_STATIC +DECLSPEC u8 hex_convert (const u8 c) +{ + return (c & 15) + (c >> 6) * 9; +} + +DECLSPEC u8 hex_to_u8 (const u8 *hex) +{ + u8 v = 0; + + v |= ((u8) hex_convert (hex[1]) << 0); + v |= ((u8) hex_convert (hex[0]) << 4); + + return (v); +} +#endif + typedef struct netntlm { u32 user_len; 
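Review bot: `hex_convert` maps any byte to a value without checking that it is a hex digit, and for bytes such as `g` or `x` the result exceeds 15, so in `hex_to_u8` the low nibble spills into the high one. Nothing visible in this patch restricts candidates to `[0-9a-fA-F]`; `module_pw_min`/`module_pw_max` only pin the length at 32. I would add a comment above the helper, `// caller must pass [0-9a-fA-F]; any other byte decodes to an arbitrary value`, so it is clear that a malformed candidate is tested as some unrelated NT hash rather than skipped. The same two helpers are added verbatim to `OpenCL/m27100-pure.cl` in this commit, and the note applies there too.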
@@ -527,23 +544,52 @@ KERNEL_FQ void m27000_init (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) * salt */ - tmps[gid].digest_buf[0] = pws[gid].i[ 0]; - tmps[gid].digest_buf[1] = pws[gid].i[ 1]; - tmps[gid].digest_buf[2] = pws[gid].i[ 2]; - tmps[gid].digest_buf[3] = pws[gid].i[ 3]; + u32 in[16]; + + in[ 0] = pws[gid].i[ 0]; + in[ 1] = pws[gid].i[ 1]; + in[ 2] = pws[gid].i[ 2]; + in[ 3] = pws[gid].i[ 3]; + in[ 4] = pws[gid].i[ 4]; + in[ 5] = pws[gid].i[ 5]; + in[ 6] = pws[gid].i[ 6]; + in[ 7] = pws[gid].i[ 7]; + + u8 *in_ptr = (u8 *) in; + + u32 out[4]; + + u8 *out_ptr = (u8 *) out; + + for (int i = 0, j = 0; i < 16; i += 1, j += 2) + { + out_ptr[i] = hex_to_u8 (in_ptr + j); + } + + tmps[gid].digest_buf[0] = out[ 0]; + tmps[gid].digest_buf[1] = out[ 1]; + tmps[gid].digest_buf[2] = out[ 2]; + tmps[gid].digest_buf[3] = out[ 3]; } KERNEL_FQ void m27000_loop (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) { - /** +} + +KERNEL_FQ void m27000_comp (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) +{ + /** * modifier */ - const u64 lid = get_local_id (0); const u64 gid = get_global_id (0); + if (gid >= gid_max) return; + + const u64 lid = get_local_id (0); + /** * sbox, kbox */ 
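Review bot: In the new `m27000_comp`, `if (gid >= gid_max) return;` now sits before the `sbox, kbox` section, whereas the removed `_loop` prologue fetched `lid` and `gid` and went straight into that section. The section body is outside the hunk, but if it fills local memory and ends in a work-group barrier, as the `s_SPtrans`/`s_skb` tables used later suggest, work-items that return early never reach the barrier, and OpenCL leaves that undefined. I would keep only `const u64 gid = get_global_id (0);` and `const u64 lid = get_local_id (0);` in the modifier block and do the `gid_max` check after the tables are loaded. The rest of `m27000_comp` continues outside this hunk.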
@@ -598,77 +644,52 @@ KERNEL_FQ void m27000_loop (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) const u32 c = tmps[gid].digest_buf[2]; const u32 d = tmps[gid].digest_buf[3]; - /** - * loop - */ - - for (u32 i = 0; i < loop_cnt; i++) - { - - // if ((d >> 16) != s2) continue; - - /** - * DES1 - */ - - u32 key[2]; - - transform_netntlmv1_key (a, b, key); - - u32 Kc[16]; - u32 Kd[16]; - - _des_crypt_keysetup (key[0], key[1], Kc, Kd, s_skb); + // I believe this matches the last 2 bytes and throws away. + // Taken from 5500. + if ((d >> 16) != s2) return; - u32 data[2]; + /** + * DES1 + */ - data[0] = s0; - data[1] = s1; + u32 key[2]; - u32 out1[2]; + transform_netntlmv1_key (a, b, key); - _des_crypt_encrypt (out1, data, Kc, Kd, s_SPtrans); + u32 Kc[16]; + u32 Kd[16]; - /** - * DES2 - */ + _des_crypt_keysetup (key[0], key[1], Kc, Kd, s_skb); - transform_netntlmv1_key (((b >> 24) | (c << 8)), ((c >> 24) | (d << 8)), key); + u32 data[2]; - _des_crypt_keysetup (key[0], key[1], Kc, Kd, s_skb); + data[0] = s0; + data[1] = s1; - u32 out2[2]; + u32 out1[2]; - _des_crypt_encrypt (out2, data, Kc, Kd, s_SPtrans); + _des_crypt_encrypt (out1, data, Kc, Kd, s_SPtrans); + /** + * DES2 + */ - tmps[gid].digest_buf[0] = out1[0]; - tmps[gid].digest_buf[1] = out1[1]; - tmps[gid].digest_buf[2] = out2[0]; - tmps[gid].digest_buf[3] = out2[1]; - } -} + transform_netntlmv1_key (((b >> 24) | (c << 8)), ((c >> 24) | (d << 8)), key); -KERNEL_FQ void m27000_comp (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) -{ - /** - * modifier - */ - - const u64 gid = get_global_id (0); + _des_crypt_keysetup (key[0], key[1], Kc, Kd, s_skb); - if (gid >= gid_max) return; + u32 out2[2]; - const u64 lid = get_local_id (0); + _des_crypt_encrypt (out2, data, Kc, Kd, s_SPtrans); /** * digest */ - const u32 r0 = tmps[gid].digest_buf[0]; - const u32 r1 = tmps[gid].digest_buf[1]; - const u32 r2 = tmps[gid].digest_buf[2]; - const u32 r3 = tmps[gid].digest_buf[3]; + const u32 r0 = out1[0]; + const u32 r1 = out1[1]; + 
const u32 r2 = out2[0]; + const u32 r3 = out2[1]; #define il_pos 0 diff --git a/OpenCL/m27100-pure.cl b/OpenCL/m27100-pure.cl index 7259c2973..d34355187 100644 --- a/OpenCL/m27100-pure.cl +++ b/OpenCL/m27100-pure.cl @@ -20,6 +20,23 @@ #define COMPARE_S "inc_comp_single.cl" #define COMPARE_M "inc_comp_multi.cl" +#ifdef KERNEL_STATIC +DECLSPEC u8 hex_convert (const u8 c) +{ + return (c & 15) + (c >> 6) * 9; +} + +DECLSPEC u8 hex_to_u8 (const u8 *hex) +{ + u8 v = 0; + + v |= ((u8) hex_convert (hex[1]) << 0); + v |= ((u8) hex_convert (hex[0]) << 4); + + return (v); +} +#endif + typedef struct netntlm { u32 user_len; @@ -54,19 +71,54 @@ KERNEL_FQ void m27100_init (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) * base */ - tmps[gid].digest_buf[0] = pws[gid].i[ 0]; - tmps[gid].digest_buf[1] = pws[gid].i[ 1]; - tmps[gid].digest_buf[2] = pws[gid].i[ 2]; - tmps[gid].digest_buf[3] = pws[gid].i[ 3]; + u32 in[16]; + + in[ 0] = pws[gid].i[ 0]; + in[ 1] = pws[gid].i[ 1]; + in[ 2] = pws[gid].i[ 2]; + in[ 3] = pws[gid].i[ 3]; + in[ 4] = pws[gid].i[ 4]; + in[ 5] = pws[gid].i[ 5]; + in[ 6] = pws[gid].i[ 6]; + in[ 7] = pws[gid].i[ 7]; + + u8 *in_ptr = (u8 *) in; + + u32 out[4]; + + u8 *out_ptr = (u8 *) out; + + for (int i = 0, j = 0; i < 16; i += 1, j += 2) + { + out_ptr[i] = hex_to_u8 (in_ptr + j); + } + + tmps[gid].digest_buf[0] = out[ 0]; + tmps[gid].digest_buf[1] = out[ 1]; + tmps[gid].digest_buf[2] = out[ 2]; + tmps[gid].digest_buf[3] = out[ 3]; + } KERNEL_FQ void m27100_loop (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) { - const u64 lid = get_local_id (0); + +} + +KERNEL_FQ void m27100_comp (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) +{ + /** + * modifier + */ + const u64 gid = get_global_id (0); + if (gid >= gid_max) return; + + const u64 lid = get_local_id (0); + u32 w0[4]; u32 w1[4]; u32 w2[4]; 
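Review bot: The comment added above `if ((d >> 16) != s2) return;` reads "I believe this matches the last 2 bytes and throws away", which leaves a maintainer unsure what the filter guarantees. `s2` is assigned outside the hunk, so this is inferred, but if it holds the two NT-hash bytes recovered for the third DES key, the comment should say so directly, e.g. `// reject candidates whose last two NT-hash bytes differ from s2 - TODO confirm where s2 is set`. The comment should also state that the early return skips both DES operations and the comparison below, so a mismatching candidate is never compared.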
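Review bot: `u32 in[16]` in `m27100_init` reserves sixteen words, but only `in[0]` to `in[7]` are written and the decode loop reads exactly those 32 bytes, so the upper half is unused and uninitialised. Declaring `u32 in[8];` states the real bound and makes an accidental change of the loop limit easier to spot. A short comment above the loop, `// 32 hex chars in pws[gid].i -> 16 raw NT-hash bytes`, would document why eight words are copied where the old code copied four. The identical block added to `m27000_init` in `OpenCL/m27000-pure.cl` has the same oversized array.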
@@ -88,70 +140,54 @@ KERNEL_FQ void m27100_loop (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) w3[1] = 0; w3[2] = 0; w3[3] = 0; - - for (u32 i = 0; i < loop_cnt; i++) - { - md5_hmac_ctx_t ctx0; + md5_hmac_ctx_t ctx0; - md5_hmac_init_64 (&ctx0, w0, w1, w2, w3); + md5_hmac_init_64 (&ctx0, w0, w1, w2, w3); - md5_hmac_update_global (&ctx0, esalt_bufs[DIGESTS_OFFSET].userdomain_buf, esalt_bufs[DIGESTS_OFFSET].user_len + esalt_bufs[DIGESTS_OFFSET].domain_len); + md5_hmac_update_global (&ctx0, esalt_bufs[DIGESTS_OFFSET].userdomain_buf, esalt_bufs[DIGESTS_OFFSET].user_len + esalt_bufs[DIGESTS_OFFSET].domain_len); - md5_hmac_final (&ctx0); + md5_hmac_final (&ctx0); - w0[0] = ctx0.opad.h[0]; - w0[1] = ctx0.opad.h[1]; - w0[2] = ctx0.opad.h[2]; - w0[3] = ctx0.opad.h[3]; - w1[0] = 0; - w1[1] = 0; - w1[2] = 0; - w1[3] = 0; - w2[0] = 0; - w2[1] = 0; - w2[2] = 0; - w2[3] = 0; - w3[0] = 0; - w3[1] = 0; - w3[2] = 0; - w3[3] = 0; - - md5_hmac_ctx_t ctx; - - md5_hmac_init_64 (&ctx, w0, w1, w2, w3); - - md5_hmac_update_global (&ctx, esalt_bufs[DIGESTS_OFFSET].chall_buf, esalt_bufs[DIGESTS_OFFSET].srvchall_len + esalt_bufs[DIGESTS_OFFSET].clichall_len); + w0[0] = ctx0.opad.h[0]; + w0[1] = ctx0.opad.h[1]; + w0[2] = ctx0.opad.h[2]; + w0[3] = ctx0.opad.h[3]; + w1[0] = 0; + w1[1] = 0; + w1[2] = 0; + w1[3] = 0; + w2[0] = 0; + w2[1] = 0; + w2[2] = 0; + w2[3] = 0; + w3[0] = 0; + w3[1] = 0; + w3[2] = 0; + w3[3] = 0; - md5_hmac_final (&ctx); + md5_hmac_ctx_t ctx; - tmps[gid].digest_buf[0] = ctx.opad.h[0]; - tmps[gid].digest_buf[1] = ctx.opad.h[1]; - tmps[gid].digest_buf[2] = ctx.opad.h[2]; - tmps[gid].digest_buf[3] = ctx.opad.h[3]; - } -} + md5_hmac_init_64 (&ctx, w0, w1, w2, w3); -KERNEL_FQ void m27100_comp (KERN_ATTR_TMPS_ESALT (netntlm_tmp_t, netntlm_t)) -{ - /** - * modifier - */ + md5_hmac_update_global (&ctx, esalt_bufs[DIGESTS_OFFSET].chall_buf, esalt_bufs[DIGESTS_OFFSET].srvchall_len + esalt_bufs[DIGESTS_OFFSET].clichall_len); - const u64 gid = get_global_id (0); + md5_hmac_final 
(&ctx); - if (gid >= gid_max) return; + tmps[gid].digest_buf[0] = ctx.opad.h[0]; + tmps[gid].digest_buf[1] = ctx.opad.h[1]; + tmps[gid].digest_buf[2] = ctx.opad.h[2]; + tmps[gid].digest_buf[3] = ctx.opad.h[3]; - const u64 lid = get_local_id (0); /** * digest */ - const u32 r0 = tmps[gid].digest_buf[DGST_R0]; - const u32 r1 = tmps[gid].digest_buf[DGST_R1]; - const u32 r2 = tmps[gid].digest_buf[DGST_R2]; - const u32 r3 = tmps[gid].digest_buf[DGST_R3]; + const u32 r0 = ctx.opad.h[DGST_R0]; + const u32 r1 = ctx.opad.h[DGST_R1]; + const u32 r2 = ctx.opad.h[DGST_R2]; + const u32 r3 = ctx.opad.h[DGST_R3]; #define il_pos 0 diff --git a/src/modules/module_27000.c b/src/modules/module_27000.c index 01c5d045c..3dc44335d 100644 --- a/src/modules/module_27000.c +++ b/src/modules/module_27000.c @@ -26,10 +26,9 @@ static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE | OPTS_TYPE_PT_ADD80 | OPTS_TYPE_PT_ADDBITS14 | OPTS_TYPE_PT_UTF16LE - | OPTS_TYPE_ST_HEX - | OPTS_TYPE_PT_ALWAYS_HEXIFY; + | OPTS_TYPE_ST_HEX; static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED; -static const char *ST_PASS = "\xb4\xb9\xb0\x2e\x6f\x09\xa9\xbd\x76\x0f\x38\x8b\x67\x35\x1e\x2b"; +static const char *ST_PASS = "b4b9b02e6f09a9bd760f388b67351e2b"; static const char *ST_HASH = "::5V4T:ada06359242920a500000000000000000000000000000000:0556d5297b5daa70eaffde82ef99293a3f3bb59b7c9704ea:9c23f6c094853920"; typedef struct netntlm @@ -334,9 +333,6 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_buf[0] = rotl32 (salt->salt_buf[0], 3); salt->salt_buf[1] = rotl32 (salt->salt_buf[1], 3); - // Why my _loop wasnt being called and what was causing me such confusion :D - salt->salt_iter = 1; - return (PARSER_OK); } 
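Review bot: The four stores `tmps[gid].digest_buf[n] = ctx.opad.h[n];` kept in `m27100_comp` look like leftovers from the old `_loop`. `r0` to `r3` are now taken from `ctx.opad.h` directly, so these writes to global memory are not read again in the visible code. They also overwrite the decoded NT hash that `_init` stored in `digest_buf`, which would matter if `_comp` ever ran twice for the same `gid`. I would delete the four assignments and keep only the `r0` to `r3` reads. The start of `m27100_comp` and the initial `w0` to `w3` setup are outside this hunk.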
@@ -420,18 +416,24 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 module_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { - const u32 pw_max = 16; // Length of a NT hash + const u32 pw_max = 32; // Length of a NT hash return pw_max; } u32 module_pw_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { - const u32 pw_min = 16; // Length of a NT hash + const u32 pw_min = 32; // Length of a NT hash return pw_min; } +const char *module_benchmark_mask (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) +{ + const char *mask = "?a?a?a?a?a?a?a?axxxxxxxxxxxxxxxx"; + return mask; +} + void module_init (module_ctx_t *module_ctx) { module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT; @@ -440,7 +442,7 @@ void module_init (module_ctx_t *module_ctx) module_ctx->module_attack_exec = module_attack_exec; module_ctx->module_benchmark_esalt = MODULE_DEFAULT; module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT; - module_ctx->module_benchmark_mask = MODULE_DEFAULT; + module_ctx->module_benchmark_mask = module_benchmark_mask; module_ctx->module_benchmark_salt = MODULE_DEFAULT; module_ctx->module_build_plain_postprocess = MODULE_DEFAULT; module_ctx->module_deep_comp_kernel = MODULE_DEFAULT; diff --git a/src/modules/module_27100.c b/src/modules/module_27100.c index 985a43755..715f936ea 100644 --- a/src/modules/module_27100.c +++ b/src/modules/module_27100.c 
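Review bot: The benchmark mask `?a?a?a?a?a?a?a?axxxxxxxxxxxxxxxx` does not describe a 32-character hex string. It appears to expand to 24 characters (eight `?a` positions plus sixteen literal `x`), and both `?a` and `x` fall outside `[0-9a-f]`, while `pw_min` and `pw_max` are now 32 and the kernel hex-decodes 32 bytes. A mask built from the hex charset would match what the kernel expects, for example `const char *mask = "?h?h?h?h?h?h?h?h000000000000000000000000";` (eight `?h` plus 24 fixed digits). The `// Length of a NT hash` comments are also stale, since 32 is the hex-encoded length; `// hex-encoded NT hash: 16 bytes -> 32 chars` would be accurate. `src/modules/module_27100.c` receives the same mask and comments in this commit.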
@@ -26,10 +26,9 @@ static const u64 OPTS_TYPE = OPTS_TYPE_PT_GENERATE_LE | OPTS_TYPE_PT_ADD80 | OPTS_TYPE_PT_ADDBITS14 | OPTS_TYPE_PT_UTF16LE - | OPTS_TYPE_ST_HEX - | OPTS_TYPE_PT_ALWAYS_HEXIFY; + | OPTS_TYPE_ST_HEX; static const u32 SALT_TYPE = SALT_TYPE_EMBEDDED; -static const char *ST_PASS = "\xb4\xb9\xb0\x2e\x6f\x09\xa9\xbd\x76\x0f\x38\x8b\x67\x35\x1e\x2b"; +static const char *ST_PASS = "b4b9b02e6f09a9bd760f388b67351e2b"; static const char *ST_HASH = "0UL5G37JOI0SX::6VB1IS0KA74:ebe1afa18b7fbfa6:aab8bf8675658dd2a939458a1077ba08:010100000000000031c8aa092510945398b9f7b7dde1a9fb00000000f7876f2b04b700"; typedef struct netntlm @@ -241,9 +240,6 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE salt->salt_len = 16; - // Why my _loop wasnt being called and what was causing me such confusion :D - salt->salt_iter = 1; - return (PARSER_OK); } @@ -316,18 +312,24 @@ int module_hash_encode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE u32 module_pw_max (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { - const u32 pw_max = 16; // Length of a NT hash + const u32 pw_max = 32; // Length of a NT hash return pw_max; } u32 module_pw_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { - const u32 pw_min = 16; // Length of a NT hash + const u32 pw_min = 32; // Length of a NT hash return pw_min; } +const char *module_benchmark_mask (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) +{ + const char *mask = "?a?a?a?a?a?a?a?axxxxxxxxxxxxxxxx"; + return mask; +} + void module_init (module_ctx_t *module_ctx) { module_ctx->module_context_size = MODULE_CONTEXT_SIZE_CURRENT; 
@@ -336,7 +338,7 @@ void module_init (module_ctx_t *module_ctx) module_ctx->module_attack_exec = module_attack_exec; module_ctx->module_benchmark_esalt = MODULE_DEFAULT; module_ctx->module_benchmark_hook_salt = MODULE_DEFAULT; - module_ctx->module_benchmark_mask = MODULE_DEFAULT; + module_ctx->module_benchmark_mask = module_benchmark_mask; module_ctx->module_benchmark_salt = MODULE_DEFAULT; module_ctx->module_build_plain_postprocess = MODULE_DEFAULT; module_ctx->module_deep_comp_kernel = MODULE_DEFAULT;