From d62fa617fb2e2517dcbbceedfa3949de86d053b8 Mon Sep 17 00:00:00 2001
From: Gabriele Gristina <matrix@users.noreply.github.com>
Date: Mon, 26 Jul 2021 22:45:02 +0200
Subject: [PATCH] fix to crack real hashes

---
 OpenCL/m26700-pure.cl        |  6 +++---
 src/modules/module_26700.c   | 29 ++++++++++++++++++-----------
 tools/test_modules/m26700.pm |  6 +++---
 3 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/OpenCL/m26700-pure.cl b/OpenCL/m26700-pure.cl
index 6c8f029b3..8a5a04325 100644
--- a/OpenCL/m26700-pure.cl
+++ b/OpenCL/m26700-pure.cl
@@ -18,7 +18,7 @@
 #define COMPARE_M "inc_comp_multi.cl"
 
 #define SNMPV3_SALT_MAX             1500
-#define SNMPV3_ENGINEID_MAX         32
+#define SNMPV3_ENGINEID_MAX         34
 #define SNMPV3_MSG_AUTH_PARAMS_MAX  16
 #define SNMPV3_ROUNDS               1048576
 #define SNMPV3_MAX_PW_LENGTH        64
@@ -158,10 +158,10 @@ KERNEL_FQ void m26700_loop (KERN_ATTR_TMPS_ESALT (hmac_sha224_tmp_t, snmpv3_t))
   #define SNMPV3_TMP_ELEMS_OPT 1024 // 1024 = (64 max pw length * 64) / sizeof (u32)
                                     // for pw length > 64 we use global memory reads
 
-  u32 tmp[SNMPV3_TMP_ELEMS_OPT];
-
   if (pw_len < 64)
   {
+    u32 tmp[SNMPV3_TMP_ELEMS_OPT];
+
     for (int i = 0; i < pw_len64 / 4; i++)
     {
       tmp[i] = tmps[gid].tmp[i];
diff --git a/src/modules/module_26700.c b/src/modules/module_26700.c
index 15da3a60d..c64f269cf 100644
--- a/src/modules/module_26700.c
+++ b/src/modules/module_26700.c
@@ -24,8 +24,8 @@ static const u64   KERN_TYPE      = 26700;
 static const u32   OPTI_TYPE      = OPTI_TYPE_ZERO_BYTE;
 static const u64   OPTS_TYPE      = OPTS_TYPE_PT_GENERATE_LE;
 static const u32   SALT_TYPE      = SALT_TYPE_EMBEDDED;
-static const char *ST_PASS        = "hashcat";
-static const char *ST_HASH        = "$SNMPv3$3$93139992$221741464175523704413635982825760096118979556553098267101930601704853783146704303603164898517490303649758413279881023268227639264274559738208032094697403441579675568418814746064423158072029964334558571907882883041105245436623239742039483870313304031171307046174561938247029298397351679655253476035738973220651902635644891207741346383906360172060617958001549207150418505701978225626879116088671275359841611906258964723020692629233701447389366763685772212471681367034365005843875040967496437639996409692554570118676609568987002911124689769902674963799843406930141309408517459025165858554235820857416473466773963181853809212740450911140184957236422993171860303971025966646341351680880393147830452957802708608458538439866404321876100995381875117293904251031322241811475664324823327065168205689694742596451920374170034310748505203093091474865128628752667403895211365282260392475024320221767588855410235114859725219681974195474606697679001625416351117081484601569226697700302476076379$1759ce$cb8436f8e5b49d52a60d0ee076a79a97";
+static const char *ST_PASS        = "hashcat1";
+static const char *ST_HASH        = "$SNMPv3$3$45889431$308197020103301102047aa1a79e020300ffe30401010201030440303e041180001f88808106d566db57fd600000000002011002020118040e6d61747269785f5348412d3232340410000000000000000000000000000000000400303d041180001f88808106d566db57fd60000000000400a2260204272f76620201000201003018301606082b06010201010200060a2b06010401bf0803020a$80001f88808106d566db57fd6000000000$2f7a3891dd2e27d3f567e4d6d0257962";
 
 u32         module_attack_exec    (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return ATTACK_EXEC;     }
 u32         module_dgst_pos0      (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra) { return DGST_POS0;       }
@@ -45,8 +45,8 @@ const char *module_st_pass        (MAYBE_UNUSED const hashconfig_t *hashconfig,
 static const char *SIGNATURE_SNMPV3 = "$SNMPv3$3$";
 
 #define SNMPV3_SALT_MAX             1500
-#define SNMPV3_ENGINEID_MAX         32
-#define SNMPV3_MSG_AUTH_PARAMS_MAX  16
+#define SNMPV3_ENGINEID_MAX         34
+#define SNMPV3_MSG_AUTH_PARAMS_LEN  16
 #define SNMPV3_ROUNDS               1048576
 #define SNMPV3_MAX_PW_LENGTH        64
 
@@ -76,6 +76,13 @@ typedef struct snmpv3
 
 } snmpv3_t;
 
+u32 module_pw_min (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
+{
+  const u32 pw_min = 8;
+
+  return pw_min;
+}
+
 u64 module_esalt_size (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSED const user_options_t *user_options, MAYBE_UNUSED const user_options_extra_t *user_options_extra)
 {
   const u64 esalt_size = (const u64) sizeof (snmpv3_t);
@@ -130,23 +137,23 @@ int module_hash_decode (MAYBE_UNUSED const hashconfig_t *hashconfig, MAYBE_UNUSE
   token.attr[1]    = TOKEN_ATTR_VERIFY_LENGTH
                    | TOKEN_ATTR_VERIFY_DIGIT;
   // salt
-  token.len_min[2] = 16 * 2;
+  token.len_min[2] = SNMPV3_MSG_AUTH_PARAMS_LEN * 2;
   token.len_max[2] = SNMPV3_SALT_MAX * 2;
   token.sep[2]     = '$';
   token.attr[2]    = TOKEN_ATTR_VERIFY_LENGTH
                    | TOKEN_ATTR_VERIFY_HEX;
 
   // engineid
-  token.len_min[3] = 5;
+  token.len_min[3] = 26;
   token.len_max[3] = SNMPV3_ENGINEID_MAX;
   token.sep[3]     = '$';
-  token.attr[3]    = TOKEN_ATTR_VERIFY_LENGTH;
+  token.attr[3]    = TOKEN_ATTR_VERIFY_LENGTH
+                   | TOKEN_ATTR_VERIFY_HEX;
 
   // digest
-  token.len_min[4] = SNMPV3_MSG_AUTH_PARAMS_MAX * 2;
-  token.len_max[4] = SNMPV3_MSG_AUTH_PARAMS_MAX * 2;
+  token.len[4]     = SNMPV3_MSG_AUTH_PARAMS_LEN * 2;
   token.sep[4]     = '$';
-  token.attr[4]    = TOKEN_ATTR_VERIFY_LENGTH
+  token.attr[4]    = TOKEN_ATTR_FIXED_LENGTH
                    | TOKEN_ATTR_VERIFY_HEX;
 
   const int rc_tokenizer = input_tokenizer ((const u8 *) line_buf, line_len, &token);
@@ -316,7 +323,7 @@ void module_init (module_ctx_t *module_ctx)
   module_ctx->module_potfile_keep_all_hashes  = MODULE_DEFAULT;
   module_ctx->module_pwdump_column            = MODULE_DEFAULT;
   module_ctx->module_pw_max                   = MODULE_DEFAULT;
-  module_ctx->module_pw_min                   = MODULE_DEFAULT;
+  module_ctx->module_pw_min                   = module_pw_min;
   module_ctx->module_salt_max                 = MODULE_DEFAULT;
   module_ctx->module_salt_min                 = MODULE_DEFAULT;
   module_ctx->module_salt_type                = module_salt_type;
diff --git a/tools/test_modules/m26700.pm b/tools/test_modules/m26700.pm
index 4d77179f1..a97bc246e 100644
--- a/tools/test_modules/m26700.pm
+++ b/tools/test_modules/m26700.pm
@@ -11,14 +11,14 @@ use warnings;
 use Digest::SHA qw (sha224 sha224_hex);
 use Digest::HMAC qw (hmac hmac_hex);
 
-sub module_constraints { [[1, 256], [32, 3000], [-1, -1], [-1, -1], [-1, -1]] }
+sub module_constraints { [[8, 256], [32, 3000], [-1, -1], [-1, -1], [-1, -1]] }
 
 sub module_generate_hash
 {
   my $word = shift;
   my $salt = shift;
-  my $pkt_num = shift // int(rand(99999999));
-  my $engineID = shift // random_hex_string(6);
+  my $pkt_num = shift // int(rand(100000000));
+  my $engineID = shift // random_hex_string(26, 34);
 
   # make even if needed