john
john copied to clipboard
openwall
Support Apache Shiro and slapd Argon2 hash encodings
https://shiro.apache.org/cryptography-features.html uses Argon2id hashes, but encodes them subtly differently. Test vectors from CMIYC 2024 cracks:
$shiro2$argon2id$v=19$t=1,m=65536,p=4$z0RJt6Ddj3RwojqdC7ldPw$GlQ2aON2k6zNEIAVUgxounobxAFbpPXh8dQkPFUvexM
$shiro2$argon2id$v=19$t=1,m=65536,p=4$2IbMDqCmh/5RI5sVZzMdUw$fwqL7fb+UY2MDL2r4QXGGExJwK05yxolYjnY1xlFje0
were after a sed crackable by our argon2-opencl like this:
$argon2id$v=19$m=65536,t=1,p=4$z0RJt6Ddj3RwojqdC7ldPw$GlQ2aON2k6zNEIAVUgxounobxAFbpPXh8dQkPFUvexM:Aditya@2011
$argon2id$v=19$m=65536,t=1,p=4$2IbMDqCmh/5RI5sVZzMdUw$fwqL7fb+UY2MDL2r4QXGGExJwK05yxolYjnY1xlFje0:Aarush@01
We could want to add a split() or prepare() to remove the $shiro2 and put m and t in the canonical order. Alternatively, for the latter we could patch upstream Argon2 code not to insist on the order, but then there would be more than one representation of the same hash in john.pot, which is undesirable.
While at it, we could also want to support the {ARGON2} prefix used by slappw-argon2 - Argon2 password module to slapd: https://man.archlinux.org/man/core/openldap/slappw-argon2.5.en
Both userPassword LDAP attributes below encode the password 'secret' using different salts:
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHQ$DKlexoEJUoZTmkAAC3SaMWk30El9/RvVhlqGo6afIng
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0$qOCkx9nMeFlaGOO4DUmPDgrlUbgMMuO9T1+vQCFuyzw
see https://github.com/fin3ss3g0d/Shiro1Tools & https://github.com/hashcat/hashcat/blob/master/src/modules/module_12150.c
