1 /*
2 * MS Office 97-2003 cracker patch for JtR. Hacked together during May of
3 * 2012 by Dhiru Kholia <dhiru.kholia at gmail.com>.
4 *
5 * This software is Copyright (c) 2012, Dhiru Kholia <dhiru.kholia at gmail.com>
6 * Copyright (c) 2014, magnum
7 * Copyright (c) 2009, David Leblanc (http://offcrypto.codeplex.com/)
8 *
9 * License: Microsoft Public License (MS-PL)
10 */
11
12 #if FMT_EXTERNS_H
13 extern struct fmt_main fmt_oldoffice;
14 #elif FMT_REGISTERS_H
15 john_register_one(&fmt_oldoffice);
16 #else
17
18 #include <stdint.h>
19 #include <string.h>
20
21 #ifdef _OPENMP
22 #include <omp.h>
23 #endif
24
25 #include "md5.h"
26 #include "rc4.h"
27 #include "sha.h"
28 #include "arch.h"
29 #include "misc.h"
30 #include "common.h"
31 #include "formats.h"
32 #include "params.h"
33 #include "options.h"
34 #include "unicode.h"
35 #include "dyna_salt.h"
36
37 #define FORMAT_LABEL "oldoffice"
38 #define FORMAT_NAME "MS Office <= 2003"
39 #define ALGORITHM_NAME "MD5/SHA1 RC4 32/" ARCH_BITS_STR
40 #define BENCHMARK_COMMENT ""
41 #define BENCHMARK_LENGTH 7
42 #define PLAINTEXT_LENGTH 64
43 #define BINARY_SIZE 0
44 #define BINARY_ALIGN MEM_ALIGN_NONE
45 #define SALT_SIZE sizeof(dyna_salt*)
46 #define SALT_ALIGN MEM_ALIGN_WORD
47 #define MIN_KEYS_PER_CRYPT 1
48 #define MAX_KEYS_PER_CRYPT 64
49
50 #ifndef OMP_SCALE
51 #define OMP_SCALE 8 // Tuned w/ MKPC for core i7
52 #endif
53
54 #define CIPHERTEXT_LENGTH (TAG_LEN + 120)
55 #define FORMAT_TAG "$oldoffice$"
56 #define TAG_LEN (sizeof(FORMAT_TAG) - 1)
57
58 static struct fmt_tests oo_tests[] = {
59 {"$oldoffice$1*de17a7f3c3ff03a39937ba9666d6e952*2374d5b6ce7449f57c9f252f9f9b53d2*e60e1185f7aecedba262f869c0236f81", "test"},
60 {"$oldoffice$0*e40b4fdade5be6be329c4238e2099b8a*259590322b55f7a3c38cb96b5864e72d*2e6516bfaf981770fe6819a34998295d", "123456789012345"},
61 {"$oldoffice$4*163ae8c43577b94902f58d0106b29205*87deff24175c2414cb1b2abdd30855a3*4182446a527fe4648dffa792d55ae7a15edfc4fb", "Google123"},
62 /* Meet-in-the-middle candidate produced with hashcat -m9710 */
63 /* Real pw is "hashcat", one collision is "zvDtu!" */
64 {"", "zvDtu!", {"", "$oldoffice$1*d6aabb63363188b9b73a88efb9c9152e*afbbb9254764273f8f4fad9a5d82981f*6f09fd2eafc4ade522b5f2bee0eaf66d","f2ab1219ae"} },
65 #if PLAINTEXT_LENGTH >= 24
66 /* 2003-RC4-40bit-MS-Base-Crypto-1.0_myhovercraftisfullofeels_.doc */
67 {"$oldoffice$3*9f32522fe9bcb69b12f39d3c24b39b2f*fac8b91a8a578468ae7001df4947558f*f2e267a5bea45736b52d6d1051eca1b935eabf3a", "myhovercraftisfullofeels"},
68 /* Test-RC4-40bit-MS-Base-DSS_myhovercraftisfullofeels_.doc */
69 {"$oldoffice$3*095b777a73a10fb6bcd3e48d50f8f8c5*36902daab0d0f38f587a84b24bd40dce*25db453f79e8cbe4da1844822b88f6ce18a5edd2", "myhovercraftisfullofeels"},
70 /* 2003-RC4-40bit-MS-Base-DH-SChan_myhovercraftisfullofeels_.doc */
71 {"$oldoffice$3*284bc91cb64bc847a7a44bc7bf34fb69*1f8c589c6fcbd43c42b2bc6fff4fd12b*2bc7d8e866c9ea40526d3c0a59e2d37d8ded3550", "myhovercraftisfullofeels"},
72 /* Test-RC4-128bit-MS-Strong-Crypto_myhovercraftisfullofeels_.doc */
73 {"$oldoffice$4*a58b39c30a06832ee664c1db48d17304*986a45cc9e17e062f05ceec37ec0db17*fe0c130ef374088f3fec1979aed4d67459a6eb9a", "myhovercraftisfullofeels"},
74 /* 2003-RC4-40bit-MS-Base-1.0_myhovercraftisfullofeels_.xls */
75 {"$oldoffice$3*f426041b2eba9745d30c7949801f7d3a*888b34927e5f31e2703cc4ce86a6fd78*ff66200812fd06c1ba43ec2be9f3390addb20096", "myhovercraftisfullofeels"},
76 #endif
77 /* the following hash was extracted from Proc2356.ppt (manually + by oldoffice2john.py */
78 {"$oldoffice$3*DB575DDA2E450AB3DFDF77A2E9B3D4C7*AB183C4C8B5E5DD7B9F3AF8AE5FFF31A*B63594447FAE7D4945D2DAFD113FD8C9F6191BF5", "crypto"},
79 {"$oldoffice$3*3fbf56a18b026e25815cbea85a16036c*216562ea03b4165b54cfaabe89d36596*91308b40297b7ce31af2e8c57c6407994b205590", "openwall"},
80 {NULL}
81 };
82
83 /* Password encoded in UCS-2 */
84 static UTF16 (*saved_key)[PLAINTEXT_LENGTH + 1];
85 /* UCS-2 password length, in octets */
86 static int *saved_len;
87 /* Last hash with this salt and plain */
88 static unsigned char (*mitm_key)[16];
89 static unsigned char (*rc4_key)[16];
90 static int any_cracked, *cracked;
91 static size_t cracked_size;
92 static int new_keys;
93
94 typedef struct {
95 dyna_salt dsalt;
96 int type;
97 unsigned char salt[16];
98 unsigned char verifier[16]; /* or encryptedVerifier */
99 unsigned char verifierHash[20]; /* or encryptedVerifierHash */
100 unsigned int has_mitm;
101 unsigned char mitm[5]; /* Meet-in-the-middle hint, if we have one */
102 } custom_salt;
103
104 static struct {
105 int ct_hash;
106 unsigned char mitm[10];
107 } mitm_catcher;
108
109 static custom_salt cs;
110 static custom_salt *cur_salt = &cs;
111
init(struct fmt_main * self)112 static void init(struct fmt_main *self)
113 {
114 omp_autotune(self, OMP_SCALE);
115
116 if (options.target_enc == UTF_8)
117 self->params.plaintext_length = 3 * PLAINTEXT_LENGTH > 125 ?
118 125 : 3 * PLAINTEXT_LENGTH;
119 saved_key = mem_alloc(self->params.max_keys_per_crypt *
120 sizeof(*saved_key));
121 saved_len = mem_alloc(self->params.max_keys_per_crypt *
122 sizeof(*saved_len));
123 mitm_key = mem_alloc(self->params.max_keys_per_crypt *
124 sizeof(*mitm_key));
125 rc4_key = mem_alloc(self->params.max_keys_per_crypt *
126 sizeof(*rc4_key));
127 any_cracked = 0;
128 cracked_size = sizeof(*cracked) * self->params.max_keys_per_crypt;
129 cracked = mem_calloc(1, cracked_size);
130 }
131
done(void)132 static void done(void)
133 {
134 MEM_FREE(cracked);
135 MEM_FREE(rc4_key);
136 MEM_FREE(mitm_key);
137 MEM_FREE(saved_len);
138 MEM_FREE(saved_key);
139 }
140
141 /* Based on ldr_cracked_hash from loader.c */
142 #define HASH_LOG 30
143 #define HASH_SIZE (1 << HASH_LOG)
hex_hash(char * ciphertext)144 static int hex_hash(char *ciphertext)
145 {
146 unsigned int hash, extra;
147 unsigned char *p = (unsigned char *)ciphertext;
148
149 hash = p[0] | 0x20; /* ASCII case insensitive */
150 if (!hash)
151 goto out;
152 extra = p[1] | 0x20;
153 if (!extra)
154 goto out;
155
156 p += 2;
157 while (*p) {
158 hash <<= 1; extra <<= 1;
159 hash += p[0] | 0x20;
160 if (!p[1]) break;
161 extra += p[1] | 0x20;
162 p += 2;
163 if (hash & 0xe0000000) {
164 hash ^= hash >> HASH_LOG;
165 extra ^= extra >> (HASH_LOG - 1);
166 hash &= HASH_SIZE - 1;
167 }
168 }
169
170 hash -= extra;
171 hash ^= extra << (HASH_LOG / 2);
172 hash ^= hash >> HASH_LOG;
173 hash &= HASH_SIZE - 1;
174 out:
175 return hash;
176 }
177
valid(char * ciphertext,struct fmt_main * self)178 static int valid(char *ciphertext, struct fmt_main *self)
179 {
180 char *ctcopy, *ptr, *keeptr;
181 int type, extra;
182
183 if (strncmp(ciphertext, FORMAT_TAG, TAG_LEN))
184 return 0;
185 if (strlen(ciphertext) > CIPHERTEXT_LENGTH)
186 return 0;
187 if (!(ctcopy = strdup(ciphertext)))
188 return 0;
189 keeptr = ctcopy;
190 ctcopy += TAG_LEN;
191 if (!(ptr = strtokm(ctcopy, "*"))) /* type */
192 goto error;
193 type = atoi(ptr);
194 if (type < 0 || type > 4)
195 goto error;
196 if (!(ptr = strtokm(NULL, "*"))) /* salt */
197 goto error;
198 if (hexlen(ptr, &extra) != 32 || extra)
199 goto error;
200 if (!(ptr = strtokm(NULL, "*"))) /* verifier */
201 goto error;
202 if (hexlen(ptr, &extra) != 32 || extra)
203 goto error;
204 if (!(ptr = strtokm(NULL, "*"))) /* verifier hash */
205 goto error;
206 if (type < 3 && (hexlen(ptr, &extra) != 32 || extra))
207 goto error;
208 else if (type >= 3 && (hexlen(ptr, &extra) != 40 || extra))
209 goto error;
210 /*
211 * Deprecated field: mitm hash (40-bit RC4). The new way to put it is in the
212 * uid field, like hashcat's example hash.
213 */
214 if (type <= 3 && (ptr = strtokm(NULL, "*"))) {
215 if (hexlen(ptr, &extra) != 10 || extra)
216 goto error;
217 }
218 MEM_FREE(keeptr);
219 return 1;
220 error:
221 MEM_FREE(keeptr);
222 return 0;
223 }
224
225 /* uid field may contain a meet-in-the-middle hash */
prepare(char * split_fields[10],struct fmt_main * self)226 static char *prepare(char *split_fields[10], struct fmt_main *self)
227 {
228 if (split_fields[0] && valid(split_fields[0], self) && split_fields[1] &&
229 hexlen(split_fields[1], 0) == 10) {
230 mitm_catcher.ct_hash = hex_hash(split_fields[0]);
231 memcpy(mitm_catcher.mitm, split_fields[1], 10);
232 return split_fields[0];
233 }
234 else if (valid(split_fields[1], self) && split_fields[2] &&
235 hexlen(split_fields[2], 0) == 10) {
236 mitm_catcher.ct_hash = hex_hash(split_fields[1]);
237 memcpy(mitm_catcher.mitm, split_fields[2], 10);
238 }
239 return split_fields[1];
240 }
241
split(char * ciphertext,int index,struct fmt_main * self)242 static char *split(char *ciphertext, int index, struct fmt_main *self)
243 {
244 static char out[CIPHERTEXT_LENGTH];
245 char *p;
246 int extra;
247
248 strnzcpy(out, ciphertext, sizeof(out));
249 strlwr(out);
250
251 /* Drop legacy embedded MITM hash */
252 if ((p = strrchr(out, '*')) && (hexlen(&p[1], &extra) == 10 || extra))
253 *p = 0;
254 return out;
255 }
256
get_salt(char * ciphertext)257 static void *get_salt(char *ciphertext)
258 {
259 static void *ptr;
260 char *ctcopy = strdup(ciphertext);
261 char *keeptr = ctcopy;
262 char *p;
263 int i;
264
265 memset(&cs, 0, sizeof(cs));
266 ctcopy += TAG_LEN; /* skip over "$oldoffice$" */
267 p = strtokm(ctcopy, "*");
268 cs.type = atoi(p);
269 p = strtokm(NULL, "*");
270 for (i = 0; i < 16; i++)
271 cs.salt[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16
272 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
273 p = strtokm(NULL, "*");
274 for (i = 0; i < 16; i++)
275 cs.verifier[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16
276 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
277 p = strtokm(NULL, "*");
278 if (cs.type < 3) {
279 for (i = 0; i < 16; i++)
280 cs.verifierHash[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16
281 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
282 }
283 else {
284 for (i = 0; i < 20; i++)
285 cs.verifierHash[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16
286 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
287 }
288 if ((p = strtokm(NULL, "*"))) { /* Deprecated field */
289 cs.has_mitm = 1;
290 for (i = 0; i < 5; i++)
291 cs.mitm[i] = atoi16[ARCH_INDEX(p[i * 2])] * 16
292 + atoi16[ARCH_INDEX(p[i * 2 + 1])];
293 } else
294 if (hex_hash(ciphertext) == mitm_catcher.ct_hash) {
295 cs.has_mitm = 1;
296 for (i = 0; i < 5; i++)
297 cs.mitm[i] = atoi16[ARCH_INDEX(mitm_catcher.mitm[i * 2])] * 16
298 + atoi16[ARCH_INDEX(mitm_catcher.mitm[i * 2 + 1])];
299 } else
300 cs.has_mitm = 0;
301
302 MEM_FREE(keeptr);
303
304 cs.dsalt.salt_cmp_offset = SALT_CMP_OFF(custom_salt, type);
305 cs.dsalt.salt_cmp_size = SALT_CMP_SIZE(custom_salt, type, has_mitm, 0);
306 cs.dsalt.salt_alloc_needs_free = 0;
307
308 ptr = mem_alloc_copy(&cs, sizeof(custom_salt), MEM_ALIGN_WORD);
309 return &ptr;
310 }
311
set_salt(void * salt)312 static void set_salt(void *salt)
313 {
314 if (memcmp(cur_salt->salt, (*(custom_salt**)salt)->salt, 16))
315 new_keys = 1;
316 cur_salt = *(custom_salt**)salt;
317 }
318
salt_compare(const void * x,const void * y)319 static int salt_compare(const void *x, const void *y)
320 {
321 int c;
322
323 c = memcmp((*(custom_salt**)x)->salt, (*(custom_salt**)y)->salt, 16);
324 if (c)
325 return c;
326 c = dyna_salt_cmp((void*)x, (void*)y, SALT_SIZE);
327 return c;
328 }
329
crypt_all(int * pcount,struct db_salt * salt)330 static int crypt_all(int *pcount, struct db_salt *salt)
331 {
332 const int count = *pcount;
333 int index = 0;
334
335 if (any_cracked) {
336 memset(cracked, 0, cracked_size);
337 any_cracked = 0;
338 }
339
340 #ifdef _OPENMP
341 #pragma omp parallel for
342 #endif
343 for (index = 0; index < count; index++) {
344 int i;
345 RC4_KEY key;
346
347 if (cur_salt->type < 3) {
348 MD5_CTX ctx;
349 unsigned char pwdHash[16];
350 unsigned char hashBuf[21 * 16];
351
352 if (new_keys) {
353 unsigned char key_hash[16];
354
355 MD5_Init(&ctx);
356 MD5_Update(&ctx, saved_key[index], saved_len[index]);
357 MD5_Final(key_hash, &ctx);
358 for (i = 0; i < 16; i++) {
359 memcpy(hashBuf + i * 21, key_hash, 5);
360 memcpy(hashBuf + i * 21 + 5, cur_salt->salt, 16);
361 }
362 MD5_Init(&ctx);
363 MD5_Update(&ctx, hashBuf, 21 * 16);
364 MD5_Final(mitm_key[index], &ctx);
365 }
366
367 // Early reject if we got a hint
368 if (cur_salt->has_mitm &&
369 memcmp(mitm_key[index], cur_salt->mitm, 5))
370 continue;
371
372 if (new_keys) {
373 memcpy(hashBuf, mitm_key[index], 5);
374 memset(hashBuf + 5, 0, 4);
375 MD5_Init(&ctx);
376 MD5_Update(&ctx, hashBuf, 9);
377 MD5_Final(rc4_key[index], &ctx);
378 }
379
380 RC4_set_key(&key, 16, rc4_key[index]); /* rc4Key */
381 RC4(&key, 16, cur_salt->verifier, hashBuf); /* encryptedVerifier */
382 RC4(&key, 16, cur_salt->verifierHash, hashBuf + 16); /* encryptedVerifierHash */
383 /* hash the decrypted verifier */
384 MD5_Init(&ctx);
385 MD5_Update(&ctx, hashBuf, 16);
386 MD5_Final(pwdHash, &ctx);
387 if (!memcmp(pwdHash, hashBuf + 16, 16))
388 #ifdef _OPENMP
389 #pragma omp critical
390 #endif
391 {
392 any_cracked = cracked[index] = 1;
393 cur_salt->has_mitm = 1;
394 memcpy(cur_salt->mitm, mitm_key[index], 5);
395 }
396 }
397 else {
398 SHA_CTX ctx;
399 unsigned char H0[24];
400 unsigned char Hfinal[20];
401 unsigned char DecryptedVerifier[16];
402 unsigned char DecryptedVerifierHash[20];
403
404 if (new_keys) {
405 unsigned char key_hash[20];
406
407 SHA1_Init(&ctx);
408 SHA1_Update(&ctx, cur_salt->salt, 16);
409 SHA1_Update(&ctx, saved_key[index], saved_len[index]);
410 SHA1_Final(H0, &ctx);
411 memset(&H0[20], 0, 4);
412 SHA1_Init(&ctx);
413 SHA1_Update(&ctx, H0, 24);
414 SHA1_Final(key_hash, &ctx);
415
416 if (cur_salt->type < 4) {
417 memcpy(mitm_key[index], key_hash, 5);
418 memset(&mitm_key[index][5], 0, 11);
419 } else
420 memcpy(mitm_key[index], key_hash, 16);
421 }
422
423 // Early reject if we got a hint
424 if (cur_salt->has_mitm &&
425 memcmp(mitm_key[index], cur_salt->mitm, 5))
426 continue;
427
428 RC4_set_key(&key, 16, mitm_key[index]); /* dek */
429 RC4(&key, 16, cur_salt->verifier, DecryptedVerifier);
430 RC4(&key, 16, cur_salt->verifierHash, DecryptedVerifierHash);
431 SHA1_Init(&ctx);
432 SHA1_Update(&ctx, DecryptedVerifier, 16);
433 SHA1_Final(Hfinal, &ctx);
434 if (!memcmp(Hfinal, DecryptedVerifierHash, 16))
435 #ifdef _OPENMP
436 #pragma omp critical
437 #endif
438 {
439 any_cracked = cracked[index] = 1;
440 if (cur_salt->type < 4) {
441 cur_salt->has_mitm = 1;
442 memcpy(cur_salt->mitm, mitm_key[index], 5);
443 }
444 }
445 }
446 }
447 new_keys = 0;
448
449 return count;
450 }
451
cmp_all(void * binary,int count)452 static int cmp_all(void *binary, int count)
453 {
454 return any_cracked;
455 }
456
cmp_one(void * binary,int index)457 static int cmp_one(void *binary, int index)
458 {
459 return cracked[index];
460 }
461
cmp_exact(char * source,int index)462 static int cmp_exact(char *source, int index)
463 {
464 if (cur_salt->type < 4 && !bench_or_test_running) {
465 unsigned char *cp, out[11];
466 int i;
467
468 cp = cur_salt->mitm;
469 for (i = 0; i < 5; i++) {
470 out[2 * i + 0] = itoa16[*cp >> 4];
471 out[2 * i + 1] = itoa16[*cp & 0xf];
472 cp++;
473 }
474 out[10] = 0;
475 fprintf(stderr, "MITM key: %s\n", out);
476 }
477 return 1;
478 }
479
set_key(char * key,int index)480 static void set_key(char *key, int index)
481 {
482 /* convert key to UTF-16LE */
483 saved_len[index] = enc_to_utf16(saved_key[index], PLAINTEXT_LENGTH, (UTF8*)key, strlen(key));
484 if (saved_len[index] < 0)
485 saved_len[index] = strlen16(saved_key[index]);
486 saved_len[index] <<= 1;
487 new_keys = 1;
488 }
489
get_key(int index)490 static char *get_key(int index)
491 {
492 return (char*)utf16_to_enc(saved_key[index]);
493 }
494
oo_hash_type(void * salt)495 static unsigned int oo_hash_type(void *salt)
496 {
497 custom_salt *my_salt;
498
499 my_salt = *(custom_salt**)salt;
500 return (unsigned int) my_salt->type;
501 }
502
503 struct fmt_main fmt_oldoffice = {
504 {
505 FORMAT_LABEL,
506 FORMAT_NAME,
507 ALGORITHM_NAME,
508 BENCHMARK_COMMENT,
509 BENCHMARK_LENGTH,
510 0,
511 PLAINTEXT_LENGTH,
512 BINARY_SIZE,
513 BINARY_ALIGN,
514 SALT_SIZE,
515 SALT_ALIGN,
516 MIN_KEYS_PER_CRYPT,
517 MAX_KEYS_PER_CRYPT,
518 FMT_CASE | FMT_8_BIT | FMT_OMP | FMT_UNICODE | FMT_ENC | FMT_SPLIT_UNIFIES_CASE | FMT_DYNA_SALT,
519 {
520 "hash type",
521 },
522 { FORMAT_TAG },
523 oo_tests
524 }, {
525 init,
526 done,
527 fmt_default_reset,
528 prepare,
529 valid,
530 split,
531 fmt_default_binary,
532 get_salt,
533 {
534 oo_hash_type,
535 },
536 fmt_default_source,
537 {
538 fmt_default_binary_hash
539 },
540 fmt_default_dyna_salt_hash,
541 salt_compare,
542 set_salt,
543 set_key,
544 get_key,
545 fmt_default_clear_keys,
546 crypt_all,
547 {
548 fmt_default_get_hash
549 },
550 cmp_all,
551 cmp_one,
552 cmp_exact
553 }
554 };
555
556 #endif /* plugin stanza */
557