2 RainbowCrack - a general propose implementation of Philippe Oechslin's faster time-memory trade-off technique.
4 Copyright (C) Zhu Shuanglei <shuanglei@hotmail.com>
7 #include "HashAlgorithm.h"
12 #include <openssl/md4.h>
15 #define MSCACHE_HASH_SIZE 16
16 void setup_des_key(unsigned char key_56[], des_key_schedule &ks)
21 key[1] = (key_56[0] << 7) | (key_56[1] >> 1);
22 key[2] = (key_56[1] << 6) | (key_56[2] >> 2);
23 key[3] = (key_56[2] << 5) | (key_56[3] >> 3);
24 key[4] = (key_56[3] << 4) | (key_56[4] >> 4);
25 key[5] = (key_56[4] << 3) | (key_56[5] >> 5);
26 key[6] = (key_56[5] << 2) | (key_56[6] >> 6);
27 key[7] = (key_56[6] << 1);
29 //des_set_odd_parity(&key);
30 des_set_key(&key, ks);
33 void HashLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
36 unsigned char data[7] = {0};
37 memcpy(data, pPlain, nPlainLen > 7 ? 7 : nPlainLen);
41 for (i = nPlainLen; i < 7; i++)
44 static unsigned char magic[] = {0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
46 //setup_des_key(data, ks);
47 setup_des_key(pPlain, ks);
48 des_ecb_encrypt((des_cblock*)magic, (des_cblock*)pHash, ks, DES_ENCRYPT);
51 void HashLMCHALL(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
53 unsigned char pass[14];
54 unsigned char pre_lmresp[21];
55 static unsigned char magic[] = {0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
56 static unsigned char spoofed_challange[] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
59 memset (pass,0,sizeof(pass));
60 memset (pre_lmresp,0,sizeof(pre_lmresp));
62 memcpy (pass,pPlain, nPlainLen);
64 setup_des_key(pass, ks);
65 des_ecb_encrypt((des_cblock*)magic, (des_cblock*)pre_lmresp, ks, DES_ENCRYPT);
67 setup_des_key(&pass[7], ks);
68 des_ecb_encrypt((des_cblock*)magic, (des_cblock*)&pre_lmresp[8], ks, DES_ENCRYPT);
70 setup_des_key(pre_lmresp, ks);
71 des_ecb_encrypt((des_cblock*)spoofed_challange, (des_cblock*)pHash, ks, DES_ENCRYPT);
73 setup_des_key(&pre_lmresp[7], ks);
74 des_ecb_encrypt((des_cblock*)spoofed_challange, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
76 setup_des_key(&pre_lmresp[14], ks);
77 des_ecb_encrypt((des_cblock*)spoofed_challange, (des_cblock*)&pHash[16], ks, DES_ENCRYPT);
81 void HashHALFLMCHALL(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
83 unsigned char pre_lmresp[8];
84 static unsigned char magic[] = {0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
85 static unsigned char salt[] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
88 unsigned char plain[8] = {0};
89 memcpy(plain, pPlain, nPlainLen);
90 setup_des_key(plain, ks);
91 des_ecb_encrypt((des_cblock*)magic, (des_cblock*)pre_lmresp, ks, DES_ENCRYPT);
93 setup_des_key(pre_lmresp, ks);
94 des_ecb_encrypt((des_cblock*)salt, (des_cblock*)pHash, ks, DES_ENCRYPT);
99 void HashNTLMCHALL(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
101 unsigned char UnicodePlain[MAX_PLAIN_LEN];
102 static unsigned char spoofed_challange[] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
104 int len = (nPlainLen < 127) ? nPlainLen : 127;
107 for (i = 0; i < len; i++)
109 UnicodePlain[i * 2] = pPlain[i];
110 UnicodePlain[i * 2 + 1] = 0x00;
114 unsigned char lm[21];
116 MD4(UnicodePlain, len * 2, lm);
117 lm[16] = lm[17] = lm[18] = lm[19] = lm[20] = 0;
119 setup_des_key(lm, ks);
120 des_ecb_encrypt((des_cblock*)spoofed_challange, (des_cblock*)pHash, ks, DES_ENCRYPT);
122 setup_des_key(&lm[7], ks);
123 des_ecb_encrypt((des_cblock*)spoofed_challange, (des_cblock*)&pHash[8], ks, DES_ENCRYPT);
125 setup_des_key(&lm[14], ks);
126 des_ecb_encrypt((des_cblock*)spoofed_challange, (des_cblock*)&pHash[16], ks, DES_ENCRYPT);
130 void HashORACLE(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
137 DES_key_schedule ks1,ks2;
138 unsigned char deskey_fixed[]={ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
141 strcpy_s(username, sizeof(username), "SYS");
143 strcpy(username, "SYS");
147 _strupr((char*) pPlain);
149 strupr((char*) pPlain);
151 memset (ToEncrypt,0,sizeof(ToEncrypt));
153 for (i=1,j=0; j<userlen; i++,j++)
155 ToEncrypt[i] = username[j];
159 for (j=0; j<nPlainLen; i++,j++)
161 ToEncrypt[i] = pPlain[j];
168 DES_set_key((DES_cblock*) deskey_fixed, &ks1);
169 DES_ncbc_encrypt((unsigned char*) ToEncrypt, (unsigned char*) temp, i, &ks1, &iv, DES_ENCRYPT);
170 DES_set_key((DES_cblock*) &iv, &ks2);
171 DES_ncbc_encrypt((unsigned char*) ToEncrypt, (unsigned char*) temp, i, &ks2, &iv2, DES_ENCRYPT);
172 memcpy (pHash,iv2,8);
175 void HashNTLM(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
177 unsigned char UnicodePlain[MAX_PLAIN_LEN * 2];
179 for (i = 0; i < nPlainLen; i++)
181 UnicodePlain[i * 2] = pPlain[i];
182 UnicodePlain[i * 2 + 1] = 0x00;
185 MD4(UnicodePlain, nPlainLen * 2, pHash);
186 // printf("Plain: %s Hash: %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x\n", pPlain, pHash[0], pHash[1], pHash[2], pHash[3], pHash[4], pHash[5], pHash[6], pHash[7], pHash[8], pHash[9], pHash[10], pHash[11], pHash[12], pHash[13], pHash[14], pHash[15]);
189 void HashMD2(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
191 MD2(pPlain, nPlainLen, pHash);
194 void HashMD4(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
196 MD4(pPlain, nPlainLen, pHash);
199 void HashMD5(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
201 MD5_NEW(pPlain, nPlainLen, pHash);
203 void HashDoubleMD5(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
205 MD5_NEW(pPlain, nPlainLen, pHash);
206 unsigned char hash[16];
207 memcpy(hash, pHash, 16);
208 MD5_NEW(hash, 16, pHash);
211 void HashSHA1(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
213 SHA1(pPlain, nPlainLen, pHash);
216 void HashRIPEMD160(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
218 RIPEMD160(pPlain, nPlainLen, pHash);
221 void HashMSCACHE(unsigned char *pPlain, int nPlainLen, unsigned char* pHash)
223 char unicode_pwd[256];
224 char unicode_user[256];
225 static unsigned char username[] = "administrator";
226 static int userlen = 13;
227 unsigned char final1[MD4_DIGEST_LENGTH];
231 // strcpy (username, "administrator");
234 for (i=0; i<nPlainLen; i++)
236 unicode_pwd[i*2] = pPlain[i];
237 unicode_pwd[i*2+1] = 0x00;
240 for (i=0; i<userlen; i++)
242 unicode_user[i*2] = username[i];
243 unicode_user[i*2+1] = 0x00;
247 MD4_Update(&ctx,unicode_pwd,nPlainLen*2);
248 MD4_Final(final1,&ctx);
251 MD4_Update(&ctx,final1,MD4_DIGEST_LENGTH);
252 MD4_Update(&ctx,(unsigned char*) unicode_user,userlen*2);
253 MD4_Final(pHash,&ctx);
256 unsigned char unicode_pwd[256];
257 for (int i=0; i<nPlainLen; i++)
259 unicode_pwd[i*2] = pPlain[i];
260 unicode_pwd[i*2+1] = 0x00;
263 unsigned char *buf = (unsigned char*)calloc(MSCACHE_HASH_SIZE + nSaltLength, sizeof(unsigned char));
264 HashNTLM(pPlain, nPlainLen, buf, NULL);
265 //MD4(unicode_pwd, nPlainLen*2, buf);
266 memcpy(buf + MSCACHE_HASH_SIZE, pSalt, nSaltLength);
267 MD4(buf, MSCACHE_HASH_SIZE + nSaltLength, pHash);
272 //*********************************************************************************
273 // Code for MySQL password hashing
274 //*********************************************************************************
276 inline void mysql_hash_password_323(unsigned long *result, const char *password)
278 register unsigned long nr=1345345333L, add=7, nr2=0x12345671L;
280 for (; *password ; password++)
282 if (*password == ' ' || *password == '\t') continue;
283 tmp= (unsigned long) (unsigned char) *password;
284 nr^= (((nr & 63)+add)*tmp)+ (nr << 8);
285 nr2+=(nr2 << 8) ^ nr;
288 result[0]=nr & (((unsigned long) 1L << 31) -1L); ;
289 result[1]=nr2 & (((unsigned long) 1L << 31) -1L);
293 void HashMySQL323(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
295 unsigned long hash_pass[2];
296 unsigned char* f = (unsigned char*) hash_pass;
298 unsigned char* pass = (unsigned char*) calloc (nPlainLen+4,sizeof(unsigned char));
299 memcpy(pass,pPlain,nPlainLen);
301 mysql_hash_password_323(hash_pass, (char*) pass);
302 pHash[0]=*(f+3); pHash[1]=*(f+2); pHash[2]=*(f+1); pHash[3]=*(f+0);
303 pHash[4]=*(f+7); pHash[5]=*(f+6); pHash[6]=*(f+5); pHash[7]=*(f+4);
308 void HashMySQLSHA1(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
310 unsigned char hash_stage1[SHA_DIGEST_LENGTH];
314 SHA1_Update(&ctx, (unsigned char *) pPlain, nPlainLen);
315 SHA1_Final(hash_stage1, &ctx);
317 SHA1_Update(&ctx, hash_stage1, SHA_DIGEST_LENGTH);
318 SHA1_Final(pHash, &ctx);
321 //*********************************************************************************
322 // Code for PIX password hashing
323 //*********************************************************************************
324 static char itoa64[] = /* 0 ... 63 => ascii - 64 */
325 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
327 void _crypt_to64(char *s, unsigned long v, int n)
330 *s++ = itoa64[v&0x3f];
335 void HashPIX(unsigned char* pPlain, int nPlainLen, unsigned char* pHash)
337 char temp[MD5_DIGEST_LENGTH+1];
338 unsigned char final[MD5_DIGEST_LENGTH];
339 char* pass = (char*) calloc (nPlainLen+MD5_DIGEST_LENGTH,sizeof(char));
341 memcpy (pass,pPlain,nPlainLen);
345 MD5_Update(&ctx, (unsigned char *) pass, MD5_DIGEST_LENGTH);
346 MD5_Final(final, &ctx);
348 char* p = (char*) temp;
349 _crypt_to64(p,*(unsigned long*) (final+0),4); p += 4;
350 _crypt_to64(p,*(unsigned long*) (final+4),4); p += 4;
351 _crypt_to64(p,*(unsigned long*) (final+8),4); p += 4;
352 _crypt_to64(p,*(unsigned long*) (final+12),4); p += 4;
355 memcpy(pHash,temp,MD5_DIGEST_LENGTH);