CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/data/jtr/dynamic.conf
Views: 1904
1
# Here are some examples of DYNAMIC.

2
# Please refer to ./doc/DYNAMIC for documentation on how to set these up.

3
# Format names up to dynamic_999 are reserved for builtin functions.

4


5
####################################################################

6
# here is a synopsis of the formats in this file.  Please keep this up to date

7
####################################################################

8
# dynamic_1001: md5(md5(md5(md5($p))))

9
# dynamic_1002: md5(md5(md5(md5(md5($p)))))

10
# dynamic_1003: md5(md5($p).md5($p))

11
# dynamic_1004: md5(md5(md5(md5(md5(md5($p))))))

12
# dynamic_1005: md5(md5(md5(md5(md5(md5(md5($p)))))))

13
# dynamic_1006: md5(md5(md5(md5(md5(md5(md5(md5($p))))))))

14
# dynamic_1007: md5(md5($p).$s) (vBulletin)

15
# dynamic_1008: md5($p.$s) (RADIUS User-Password)

16
# dynamic_1009: md5($s.$p) (RADIUS Responses)

17
# dynamic_1010: md5($p null_padded_to_len_100) RAdmin v2.x MD5

18
# dynamic_1011: md5($p.md5($s)) (webEdition CMS)

19
# dynamic_1012: md5($p.md5($s)) (webEdition CMS)

20
# dynamic_1013: md5($p.PMD5(username)) (webEdition CMS)

21
# dynamic_1014: md5($p.$s) (long salt)

22
# dynamic_1015: md5(md5($p.$u).$s) (PostgreSQL 'pass the hash')

23
# dynamic_1016: md5($p.$s) (long salt)

24
# dynamic_1017: md5($s.$p) (long salt)

25
# dynamic_1018: md5(sha1(sha1($p)))

26
# dynamic_1019: md5(sha1(sha1(md5($p))))

27
# dynamic_1020: md5(sha1(md5($p)))

28
# dynamic_1021: md5(sha1(md5(sha1($p))))

29
# dynamic_1022: md5(sha1(md5(sha1(md5($p)))))

30
# dynamic_1023: sha1($p) (hash truncated to length 32)

31
# dynamic_1024: sha1(md5($p)) (hash truncated to length 32)

32
# dynamic_1025: sha1(md5(md5($p))) (hash truncated to length 32)

33
# dynamic_1026: sha1(sha1($p)) (hash truncated to length 32)

34
# dynamic_1027: sha1(sha1(sha1($p))) (hash truncated to length 32)

35
# dynamic_1028: sha1(sha1_raw($p)) (hash truncated to length 32)

36
# dynamic_1029: sha256($p) (hash truncated to length 32)

37
# dynamic_1030: whirlpool($p) (hash truncated to length 32)

38
# dynamic_1031: gost($p) (hash truncated to length 32)

39
# dynamic_1032: sha1_64(utf16($p)) (PeopleSoft)

40
# dynamic_1033: sha1_64(utf16($p).$s)

41
# dynamic_1034: md5($p.$u) (PostgreSQL MD5)

42
# dynamic_1300: md5(md5_raw($p))

43
# dynamic_1350: md5(md5($s.$p):$s)

44
# dynamic_1400: sha1(utf16($p)) (Microsoft CREDHIST)

45
# dynamic_1401: md5($u.\nskyper\n.$p) (Skype MD5)

46
# dynamic_1501: sha1($s.sha1($p)) (Redmine)

47
# dynamic_1502: sha1(sha1($p).$s) (XenForo SHA-1)

48
# dynamic_1503: sha256(sha256($p).$s) (XenForo SHA-256)

49
# dynamic_1504: sha1($s.$p.$s)

50
# dynamic_1505: md5($p.$s.md5($p.$s))

51
# dynamic_1506: md5($u.:XDB:.$p) (Oracle 12c "H" hash)

52
# dynamic_1507: sha1(utf16($const.$p)) (Mcafee master pass)

53
# dynamic_1518: md5(sha1($p).md5($p).sha1($p))

54
# dynamic_1528: sha256($s.$p.$s) (Telegram for Android)

55
# dynamic_1529: sha1($p null_padded_to_len_32) (DeepSound)

56
# dynamic_1550: md5($u.:mongo:.$p) (MONGODB-CR system hash)

57
# dynamic_1551: md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)

58
# dynamic_1552: md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)

59
# dynamic_1560: md5($s.$p.$s2) (SocialEngine)

60
# dynamic_1588: sha256($s.sha1($p)) (ColdFusion 11)

61
# dynamic_1590: sha1(utf16be(space_pad_10(uc($s)).$p)) (IBM AS/400 SHA1)

62
# dynamic_1592: sha1($s.sha1($s.sha1($p))) (wbb3)

63
# dynamic_1600: sha1($s.utf16le($p)) (Oracle PeopleSoft PS_TOKEN)

64
# dynamic_1608: sha256(sha256_raw(sha256_raw($p))) (Neo Wallet)

65


66
####################################################################

67


68
####################################################################

69
# Simple DYNAMIC type for md5($p)^^4  (i.e. 4 steps of md5 recursively)

70
####################################################################

71
[List.Generic:dynamic_1001]

72
# expression shown will be the string:   dynamic_1001 md5(md5(md5(md5($p))))

73
Expression=md5(md5(md5(md5($p))))

74
Flag=MGF_KEYS_INPUT

75
Flag=MGF_SET_INP2LEN32

76
MaxInputLen=55

77
MaxInputLenX86=110

78
Func=DynamicFunc__crypt_md5

79
Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix

80
#if !ARCH_LITTLE_ENDIAN  // unfortunatly, we have no #define here, so we always have to call this function, in a script or they will fail on BE boxes :(

81
Func=DynamicFunc__set_input2_len_32_cleartop

82
#endif

83
Func=DynamicFunc__crypt2_md5

84
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

85
Func=DynamicFunc__set_input2_len_32_cleartop

86
Func=DynamicFunc__crypt2_md5

87
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

88
Func=DynamicFunc__set_input2_len_32_cleartop

89
Func=DynamicFunc__crypt_md5_in2_to_out1

90
Test=$dynamic_1001$57200e13b490d4ae47d5e19be026b057:test1

91
Test=$dynamic_1001$c6cc44f9e7fb7efcde62ba2e627a49c6:thatsworking

92
Test=$dynamic_1001$0ae9549604e539a249c1fa9f5e5fb73b:test3

93
# TestM= will ONLY load in an MMX or SSE2 build of JtR.

94
# TestF= will ONLY load in a non-MMX and nonSSE build (flat oSSL build, or generic)

95
TestM=$dynamic_1001$94c59ab02fcd39f3ff9a4e553a4afcb6:1234567890123456789012345678901234567890123456789012345

96
TestF=$dynamic_1001$a8b46c02f1680860622df837fa78c3e4:12345678901234567890123456789012345678901234567890123456789012345678901234567890

97


98
####################################################################

99
# Simple DYNAMIC type for md5($p)^^5  (i.e. 5 steps of md5 recursively)

100
####################################################################

101
[List.Generic:dynamic_1002]

102
# expression shown will be the string:   dynamic_1002 md5(md5(md5(md5(md5($p)))))

103
Expression=md5(md5(md5(md5(md5($p)))))

104
Flag=MGF_KEYS_INPUT

105
Flag=MGF_SET_INP2LEN32

106
MaxInputLen=55

107
MaxInputLenX86=110

108
# here is the optimized 'script' to perform the md5 5 times on itself.

109
Func=DynamicFunc__crypt_md5

110
Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix

111
Func=DynamicFunc__set_input2_len_32_cleartop

112
Func=DynamicFunc__crypt2_md5

113
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

114
Func=DynamicFunc__set_input2_len_32_cleartop

115
Func=DynamicFunc__crypt2_md5

116
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

117
Func=DynamicFunc__set_input2_len_32_cleartop

118
Func=DynamicFunc__crypt2_md5

119
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

120
Func=DynamicFunc__set_input2_len_32_cleartop

121
Func=DynamicFunc__crypt_md5_in2_to_out1

122
# These are test strings for this format.

123
Test=$dynamic_1002$25de8cd0b0cf69c5b5bc19c8ee64adab:test1

124
Test=$dynamic_1002$a0b535420ea47849f7c2cc09a3ad0ac3:thatsworking

125
Test=$dynamic_1002$4cb029bd5b4ef79f785ca685caf17bf8:test3

126
TestM=$dynamic_1002$5a791c6c9de2f488a8155f35900348b0:1234567890123456789012345678901234567890123456789012345

127
TestF=$dynamic_1002$b8da59d26b6494df42b8c0f1fba8cd7e:12345678901234567890123456789012345678901234567890123456789012345678901234567890

128


129
####################################################################

130
# Simple DYNAMIC type for md5(md5($p).md5($p))

131
####################################################################

132
[List.Generic:dynamic_1003]

133
# expression shown will be the string:   dynamic_1003 md5(md5($p).md5($p))

134
Expression=md5(md5($p).md5($p))

135
# NOTE, this format does NOT work on SSE2.  It requires a md5() of a 64 byte string.

136
# SSE (or MMX) is limtited to 54 byte max password, due to 'enhancements'

137
# Thus, we need a non-sse2 safe flag.

138
##JF Flag=MGF_NOTSSE2Safe

139
##JF Flag=MGF_KEYS_INPUT

140
##JF Flag=MGF_FULL_CLEAN_REQUIRED

141
# here is the optimized 'script' to perform hash 'like' IPB but salt replaced with password.

142
##JF Func=DynamicFunc__crypt_md5

143
##JF Func=DynamicFunc__clean_input2_kwik

144
##JF Func=DynamicFunc__append_from_last_output_to_input2_as_base16

145
##JF Func=DynamicFunc__append_from_last_output_to_input2_as_base16

146
##JF Func=DynamicFunc__crypt_md5_in2_to_out1

147


148
# much more optimal.   From 1118k to 2155k on an SSE2 box.

149
Flag=MGF_FLAT_BUFFERS

150
Flag=MGF_KEYS_BASE16_IN1

151
Flag=MGF_POOR_OMP

152
MaxInputLen=110

153
MaxInputLenX86=110

154
Func=DynamicFunc__append_input_from_input

155
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL

156


157
# These are test strings for this format.

158
Test=$dynamic_1003$478b10974f15e7295883224fd286ccba:test1

159
Test=$dynamic_1003$18a59101e6c6fb38260d542a394ecb22:thatsworking

160
Test=$dynamic_1003$630b01b68b6db6fd43a751f8147d1faf:test3

161
Test=$dynamic_1003$2dbecd858c29d5602da78204af7dfe1b:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

162


163
####################################################################

164
# Simple DYNAMIC type for md5($p)^^6  (i.e. 6 steps of md5 recursively)

165
####################################################################

166
[List.Generic:dynamic_1004]

167
# expression shown will be the string:   dynamic_1004 md5(md5(md5(md5(md5(md5($p))))))

168
Expression=md5(md5(md5(md5(md5(md5($p))))))

169
Flag=MGF_KEYS_INPUT

170
Flag=MGF_SET_INP2LEN32

171
MaxInputLen=55

172
MaxInputLenX86=110

173
# here is the optimized 'script' to perform the md5 6 times on itself.

174
Func=DynamicFunc__crypt_md5

175
Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix

176
Func=DynamicFunc__set_input2_len_32_cleartop

177
Func=DynamicFunc__crypt2_md5

178
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

179
Func=DynamicFunc__set_input2_len_32_cleartop

180
Func=DynamicFunc__crypt2_md5

181
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

182
Func=DynamicFunc__set_input2_len_32_cleartop

183
Func=DynamicFunc__crypt2_md5

184
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

185
Func=DynamicFunc__set_input2_len_32_cleartop

186
Func=DynamicFunc__crypt2_md5

187
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

188
Func=DynamicFunc__set_input2_len_32_cleartop

189
Func=DynamicFunc__crypt_md5_in2_to_out1

190
# These are test strings for this format.

191
Test=$dynamic_1004$de1b991dd27fb9813e88b957a455dccd:test1

192
Test=$dynamic_1004$6a62cd3c4d81139f61fb2553cdef0dc7:thatsworking

193
Test=$dynamic_1004$a977990e521c5d1d17c6d65fdf2681b4:test3

194
TestM=$dynamic_1004$e475d31b00626080fc01ca4832a33293:1234567890123456789012345678901234567890123456789012345

195
TestF=$dynamic_1004$f60eca1ad34608b7c6b1b04379b3fee3:12345678901234567890123456789012345678901234567890123456789012345678901234567890

196


197


198
####################################################################

199
# Simple DYNAMIC type for md5($p)^^7  (i.e. 7 steps of md5 recursively)

200
####################################################################

201
[List.Generic:dynamic_1005]

202
# expression shown will be the string:   dynamic_1005 md5(md5(md5(md5(md5(md5(md5($p)))))))

203
Expression=md5(md5(md5(md5(md5(md5(md5($p)))))))

204
Flag=MGF_KEYS_INPUT

205
Flag=MGF_SET_INP2LEN32

206
MaxInputLen=55

207
MaxInputLenX86=110

208
# here is the optimized 'script' to perform the md5 7 times on itself.

209
Func=DynamicFunc__crypt_md5

210
Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix

211
Func=DynamicFunc__set_input2_len_32_cleartop

212
Func=DynamicFunc__crypt2_md5

213
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

214
Func=DynamicFunc__set_input2_len_32_cleartop

215
Func=DynamicFunc__crypt2_md5

216
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

217
Func=DynamicFunc__set_input2_len_32_cleartop

218
Func=DynamicFunc__crypt2_md5

219
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

220
Func=DynamicFunc__set_input2_len_32_cleartop

221
Func=DynamicFunc__crypt2_md5

222
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

223
Func=DynamicFunc__set_input2_len_32_cleartop

224
Func=DynamicFunc__crypt2_md5

225
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

226
Func=DynamicFunc__set_input2_len_32_cleartop

227
Func=DynamicFunc__crypt_md5_in2_to_out1

228
# These are test strings for this format.

229
Test=$dynamic_1005$784c527d0d92873ff9c0773e1c35621d:test1

230
Test=$dynamic_1005$efcbbe6331caecf0e7f40160e65aadcc:thatsworking

231
Test=$dynamic_1005$abb8bdd2c6ac2dfea2b2af6f5aed5446:test3

232
TestM=$dynamic_1005$8f853f8abf74a8e686c213a9849d9beb:1234567890123456789012345678901234567890123456789012345

233
TestF=$dynamic_1005$37e4fc15b5dc59286aee85f4b7008315:12345678901234567890123456789012345678901234567890123456789012345678901234567890

234


235
####################################################################

236
# Simple DYNAMIC type for md5($p)^^8  (i.e. 8 steps of md5 recursively)

237
####################################################################

238
[List.Generic:dynamic_1006]

239
# expression shown will be the string:   dynamic_1006 md5(md5(md5(md5(md5(md5(md5(md5($p))))))))

240
Expression=md5(md5(md5(md5(md5(md5(md5(md5($p))))))))

241
Flag=MGF_KEYS_INPUT

242
Flag=MGF_SET_INP2LEN32

243
MaxInputLen=55

244
MaxInputLenX86=110

245
# here is the optimized 'script' to perform the md5 8 times on itself.

246
Func=DynamicFunc__crypt_md5

247
Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix

248
Func=DynamicFunc__set_input2_len_32_cleartop

249
Func=DynamicFunc__crypt2_md5

250
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

251
Func=DynamicFunc__set_input2_len_32_cleartop

252
Func=DynamicFunc__crypt2_md5

253
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

254
Func=DynamicFunc__set_input2_len_32_cleartop

255
Func=DynamicFunc__crypt2_md5

256
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

257
Func=DynamicFunc__set_input2_len_32_cleartop

258
Func=DynamicFunc__crypt2_md5

259
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

260
Func=DynamicFunc__set_input2_len_32_cleartop

261
Func=DynamicFunc__crypt2_md5

262
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

263
Func=DynamicFunc__set_input2_len_32_cleartop

264
Func=DynamicFunc__crypt2_md5

265
Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix

266
Func=DynamicFunc__set_input2_len_32_cleartop

267
Func=DynamicFunc__crypt_md5_in2_to_out1

268
# These are test strings for this format.

269
Test=$dynamic_1006$1ec1f32398f64cab51183f63630eceea:test1

270
Test=$dynamic_1006$f66b339ac21d6fd6af216f2b70aab2c9:thatsworking

271
Test=$dynamic_1006$e9d38522b5eeec753332e576e2e0fe5d:test3

272
TestM=$dynamic_1006$399310c857c0d83b931441d514528ee6:1234567890123456789012345678901234567890123456789012345

273
TestF=$dynamic_1006$e89d92a2291b5b43b6697c51d722ae8b:12345678901234567890123456789012345678901234567890123456789012345678901234567890

274


275
####################################################################

276
# Simple DYNAMIC type for vBulletin md5(md5($p).$s)   Included here to 'exercise' the script parser

277
####################################################################

278
[List.Generic:dynamic_1007]

279
# expression shown will be the string:   dynamic_1007 md5(md5($p).$s) [vBulletin]

280
Expression=md5(md5($p).$s) (vBulletin)

281
# Flag needed here, is Salt.  There is no 'fixed' saltlen.

282
Flag=MGF_SALTED

283
Flag=MGF_KEYS_BASE16_IN1

284
# vBulletin has a 'fixed' 3 byte salt, so list the fixed size  (restriction removed).

285
SaltLen=-23

286
SaltLenX86=-64

287
MaxInputLen=55

288
MaxInputLenX86=110

289
# here is the optimized 'script' to perform vBulletin hash

290
Func=DynamicFunc__set_input_len_32_cleartop

291
Func=DynamicFunc__append_salt

292
Func=DynamicFunc__crypt_md5

293
Test=$dynamic_1007$daa61d77e218e42060c2fa198ac1feaf$SXB:test1

294
Test=$dynamic_1007$de56b00bb15d6db79204bd44383469bc$T &:thatsworking

295
Test=$dynamic_1007$fb685c6f469f6e549c85e4c1fb5a65a6$HEX$5C483A:test3

296
Test=$dynamic_1007$5dd8145e0d1e2499bce05dcb4bce5cdf$HEX$24324F:testme

297
TestM=$dynamic_1007$09019afd1303ff078ba323569ac05ea5$123:1234567890123456789012345678901234567890123456789012

298
TestF=$dynamic_1007$1eff62d90df7e82566f75f7cfb316f6e$PS9:12345678901234567890123456789012345678901234567890123456789012345678901234567890

299


300
####################################################################

301
# Dynamic type for algorithm used in RADIUS User-Password attribute md5($p.$s)

302
####################################################################

303
[List.Generic:dynamic_1008]

304
# expression shown will be this string:

305
Expression=md5($p.$s) (RADIUS User-Password)

306
# Flag needed here, is Salt

307
Flag=MGF_SALTED

308
# The salt has a fixed length of 16 bytes

309
Saltlen=16

310
Func=DynamicFunc__clean_input

311
Func=DynamicFunc__append_keys

312
Func=DynamicFunc__append_salt

313
Func=DynamicFunc__crypt_md5

314
Test=$dynamic_1008$b962b0d40fc9111ce5f8efab424bad73$NormalSaltNormal:secret

315
Test=$dynamic_1008$8bfccd9d67ec0bcdc38e9ae3c19a2903$FinishingwitHEX$:secret

316
Test=$dynamic_1008$bf239357f3aa95508a53fe41b7e5f2e3$inthem$HEXiddle6:secret

317
# unfortunately, these next 2 have embedded NULLs, so at this time they have been removed.

318
# later we will get dynamic working with these also.

319
#Test=$dynamic_1008$7fe3c4d1bf2ac68e94ee9f2bf75b9601$HEX$00000000000000000000000000000000:secret

320
#Test=$dynamic_1008$658bbf9f04538d6bede09a4a52a77504$HEX$626c6168003637383930313233343536:secret

321
TestM=$dynamic_1008$6bf84723242c758538951ebfcbe82498$Zm8EXfUeRrEJMx5b:123456789012345678901234567890123456789

322
TestF=$dynamic_1008$7978620b9b48b1d6e322bfe5b081bf3e$yH9RErqH2ktDYesl:1234567890123456789012345678901234567890123456789012345678901234

323


324
######################################################################

325
# Dynamic Type for algorithm used in RADIUS Responses md5($s.$p)

326
#

327
# Also used by a "popular" backup solution

328
# select id, name, emailid, password from administrator;

329
# hashlib.md5((str(id) + pwd)).hexdigest()

330
######################################################################

331
[List.Generic:dynamic_1009]

332
Expression=md5($s.$p) (RADIUS Responses)

333
Flag=MGF_SALTED

334
Saltlen=-16

335
Func=DynamicFunc__clean_input

336
Func=DynamicFunc__append_salt

337
Func=DynamicFunc__append_keys

338
Func=DynamicFunc__crypt_md5

339
Test=$dynamic_1009$0b9b9fdf75fc79d85c5b69aa1de26288$Salt:test1

340
Test=$dynamic_1009$05ed3fc5e044d559290c400254e568c9$1:hackme

341
TestM=$dynamic_1009$9619094908f5c9f29eb95eadefae84c3$ex5fKtjhZwVMCi2C:123456789012345678901234567890123456789

342
TestF=$dynamic_1009$92cfbd6aadc48b2ef97ca2699037dea6$73WkPYCT2CxnQ8pt:1234567890123456789012345678901234567890123456789012345678901234

343


344
######################################################################

345
# Dynamic Type for algorithm used in RAdmin v2.x Responses md5($p.NULL-to-100-bytes)

346
# v2, where keys are in input, and set_input_len_100 'cleans' up if needed.

347
######################################################################

348
[List.Generic:dynamic_1010]

349
Expression=md5($p null_padded_to_len_100) RAdmin v2.x MD5

350
##JF Flag=MGF_NOTSSE2Safe

351
##JF Flag=MGF_KEYS_INPUT

352
##JF Func=DynamicFunc__set_input_len_100

353
##JF Func=DynamicFunc__crypt_md5

354


355
# MUCH faster.  Went from 1930k to 5600k

356
MaxInputLen=99

357
MaxInputLenX86=99

358
Flag=MGF_FLAT_BUFFERS

359
Flag=MGF_KEYS_INPUT

360
Flag=MGF_POOR_OMP

361
Func=DynamicFunc__set_input_len_100

362
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL

363


364
Test=$dynamic_1010$B137F09CF92F465CABCA06AB1B283C1F:lastwolf

365
Test=$dynamic_1010$14e897b1a9354f875df51047bb1a0765:podebradka

366
Test=$dynamic_1010$02ba5e187e2589be6f80da0046aa7e3c:12345678

367
Test=$dynamic_1010$b4e13c7149ebde51e510959f30319ac7:firebaLL

368
Test=$dynamic_1010$3d2c8cae4621edf8abb081408569482b:yamaha12345

369
Test=$dynamic_1010$60cb8e411b02c10ecc3c98e29e830de8:xplicit

370


371
####################################################################

372
# DYNAMIC type for webEdition CMS md5($p.md5($s))

373
# > select username,passwd,UseSalt from tblUser

374
# username is salt

375
####################################################################

376
[List.Generic:dynamic_1011]

377
Expression=md5($p.md5($s)) (webEdition CMS)

378
Flag=MGF_SALTED

379
MaxInputLenX86=48

380
SaltLen=-55

381
MaxInputLen=23

382
Func=DynamicFunc__clean_input

383
Func=DynamicFunc__append_salt

384
Func=DynamicFunc__crypt_md5

385
Func=DynamicFunc__clean_input2

386
Func=DynamicFunc__append_keys2

387
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

388
Func=DynamicFunc__crypt_md5_in2_to_out1

389
Test=$dynamic_1011$e82bf09e8a1899d4c3d00a3f380d5cdb$SXB:openwall

390
Test=$dynamic_1011$c0e024d9200b5705bc4804722636378a$admin:admin

391
Test=$dynamic_1011$14f8b3781f19a3b7ea520311482ce207$openwall:openwall

392
TestM=$dynamic_1011$b8db62204359efcbfc92da2d697d21cb$xkcR9B:12345678901234567890123

393
TestF=$dynamic_1011$61f55f04f8f4e05392415181bcf57420$rtJEIj:123456789012345678901234567890123456789012345678

394


395
####################################################################

396
# DYNAMIC type for webEdition CMS md5($p.md5($s))

397
# > select username,passwd,UseSalt from tblUser

398
# username is salt

399
# Twice as fast as dynamic_1011 since md5($s) is pre-computed!

400
####################################################################

401
[List.Generic:dynamic_1012]

402
Expression=md5($p.md5($s)) (webEdition CMS)

403
Flag=MGF_SALTED

404
Flag=MGF_SALT_AS_HEX

405
MaxInputLenX86=48

406
SaltLen=-110

407
MaxInputLen=23

408
Func=DynamicFunc__clean_input

409
Func=DynamicFunc__append_keys

410
Func=DynamicFunc__append_salt

411
Func=DynamicFunc__crypt_md5

412
Test=$dynamic_1012$e82bf09e8a1899d4c3d00a3f380d5cdb$SXB:openwall

413
Test=$dynamic_1012$c0e024d9200b5705bc4804722636378a$admin:admin

414
Test=$dynamic_1012$14f8b3781f19a3b7ea520311482ce207$openwall:openwall

415
TestM=$dynamic_1012$b8db62204359efcbfc92da2d697d21cb$xkcR9B:12345678901234567890123

416
TestF=$dynamic_1012$61f55f04f8f4e05392415181bcf57420$rtJEIj:123456789012345678901234567890123456789012345678

417


418
####################################################################

419
## DYNAMIC type for webEdition CMS md5($p.PMD5(username))

420
## > select md5(username),passwd,UseSalt from tblUser

421
## PMD5(username), pre-computed md5 of username is salt

422
#####################################################################

423
[List.Generic:dynamic_1013]

424
Expression=md5($p.PMD5(username)) (webEdition CMS)

425
Flag=MGF_SALTED

426
MaxInputLenX86=48

427
MaxInputLen=23

428
SaltLen=32

429
Func=DynamicFunc__clean_input

430
Func=DynamicFunc__append_keys

431
Func=DynamicFunc__append_salt

432
Func=DynamicFunc__crypt_md5

433
Test=$dynamic_1013$14f8b3781f19a3b7ea520311482ce207$f2df0ddd3129c68b1ae7be05779ebeb3:openwall

434
TestM=$dynamic_1013$b8db62204359efcbfc92da2d697d21cb$f3ae4d2b2c3600df57bbeab163eac04b:12345678901234567890123

435
TestF=$dynamic_1013$61f55f04f8f4e05392415181bcf57420$5e87dbf3663cbead467fc645c5c9586d:123456789012345678901234567890123456789012345678

436


437
####################################################################

438
# Dynamic type for md5($p.$s) for long salts

439
####################################################################

440
[List.Generic:dynamic_1014]

441
# expression shown will be this string:

442
Expression=md5($p.$s) (long salt)

443
# Flag needed here, is Salt

444
Flag=MGF_SALTED

445
##JF Went from 1376k/1100k to 3483k/2600k by switching to flat buffer sse2

446
##JF Flag=MGF_NOTSSE2Safe

447
Flag=MGF_FLAT_BUFFERS

448
##JF Flag=MGF_FULL_CLEAN_REQUIRED

449
##JF MaxInputLen=32

450
MaxInputLenX86=110

451
MaxInputLen=110

452
SaltLen=-137

453
Func=DynamicFunc__clean_input

454
Func=DynamicFunc__append_keys

455
Func=DynamicFunc__append_salt

456
##JF Func=DynamicFunc__crypt_md5

457
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL

458
Test=$dynamic_1014$c0dbfba522fad4054da9808a2fa09580$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:test

459
Test=$dynamic_1014$6130b0e84d387ffd460fc83cffcc1426$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbc:aaaa

460
Test=$dynamic_1014$399df23011bb3742e83011c1074187e2$cccccccccccccccccccccccccccccccccccccccccccccccccccd:bbbb

461
Test=$dynamic_1014$b962b0d40fc9111ce5f8efab424bad73$NormalSaltNormal:secret

462
Test=$dynamic_1014$8bfccd9d67ec0bcdc38e9ae3c19a2903$FinishingwitHEX$:secret

463
Test=$dynamic_1014$bf239357f3aa95508a53fe41b7e5f2e3$inthem$HEXiddle6:secret

464
Test=$dynamic_1014$e463b65f14643afd970c7ea7e7efeb0f$123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890:12345678901234567890123456789012

465


466
####################################################################

467
# Dynamic type for md5(md5($p.$u).$s) for PostgreSQL 'pass the hash' weakness

468
# See also dynamic_1034 for PostgreSQL MD5

469
# http://www.openwall.com/lists/oss-security/2015/03/03/12

470
####################################################################

471
[List.Generic:dynamic_1015]

472
Expression=md5(md5($p.$u).$s) (PostgreSQL 'pass the hash')

473
Flag=MGF_SALTED

474
Flag=MGF_USERNAME

475
MaxInputLen=31

476
MaxInputLenX86=56

477
SaltLen=-23

478
Func=DynamicFunc__clean_input

479
Func=DynamicFunc__append_keys

480
Func=DynamicFunc__append_userid

481
Func=DynamicFunc__crypt_md5

482
Func=DynamicFunc__clean_input2

483
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

484
Func=DynamicFunc__append_salt2

485
Func=DynamicFunc__crypt_md5_in2_to_out1

486
Test=$dynamic_1015$1d586cc8d137e5f1733f234d224393e8$HEX$f063f05d:openwall:postgres

487
Test=$dynamic_1015$1c4e11fb51835c3bbe9851ec91ec1375$HEX$c31803a2:password:postgres

488
Test=$dynamic_1015$bf2a64f35feba7bf1b633d60393c1356$HEX$684697c8:openwall:postgres

489
# repeat one test in the format that is used in john.pot

490
Test=$dynamic_1015$1d586cc8d137e5f1733f234d224393e8$HEX$f063f05d242455706f737467726573:openwall

491
TestM=$dynamic_1015$c99b3494687ed9895d4ffca184a9daf5$M6krNt:1234567890123456789012345678901:usrx

492
TestF=$dynamic_1015$5618a66e934dfef13cae2d06d71bdf75$usrwxT:12345678901234567890123456789012345678901234567890123456:01234

493


494
####################################################################

495
# Dynamic type for md5($p.$s) for long salts

496
#  NOTE, we should use dynamic_2001 and not this hash.

497
####################################################################

498
[List.Generic:dynamic_1016]

499
# expression shown will be this string:

500
Expression=md5($p.$s) (long salt)

501
# Flag needed here, is Salt

502
Flag=MGF_SALTED

503
Flag=MGF_FLAT_BUFFERS

504
MaxInputLenX86=110

505
MaxInputLen=110

506
SaltLen=-137

507
Func=DynamicFunc__clean_input

508
Func=DynamicFunc__append_keys

509
Func=DynamicFunc__append_salt

510
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL

511
Test=$dynamic_1016$08e3ded271f83affc8f127dae3cb5bed$HEX$e30003fa000100000001000000000000000000000000000000000000000000000000000000000000d7dd1060ee06bec2:secret

512
# repeat that hash in exactly the same form that is used in john.pot

513
#Test=$dynamic_1016$08e3ded271f83affc8f127dae3cb5bed$HEX$48455824653330303033666130303031303030303030303130303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303064376464313036306565303662656332:secret

514


515
####################################################################

516
# Dynamic type for md5($s.$p) for long salts

517
#  NOTE, we should use dynamic_2004 and not this hash.

518
####################################################################

519
[List.Generic:dynamic_1017]

520
# expression shown will be this string:

521
Expression=md5($s.$p) (long salt)

522
# Flag needed here, is Salt

523
Flag=MGF_SALTED

524
Flag=MGF_FLAT_BUFFERS

525
MaxInputLenX86=55

526
MaxInputLen=55

527
SaltLen=-192

528
Func=DynamicFunc__clean_input

529
Func=DynamicFunc__append_salt

530
Func=DynamicFunc__append_keys

531
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL

532
# PrestaShop uses long salts, $s == _COOKIE_KEY_ (config/settings.inc.php file)

533
# PrestaShop hashes can be extracted from the "ps_employee" table ("ps_" is the default table prefix)

534
# PrestaShop 1.6.0.9 was used for testing this!

535
# Update: PrestaShop 1.7.x.y doesn't make use of the config/settings.inc.php

536
# file. It uses bcrypt hashing, and the hashes are stored in the ps_customer

537
# table.

538
#

539
# This hash format is also used by RADIUS Responses when salts are > 16 bytes long.

540
Test=$dynamic_1017$2b3f4811983db00560dfd4c28f67bc5a$B3DdR7ZVi2N26aVbR84bjSAHht8JYhqcDr1FK49jiQXFU8Vo66PKmAFt:lemons12345

541


542
[List.Generic:dynamic_1018]

543
Expression=md5(sha1(sha1($p)))

544
Flag=MGF_StartInX86Mode

545
Flag=MGF_KEYS_INPUT

546
MaxInputLen=55

547
MaxInputLenX86=110

548
Func=DynamicFunc__clean_input2_kwik

549
Func=DynamicFunc__SHA1_crypt_input1_append_input2

550
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

551
Func=DynamicFunc__X86toSSE_switch_input2

552
Func=DynamicFunc__crypt_md5_in2_to_out1

553
Test=$dynamic_1018$a93dcf04edd0e2b98c1165304c250b80:1234abcd

554
Test=$dynamic_1018$f3b5f01810c4d66ae0af85b3789e12cd:potato

555
TestM=$dynamic_1018$5c43d21a3dfb81435d45e78334fa6109:1234567890123456789012345678901234567890123456789012345

556
TestF=$dynamic_1018$073c8ec8e73fdedb7aad9df4ded29ba3:12345678901234567890123456789012345678901234567890123456789012345678901234567890

557


558
[List.Generic:dynamic_1019]

559
Expression=md5(sha1(sha1(md5($p))))

560
Flag=MGF_KEYS_INPUT

561
MaxInputLen=55

562
MaxInputLenX86=110

563
Func=DynamicFunc__crypt_md5

564
Func=DynamicFunc__SSEtoX86_switch_output1

565
Func=DynamicFunc__clean_input2_kwik

566
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

567
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

568
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

569
Func=DynamicFunc__X86toSSE_switch_input2

570
Func=DynamicFunc__crypt_md5_in2_to_out1

571
Test=$dynamic_1019$86f607194f0aefe63a6c13723e94382d:jjaammaaiiccaa

572
Test=$dynamic_1019$77faf9282c0c9b5870a4d9c3ec484aca:blink182

573
TestM=$dynamic_1019$bc679e2715c335fcf8b9205efd031521:1234567890123456789012345678901234567890123456789012345

574
TestF=$dynamic_1019$36966d66615d3c0de89ca53ed88212ec:12345678901234567890123456789012345678901234567890123456789012345678901234567890

575


576
[List.Generic:dynamic_1020]

577
Expression=md5(sha1(md5($p)))

578
Flag=MGF_KEYS_INPUT

579
MaxInputLen=55

580
MaxInputLenX86=110

581
Func=DynamicFunc__crypt_md5

582
Func=DynamicFunc__SSEtoX86_switch_output1

583
Func=DynamicFunc__clean_input2_kwik

584
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

585
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

586
Func=DynamicFunc__X86toSSE_switch_input2

587
Func=DynamicFunc__crypt_md5_in2_to_out1

588
Test=$dynamic_1020$2a8ce40b837c8550506d9b5d220bac28:0124

589
TestM=$dynamic_1020$74102b324b8b1cf909263284a53955aa:1234567890123456789012345678901234567890123456789012345

590
TestF=$dynamic_1020$e4ad9c1e34bad775d2cd399294c286e8:12345678901234567890123456789012345678901234567890123456789012345678901234567890

591


592
[List.Generic:dynamic_1021]

593
Expression=md5(sha1(md5(sha1($p))))

594
Flag=MGF_StartInX86Mode

595
Flag=MGF_KEYS_INPUT

596
MaxInputLen=55

597
MaxInputLenX86=110

598
Func=DynamicFunc__clean_input2_kwik

599
Func=DynamicFunc__SHA1_crypt_input1_append_input2

600
Func=DynamicFunc__X86toSSE_switch_input2

601
Func=DynamicFunc__crypt2_md5

602
Func=DynamicFunc__SSEtoX86_switch_output2

603
Func=DynamicFunc__clean_input2_kwik

604
Func=DynamicFunc__append_from_last_output2_as_base16

605
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

606
Func=DynamicFunc__X86toSSE_switch_input2

607
Func=DynamicFunc__crypt_md5_in2_to_out1

608
Test=$dynamic_1021$c1e054140feac1b411d3efc8bae5b881:norway

609
TestM=$dynamic_1021$dbf8fc7a96898e16e1251d94b3bb06d9:1234567890123456789012345678901234567890123456789012345

610
TestF=$dynamic_1021$df38670077cb4c299bcaf06e8271c986:12345678901234567890123456789012345678901234567890123456789012345678901234567890

611


612
[List.Generic:dynamic_1022]

613
Expression=md5(sha1(md5(sha1(md5($p)))))

614
Flag=MGF_KEYS_INPUT

615
MaxInputLen=55

616
MaxInputLenX86=110

617
Func=DynamicFunc__crypt_md5

618
Func=DynamicFunc__SSEtoX86_switch_output1

619
Func=DynamicFunc__clean_input2_kwik

620
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

621
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

622
Func=DynamicFunc__X86toSSE_switch_input2

623
Func=DynamicFunc__crypt2_md5

624
Func=DynamicFunc__SSEtoX86_switch_output2

625
Func=DynamicFunc__clean_input2_kwik

626
Func=DynamicFunc__append_from_last_output2_as_base16

627
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

628
Func=DynamicFunc__X86toSSE_switch_input2

629
Func=DynamicFunc__crypt_md5_in2_to_out1

630
Test=$dynamic_1022$9caf8c249c588a89030db581ec6cea47:313131

631
Test=$dynamic_1022$e1eb34c6ab9e9cbe4ff67fdeb747e169:8616

632
TestM=$dynamic_1022$d4d51c756abefb41bafbcff7c6237618:1234567890123456789012345678901234567890123456789012345

633
TestF=$dynamic_1022$9367b878de004be863000174e728c15f:12345678901234567890123456789012345678901234567890123456789012345678901234567890

634


635
[List.Generic:dynamic_1023]

636
Expression=sha1($p) (hash truncated to length 32)

637
Flag=MGF_KEYS_INPUT

638
Flag=MGF_FLAT_BUFFERS

639
Flag=MGF_POOR_OMP

640
MaxInputLen=110

641
MaxInputLenX86=110

642
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

643
Test=$dynamic_1023$5baa61e4c9b93f3f0682250b6cf8331b:password

644
Test=$dynamic_1023$e4227954acdafb57977d7dc8a1957095:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

645


646
[List.Generic:dynamic_1024]

647
Expression=sha1(md5($p)) (hash truncated to length 32)

648
Flag=MGF_KEYS_INPUT

649
MaxInputLen=55

650
MaxInputLenX86=110

651
Func=DynamicFunc__crypt_md5

652
Func=DynamicFunc__SSEtoX86_switch_output1

653
Func=DynamicFunc__clean_input2_kwik

654
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

655
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

656
Test=$dynamic_1024$c56289182ffd862d906eac1ce5c6fe6d:trigun

657
TestM=$dynamic_1024$e290c79e9584e4cd61faded848ff96f0:1234567890123456789012345678901234567890123456789012345

658
TestF=$dynamic_1024$609fed73c093edfbcc9913004656f360:12345678901234567890123456789012345678901234567890123456789012345678901234567890

659


660
[List.Generic:dynamic_1025]

661
Expression=sha1(md5(md5($p))) (hash truncated to length 32)

662
Flag=MGF_KEYS_INPUT

663
MaxInputLen=55

664
MaxInputLenX86=110

665
Func=DynamicFunc__crypt_md5

666
Func=DynamicFunc__clean_input2_kwik

667
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

668
Func=DynamicFunc__crypt2_md5

669
Func=DynamicFunc__SSEtoX86_switch_output2

670
Func=DynamicFunc__clean_input2_kwik

671
Func=DynamicFunc__append_from_last_output2_as_base16

672
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

673
Test=$dynamic_1025$f122db007ed655921f98184e4302bba8:123456

674
TestM=$dynamic_1025$006d246968ee9e761578bce26d5a82a2:1234567890123456789012345678901234567890123456789012345

675
TestF=$dynamic_1025$cc98637054045e998ab01e97ce65585e:12345678901234567890123456789012345678901234567890123456789012345678901234567890

676


677
[List.Generic:dynamic_1026]

678
Expression=sha1(sha1($p)) (hash truncated to length 32)

679
Flag=MGF_FLAT_BUFFERS

680
Flag=MGF_KEYS_INPUT

681
MaxInputLen=110

682
MaxInputLenX86=110

683
Func=DynamicFunc__clean_input2_kwik

684
Func=DynamicFunc__SHA1_crypt_input1_overwrite_input2

685
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

686
Test=$dynamic_1026$71b37a2d9b0a7d5dc4da8a08d9092817:peanuts

687
Test=$dynamic_1026$30f8cf133eaac8e3b6af4bcba722921d:peanut

688
Test=$dynamic_1026$809df50e02b68a389a8f6639a03421eb:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

689


690
[List.Generic:dynamic_1027]

691
Expression=sha1(sha1(sha1($p))) (hash truncated to length 32)

692
Flag=MGF_FLAT_BUFFERS

693
Flag=MGF_KEYS_INPUT

694
MaxInputLen=110

695
MaxInputLenX86=110

696
Func=DynamicFunc__clean_input2_kwik

697
Func=DynamicFunc__SHA1_crypt_input1_overwrite_input2

698
Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2

699
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

700
Test=$dynamic_1027$b8443c12b3066dac22b3857b2fb779b4:leelee

701
Test=$dynamic_1027$00aeb6dc5e6269a6b2f39728cd8a6812:test1

702
Test=$dynamic_1027$54e45916fb79f7be1c695828fdba4491:test3

703
Test=$dynamic_1027$d08a9796dc4ea6decf59ce43caa1b4b4:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

704


705
[List.Generic:dynamic_1028]

706
Expression=sha1(sha1_raw($p)) (hash truncated to length 32)

707
# currently, the raw sha1 does not work in SSE code.  It does work on 'flat' x86 code

708
Flag=MGF_FLAT_BUFFERS

709
Flag=MGF_KEYS_INPUT

710
MaxInputLen=110

711
MaxInputLenX86=110

712
Func=DynamicFunc__clean_input2

713
Func=DynamicFunc__LargeHash_OUTMode_raw

714
Func=DynamicFunc__SHA1_crypt_input1_append_input2

715
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

716
Test=$dynamic_1028$79239e0207cd5f6a472c8795c73b451d:rainbow

717
Test=$dynamic_1028$06c0bf5b64ece2f648b5f048a7190390:test1

718
Test=$dynamic_1028$f357e78cabad76fd3f1018ef85d78499:test3

719
Test=$dynamic_1028$64ad70ca481a2c33a2c843cc03555365:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

720


721
[List.Generic:dynamic_1029]

722
Expression=sha256($p) (hash truncated to length 32)

723
Flag=MGF_FLAT_BUFFERS

724
MaxInputLen=110

725
MaxInputLenX86=110

726
Func=DynamicFunc__clean_input

727
Func=DynamicFunc__append_keys

728
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL

729
Test=$dynamic_1029$e4ad93ca07acb8d908a3aa41e920ea4f:iloveyou

730
Test=$dynamic_1029$13b1f7ec5beaefc781e43a3b344371cd:freedom

731
Test=$dynamic_1029$aa97302150fce811425cd84537028a5a:computer

732
Test=$dynamic_1029$75ff6bea5b0ad25171988e435c24b3ee:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

733


734
[List.Generic:dynamic_1030]

735
Expression=whirlpool($p) (hash truncated to length 32)

736
Flag=MGF_FLAT_BUFFERS

737
MaxInputLen=110

738
MaxInputLenX86=110

739
Func=DynamicFunc__clean_input

740
Func=DynamicFunc__append_keys

741
Func=DynamicFunc__WHIRLPOOL_crypt_input1_to_output1_FINAL

742
Test=$dynamic_1030$56fd4ecb153a08b65a73b51e3c8ca369:spiral

743
Test=$dynamic_1030$6b116ef0c32185d3ae1136f4593a5cae:defender

744
Test=$dynamic_1030$fee8605795f28dda386324d59a28ba99:amazon

745
Test=$dynamic_1030$73622582350099f45647970c0a8a2496:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

746


747
[List.Generic:dynamic_1031]

748
Expression=gost($p) (hash truncated to length 32)

749
Flag=MGF_FLAT_BUFFERS

750
MaxInputLen=110

751
MaxInputLenX86=110

752
Func=DynamicFunc__clean_input

753
Func=DynamicFunc__append_keys

754
Func=DynamicFunc__GOST_crypt_input1_to_output1_FINAL

755
Test=$dynamic_1031$0e8cd409a23c2e7ad1c5b22b101dfa16:admin

756
Test=$dynamic_1031$3b024be97641061bdd5409b4866c26c5:test1

757
Test=$dynamic_1031$55719211936152fbe2e1f6aa796fa866:test3

758
Test=$dynamic_1031$096dd6ff632727d682070752fbda548e:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890

759


760
[List.Generic:dynamic_1032]

761
Expression=sha1_64(utf16($p)) (PeopleSoft)

762
Flag=MGF_INPBASE64m

763
Flag=MGF_FLAT_BUFFERS

764
Flag=MGF_UTF8

765
MaxInputLen=110

766
MaxInputLenX86=110

767
Func=DynamicFunc__clean_input

768
Func=DynamicFunc__setmode_unicode

769
Func=DynamicFunc__append_keys

770
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

771
Test=$dynamic_1032$6Pl/upEE0epQR5SObftn+s2fW3M=:password

772


773
[List.Generic:dynamic_1033]

774
Expression=sha1_64(utf16($p).$s)

775
Flag=MGF_INPBASE64m

776
Flag=MGF_FLAT_BUFFERS

777
Flag=MGF_SALTED

778
Flag=MGF_UTF8

779
SaltLen=-32

780
MaxInputLen=110

781
MaxInputLenX86=110

782
Func=DynamicFunc__clean_input

783
Func=DynamicFunc__setmode_unicode

784
Func=DynamicFunc__append_keys

785
Func=DynamicFunc__setmode_normal

786
Func=DynamicFunc__append_salt

787
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

788
# we want to make SURE that something ending with = mixed

789
# with others NOT ending with = are handled properly.

790
Test=$dynamic_1033$D7C1gHanUq1xE96HpEQitzAhNB8$FyKXs6zU:password

791
Test=$dynamic_1033$sh+Q50Cp4vERzDkJcaaKIv8zubM=$M1RxMCTZ:password2

792
Test=$dynamic_1033$DfM7ryjrNamyG0wRS6CwheZS6Mo$3swBL4qn:

793


794
####################################################################

795
# Dynamic type for md5($p.$u) for PostgreSQL stored MD5 hashes

796
# See also dynamic_1015 for PostgreSQL 'pass the hash' (with salt)

797
####################################################################

798
[List.Generic:dynamic_1034]

799
Expression=md5($p.$u) (PostgreSQL MD5)

800
Flag=MGF_USERNAME

801
SaltLen=-32

802
Func=DynamicFunc__clean_input

803
Func=DynamicFunc__append_keys

804
Func=DynamicFunc__append_userid

805
Func=DynamicFunc__crypt_md5

806
Test=$dynamic_1034$bd6fd49a627ecdbe4031b2d52d5748ab:openwall:postgres

807
Test=$dynamic_1034$32e12f215ba27cb750c9e093ce4b5127:password:postgres

808


809
[List.Generic:dynamic_1300]

810
MaxInputLen=55

811
MaxInputLenX86=110

812
Flag=MGF_POOR_OMP

813
Expression=md5(md5_raw($p))

814
Func=DynamicFunc__clean_input

815
Func=DynamicFunc__append_keys

816
# changed these 3 lines to the 4 lines that follow. This format has had problems

817
# in certain builds (like generic). Likely it is the set_input_len_16 causing

818
# issues and should be looked at. For now, the new method using input2 works fine.

819
#Func=DynamicFunc__crypt_md5_to_input_raw

820
#Func=DynamicFunc__set_input_len_16

821
#Func=DynamicFunc__crypt_md5

822
Func=DynamicFunc__crypt_md5

823
Func=DynamicFunc__clean_input2_kwik

824
Func=DynamicFunc__append2_from_last_output1_as_raw

825
Func=DynamicFunc__crypt_md5_in2_to_out1

826
Test=$dynamic_1300$43442676c74ae59f219c2d87fd6bad52:admin

827
Test=$dynamic_1300$5cbaca32e76bb49ca69657a9145d77ee:test1

828
Test=$dynamic_1300$1c8b12da6f307bbfe8d245c79d468b3d:test3

829
TestM=$dynamic_1300$60f3fd93d4e949d871dc7713664b2b4e:1234567890123456789012345678901234567890123456789012345

830
TestF=$dynamic_1300$d66e6e66ff4a8dc6f3665740268fe1bc:12345678901234567890123456789012345678901234567890123456789012345678901234567890

831


832
[List.Generic:dynamic_1350]

833
Expression=md5(md5($s.$p):$s)

834
# Flag needed here, is Salt.

835
CONST1=:

836
Flag=MGF_SALTED

837
SaltLen=2

838
MaxInputLen=53

839
MaxInputLenX86=108

840
Func=DynamicFunc__clean_input

841
Func=DynamicFunc__append_salt

842
Func=DynamicFunc__append_keys

843
Func=DynamicFunc__crypt_md5

844
Func=DynamicFunc__clean_input

845
Func=DynamicFunc__append_from_last_output_as_base16

846
Func=DynamicFunc__append_input1_from_CONST1

847
Func=DynamicFunc__append_salt

848
Func=DynamicFunc__crypt_md5

849
Test=$dynamic_1350$c1f58952ab714b5ef76926628f6e0b16$92:blondie

850
Test=$dynamic_1350$a130dbe6709653d602eec70945e14f87$9e:blondie

851
TestM=$dynamic_1350$0f7dcf84c95a3c191a4bff15c62058a0$12:12345678901234567890123456789012345678901234567890123

852
TestF=$dynamic_1350$f78bdbc1c68b64f52c40d777068309fb$12:123456789012345678901234567890123456789012345678901234567890123456789012345678

853


854
# Thanks to JimF for his help in making this format work

855
# (Jean-Michel Picod)

856
[List.Generic:dynamic_1400]

857
Expression=sha1(utf16($p)) (Microsoft CREDHIST)

858
Flag=MGF_INPUT_20_BYTE

859
Flag=MGF_StartInX86Mode

860
Flag=MGF_POOR_OMP

861
Flag=MGF_UTF8

862
MaxInputLen=55

863
MaxInputLenX86=110

864
Func=DynamicFunc__clean_input

865
Func=DynamicFunc__setmode_unicode

866
Func=DynamicFunc__append_keys

867
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

868
#Test=$dynamic_1500$e8f97fba9104d1ea5047948e6dfb67fa:password

869
Test=$dynamic_1400$e8f97fba9104d1ea5047948e6dfb67facd9f5b73:password

870


871
# Thanks JimF for his help making this format to work

872
# (Jean-Michel Picod)

873
[List.Generic:dynamic_1401]

874
Expression=md5($u.\nskyper\n.$p) (Skype MD5)

875
Flag=MGF_USERNAME

876
Flag=MGF_StartInX86Mode

877
Flag=MGF_INPUT_20_BYTE

878
CONST1=\x0Askyper\x0A

879
# 23 gives us ability to do user names up to 55-8-23 (or 24 byte user names)

880
# this should be ported to a flat format.

881
MaxInputLen=23

882
MaxInputLenX86=110

883
SaltLen=-24

884
Func=DynamicFunc__clean_input

885
Func=DynamicFunc__append_userid

886
Func=DynamicFunc__append_input1_from_CONST1

887
Func=DynamicFunc__append_keys

888
Func=DynamicFunc__crypt

889
# NOTE, I did not have full 40 byte hashes, but am using the INPUT_20_BYTE flag.

890
# The last 8 0's are only used for valid to work, and so we can add full hashes

891
# when we get them. Only the first 16 bytes is used in hash compare within JtR

892
Test=$dynamic_1401$27f6a9d892475e6ce0391de8d2d893f700000000:password:username

893
Test=$dynamic_1401$27f6a9d892475e6ce0391de8d2d893f700000000$$Uusername:password

894
# repeat that hash in exactly the same form that is used in john.pot

895
Test=$dynamic_1401$27f6a9d892475e6ce0391de8d2d893f700000000$HEX$2455757365726e616d65:password

896


897
# In Redmine, the hashed password is stored in the following form,

898
# SHA1(salt + SHA1(password))

899
#

900
# $ mysql -u root -p

901
# mysql> use bitnami_redmine;

902
# Database changed

903
# mysql> select * from users

904
[List.Generic:dynamic_1501]

905
Expression=sha1($s.sha1($p)) (Redmine)

906
Flag=MGF_INPUT_20_BYTE

907
Flag=MGF_SALTED

908
Flag=MGF_FLAT_BUFFERS

909
Flag=MGF_KEYS_BASE16_IN1_SHA1

910
SaltLen=32

911
MaxInputLenX86=110

912
MaxInputLen=110

913
Func=DynamicFunc__clean_input2_kwik

914
Func=DynamicFunc__append_salt2

915
Func=DynamicFunc__append_input2_from_input

916
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

917
Test=$dynamic_1501$dd49e260795cb71da6904b9bccec30cb79b189f5$21737e0ab18ae77caec21f73c6e60c8d:redminecrap

918
Test=$dynamic_1501$713769f2b8824e8f5abc2d3e4f9326f32ff1d46b$5bfe6f1c0f7a8d802032d1bf85225400:redminefff

919


920
# In XenForo, the hashed password is stored in the following form(s),

921
# sha1(sha1(password).salt)

922
#

923
# OR

924
#

925
# sha256(sha256(password).salt)

926
#   NOTE, added MGF_KEYS_BASE16_IN1_SHA1 and MGF_KEYS_BASE16_IN1_SHA256 flags

927
#   and the many salts speed is now greatly improved.

928
[List.Generic:dynamic_1502]

929
Expression=sha1(sha1($p).$s) (XenForo SHA-1)

930
Flag=MGF_INPUT_20_BYTE

931
Flag=MGF_SALTED

932
Flag=MGF_FLAT_BUFFERS

933
Flag=MGF_KEYS_BASE16_IN1_SHA1

934
SaltLen=-120  // dont know, so made it big, jfoug

935
MaxInputLenX86=110

936
MaxInputLen=110

937
Func=DynamicFunc__set_input_len_40

938
Func=DynamicFunc__append_salt

939
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

940
Test=$dynamic_1502$fd74fa6521e515921ad843a8465e34b703960db1$dummysalt:password

941


942
# note this hash could use the pre-compute limb-1 optimization we are wanting to do.

943
# that would take it from 3 sha256 limbs to 1 sha256 limb (in many salts). Right now,

944
# we have reduced it from 3 limbs to 2 limbs (for many salts).

945
[List.Generic:dynamic_1503]

946
Expression=sha256(sha256($p).$s) (XenForo SHA-256)

947
Flag=MGF_INPUT_32_BYTE

948
Flag=MGF_SALTED

949
Flag=MGF_FLAT_BUFFERS

950
Flag=MGF_KEYS_BASE16_IN1_SHA256

951
MaxInputLenX86=110

952
SaltLen=-120  // dont know, so made it big, jfoug

953
MaxInputLen=110

954
Func=DynamicFunc__set_input_len_64

955
Func=DynamicFunc__append_salt

956
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL

957
Test=$dynamic_1503$453f2e21fa6c150670d3ecf0e4a0ff3bab8b1903c2e96ad655d960b95f104248$697de9eda4a02563a7ec66d42d4a96995cb2948e29ab76fbcc89e8db71dd10f1:password

958
Test=$dynamic_1503$a8a0e9545c1475e8546f8546d87fe2516cf525c12ad79a6a7a8fee2fb0d8afd3$697de9eda4a02563a7ec66d42d4a96995cb2948e29ab76fbcc89e8db71dd10f1:verlongcrappypassword01234567890

959


960
# http://wiki.insidepro.com/index.php/sha1($a.$p.$s)

961
[List.Generic:dynamic_1504]

962
Expression=sha1($s.$p.$s)

963
Flag=MGF_INPUT_20_BYTE

964
Flag=MGF_SALTED

965
Flag=MGF_FLAT_BUFFERS

966
MaxInputLenX86=110

967
MaxInputLen=110

968
SaltLen=-68  // dont know, so made it max size that fits in 4 limb buffer, jfoug

969
Func=DynamicFunc__clean_input_kwik

970
Func=DynamicFunc__append_salt

971
Func=DynamicFunc__append_keys

972
Func=DynamicFunc__append_salt

973
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

974
Test=$dynamic_1504$114e4978430ee4fe2bc492f059f5c7aa400bf2fe$Salt:abcd

975
Test=$dynamic_1504$aab04277ffba1dee47288b05fa58d25e49a1935e$Salt:12345678

976
Test=$dynamic_1504$3b71a92fb2f4aeda9ae38211b67c5a4dc2a1771a$Salt:

977


978
# md5($p.$s.md5($p.$s)) (saw it on https://hashcat.net/trac)

979
[List.Generic:dynamic_1505]

980
Expression=md5($p.$s.md5($p.$s))

981
# to make flat (allows much longer passwords and salts)

982
Flag=MGF_FLAT_BUFFERS

983
MaxInputLen=110

984
SaltLen=-64

985
Flag=MGF_SALTED

986
MaxInputLenX86=110

987
Func=DynamicFunc__clean_input

988
Func=DynamicFunc__append_keys

989
Func=DynamicFunc__append_salt

990
Func=DynamicFunc__crypt_md5

991
Func=DynamicFunc__clean_input2

992
Func=DynamicFunc__append_keys2

993
Func=DynamicFunc__append_salt2

994
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

995
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL

996
Test=$dynamic_1505$b8bbabb1eb9802a2e962de0207ca5172$aaaSXB:test1

997


998
# https://www.trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-12c-password-hashes/

999
[List.Generic:dynamic_1506]

1000
Expression=md5($u.:XDB:.$p) (Oracle 12c "H" hash)

1001
Flag=MGF_USERNAME

1002
CONST1=:XDB:

1003
MaxInputLen=23

1004
MaxInputLenX86=110

1005
SaltLen=-27

1006
Func=DynamicFunc__clean_input

1007
Func=DynamicFunc__append_userid

1008
Func=DynamicFunc__append_input1_from_CONST1

1009
Func=DynamicFunc__append_keys

1010
Func=DynamicFunc__crypt

1011
Test=$dynamic_1506$dc9894a01797d91d92eca1da66242209:epsilon:DEMO

1012


1013
# salt here is really a const.

1014
[List.Generic:dynamic_1507]

1015
Expression=sha1(utf16($const.$p)) (Mcafee master pass)

1016
CONST1=\x01\x0f\x0d\x33

1017
Flag=MGF_FLAT_BUFFERS

1018
Flag=MGF_INPUT_20_BYTE

1019
MaxInputLen=110

1020
MaxInputLenX86=110

1021
Func=DynamicFunc__clean_input

1022
Func=DynamicFunc__setmode_unicode

1023
Func=DynamicFunc__append_input1_from_CONST1

1024
Func=DynamicFunc__append_keys

1025
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

1026
Test=$dynamic_1507$d4eaf666d09316f9d61b14753353a73d5fbcf048:test

1027
Test=$dynamic_1507$9dbe0d0ea16ae0a14c0c81a7c962b5a16e777259:test1

1028


1029
# Newer SunShop Shopping Cart. Older SunShop 4.1.0 uses md5($p) as the hashing

1030
# scheme. It seems that both these hash types can live together in a single

1031
# SunShop database.

1032
[List.Generic:dynamic_1518]

1033
Expression=md5(sha1($p).md5($p).sha1($p))

1034
Flag=MGF_FLAT_BUFFERS

1035
MaxInputLenX86=110

1036
MaxInputLen=110

1037
Func=DynamicFunc__clean_input_kwik

1038
Func=DynamicFunc__clean_input2_kwik

1039
Func=DynamicFunc__append_keys

1040
Func=DynamicFunc__SHA1_crypt_input1_append_input2

1041
Func=DynamicFunc__MD5_crypt_input1_append_input2

1042
Func=DynamicFunc__SHA1_crypt_input1_append_input2

1043
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL

1044
Test=$dynamic_1518$c756b56aed8d6748ee63e1e270c71a3f:password

1045
Test=$dynamic_1518$8e6db6b58e9e326aba17e19a36c79d95:menura

1046
Test=$dynamic_1518$2abe0f6794cc57663527ce7ab81fdaf3:stealth

1047
Test=$dynamic_1518$08793c9ab17a586b3af71d28e1cae2c1:fletch

1048
Test=$dynamic_1518$b19d46258f6a00f151367024789d71f1:smurfs

1049
Test=$dynamic_1518$065c78f47a7da2e2ca2bd76eed10f6cd:ralphy1

1050
Test=$dynamic_1518$82f7dd8a757d1a79126817940336087d:Kitesurfing1

1051


1052
# Telegram for Android hashes. Use ../run/telegram2john.py to extract the hashes.

1053
[List.Generic:dynamic_1528]

1054
Expression=sha256($s.$p.$s) (Telegram for Android)

1055
Flag=MGF_INPUT_32_BYTE

1056
Flag=MGF_SALTED

1057
Flag=MGF_FLAT_BUFFERS

1058
SaltLen=16

1059
Func=DynamicFunc__clean_input_kwik

1060
Func=DynamicFunc__append_salt

1061
Func=DynamicFunc__append_keys

1062
Func=DynamicFunc__append_salt

1063
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL

1064
Test=$dynamic_1528$dab5552484cc327bd6d23b2a1ceb55b6ffb30f305bc09962a9102a6cec63773c$HEX$9533cd79bf8739bdd47ff8998aaf578c:1234

1065
Test=$dynamic_1528$cad3fe1d4df2bf68c23f003e771c79fa42d10ae9a03671019d9c91a266a91372$HEX$901c3371d7de4b525b0e0a6abf4f392e:0987

1066


1067
# DeepSound hashes. Use ../run/deepsound2john.py to extract the hashes.

1068
[List.Generic:dynamic_1529]

1069
Expression=sha1($p null_padded_to_len_32) (DeepSound)

1070
Flag=MGF_INPUT_20_BYTE

1071
Flag=MGF_FLAT_BUFFERS

1072
Func=DynamicFunc__clean_input

1073
Func=DynamicFunc__append_keys

1074
Func=DynamicFunc__set_input_len_32

1075
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

1076
Test=$dynamic_1529$6f9fa2285514c73bcac858496361f19f477ee416:deep5ound

1077
Test=$dynamic_1529$66cad8923499423fa0c1d3974256d957840b9d69:iqlusion

1078
Test=$dynamic_1529$a3eb15172cc7e6090a2eb32e6dc8c3bd30c39a02:abcdefghijklmnopqrstuvwxyz012345

1079


1080
# MONGODB-CR system hashes

1081
# Input hash format => username:$dynamic_1550$hash

1082
[List.Generic:dynamic_1550]

1083
Expression=md5($u.:mongo:.$p) (MONGODB-CR system hash)

1084
Flag=MGF_USERNAME

1085
CONST1=:mongo:

1086
MaxInputLen=23

1087
MaxInputLenX86=110

1088
# note, saltlen + length(:mongo:) + length(plain) must stay <= 55 for SIMD

1089
#   so 25+7+23 == 55

1090
SaltLen=-25

1091
Func=DynamicFunc__clean_input

1092
Func=DynamicFunc__append_userid

1093
Func=DynamicFunc__append_input1_from_CONST1

1094
Func=DynamicFunc__append_keys

1095
Func=DynamicFunc__crypt

1096
Test=$dynamic_1550$08f32db65f837a52cd791bd923a61e95$$Usomeadmin:secret

1097
Test=$dynamic_1550$819951ad797c3564148a77cbecf3b166$$Uadmin:secret@12345

1098


1099
# MONGODB-CR network hashes  (user name < 8 bytes long)

1100
# Input hash format => username:$dynamic_1551$hash$salt$$Uusername

1101
[List.Generic:dynamic_1551]

1102
Expression=md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)

1103
Flag=MGF_USERNAME

1104
CONST1=:mongo:

1105
MaxInputLen=23

1106
MaxInputLenX86=110

1107
# note, saltlen + length(:mongo:) + length(plain) must stay <= 55 for SIMD

1108
#   so 25+7+23 == 55

1109
SaltLen=16

1110
Func=DynamicFunc__clean_input

1111
Func=DynamicFunc__clean_input2

1112
Func=DynamicFunc__append_userid

1113
Func=DynamicFunc__append_input1_from_CONST1

1114
Func=DynamicFunc__append_keys

1115
Func=DynamicFunc__append_salt2

1116
Func=DynamicFunc__append_userid2

1117
Func=DynamicFunc__crypt

1118
Func=DynamicFunc__append_from_last_output_to_input2_as_base16

1119
Func=DynamicFunc__crypt_md5_in2_to_out1

1120
Test=$dynamic_1551$0c85e3f74adce5d037426791940c820a$58d3229c83e3f87e$$Usa:sa

1121
Test=$dynamic_1551$797d7e18879446845f10ae9d519960b2$10441db416a99ffc$$Usa:longpassword

1122
Test=$dynamic_1551$a5ca2c517c06fdfb773144d53fb26f56$9b90cf265f3194d7$$UHerman:123456789

1123
Test=$dynamic_1551$441d6ece7356c67dcc69dd26e7e0501f$be8fa52f0e64c250$$Usz110:passWOrd

1124
Test=$dynamic_1551$c95e106f1d9952c88044a0b21a6bd3fd$304b81adddfb4d6f$$Ujack:

1125


1126
# MONGODB-CR network hashes  (user name >= 8 bytes long)

1127
# Input hash format => username:$dynamic_1552$hash$salt$$Uusername

1128
[List.Generic:dynamic_1552]

1129
Expression=md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)

1130
Flag=MGF_USERNAME

1131
Flag=MGF_FLAT_BUFFERS

1132
CONST1=:mongo:

1133
MaxInputLen=110

1134
MaxInputLenX86=110

1135
SaltLen=16

1136
Func=DynamicFunc__clean_input_kwik

1137
Func=DynamicFunc__clean_input2_kwik

1138
Func=DynamicFunc__append_userid

1139
Func=DynamicFunc__append_input1_from_CONST1

1140
Func=DynamicFunc__append_keys

1141
Func=DynamicFunc__append_salt2

1142
Func=DynamicFunc__append_userid2

1143
Func=DynamicFunc__MD5_crypt_input1_append_input2

1144
Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL

1145
Test=$dynamic_1552$10290925d16d81e50db242c9f3572d91$0000000000000000$$Ulongusername:longpassword@12345678

1146
Test=$dynamic_1552$53257e018399a241849cb04c70ba8daa$0000000000000000$$Ulongusername:longpassword

1147
Test=$dynamic_1552$1abe48bac6ad0bf567ab51b094f026a9$86336266301fb552$$Ulongusername:longpassword

1148
Test=$dynamic_1552$5c414259f7f7a42f8c4d1b6ffb37913a$8c82aec197929775$$Ueight18_characters:123

1149


1150
# SocialEngine hashes (Elijah [W&P])

1151
#

1152
# hash = md5('core secret'.'password'.'salt')

1153
# core.secret -> MySQL 'engine4_core_settings' table, row 'core.secret'

1154
# salt -> MySQL 'engine4_users' table, 'salt' column

1155
[List.Generic:dynamic_1560]

1156
Expression=md5($s.$p.$s2) (SocialEngine)

1157
Flag=MGF_SALTED

1158
Flag=MGF_SALTED2

1159
Flag=MGF_FLAT_BUFFERS

1160
SaltLen=-46

1161
Func=DynamicFunc__clean_input

1162
Func=DynamicFunc__append_salt

1163
Func=DynamicFunc__append_keys

1164
Func=DynamicFunc__append_2nd_salt

1165
Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL

1166
Test=$dynamic_1560$55fce7789372d510023fc819c0ce55a6$a6ebe407fa6e2337cb2deb573d17791e$$21060744:test1

1167
Test=$dynamic_1560$fd880f2c10f148c409f3c850a52201b0$6cbe843e024f59827c55f3a32d1c3be9$$22262250:thatsworking

1168
Test=$dynamic_1560$2b199a07acf8e9e36e47ec2a0178933b$2a4c7cf421315f49fae230e80acfa218$$29597016:test3

1169
Test=$dynamic_1560$13d806a7e87bc1b551478742349882a9$2161869cadcb41f1cc1e939f191c0bb35e58a9a7$$21060744:123123

1170


1171
# ColdFusion 11 hashes (Ivan Novikov <[email protected]>)

1172
# Hash is password variable from ./lib/password.properties

1173
# Salt is admin.userid.root.salt variable from ./lib/neo-security.xml

1174
[List.Generic:dynamic_1588]

1175
Expression=sha256($s.sha1($p)) (ColdFusion 11)

1176
Flag=MGF_INPUT_32_BYTE

1177
Flag=MGF_SALTED

1178
Flag=MGF_FLAT_BUFFERS

1179
Flag=MGF_BASE_16_OUTPUT_UPCASE

1180
SaltLen=64

1181
Func=DynamicFunc__clean_input_kwik

1182
Func=DynamicFunc__clean_input2_kwik

1183
Func=DynamicFunc__append_salt

1184
Func=DynamicFunc__append_keys2

1185
Func=DynamicFunc__SHA1_crypt_input2_append_input1

1186
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL

1187
Test=$dynamic_1588$37F816D599BFD69C5A0D750198AB6E46E26CEB120C9AF3B1E5306515058CBAE8$D7B6D57262290BC0A634D2D1A0DFE59F1FBE47885DBC9BB1CEBA8EA9D09D9839:test1234

1188


1189
# IBM AS/400 SHA1 hashes   !NOTE, salt is pre prepared, utf16be(space_pad_10(uc($user_name))

1190
[List.Generic:dynamic_1590]

1191
Expression=sha1(utf16be(space_pad_10(uc($s)).$p)) (IBM AS/400 SHA1)

1192
Flag=MGF_INPUT_20_BYTE

1193
Flag=MGF_SALTED

1194
Flag=MGF_FLAT_BUFFERS

1195
Flag=MGF_BASE_16_OUTPUT_UPCASE

1196
Flag=MGF_UTF8

1197
SaltLen=20

1198
Func=DynamicFunc__clean_input_kwik

1199
Func=DynamicFunc__append_salt

1200
Func=DynamicFunc__setmode_unicodeBE

1201
Func=DynamicFunc__append_keys

1202
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

1203
Test=$dynamic_1590$4C106E52CA196986E1C52C7FCD02AF046B76C73C$HEX$0052004F00420020002000200020002000200020:banaan

1204
Test=$dynamic_1590$CED8050C275A5005D101051FF5BCCADF693E8AB7$HEX$0042004100520054002000200020002000200020:Kulach007

1205
Test=$dynamic_1590$1BA6C7D54E9696ED33F4DF201E348CA8CA815F75$HEX$005300590053004F005000520020002000200020:T0Psecret!

1206
Test=$dynamic_1590$A1284B4F1BDD7ED598D4B5060D861D6D614620D3$HEX$00530059005300540045004D0020002000200020:P@ssword01

1207
Test=$dynamic_1590$94C55BC7EDF1996AC62E8145CDBFA285CA79ED2E$HEX$0051005300590053004400420041002000200020:qsysdba

1208
Test=$dynamic_1590$CDF4063E283B51EDB7B9A8E6E542042000BD9AE9$HEX$0051005300450043004F00460052002000200020:qsecofr!

1209
Test=$dynamic_1590$44D43148CFE5CC3372AFD2610BEE3D226B2B50C5$HEX$0054004500530054003100200020002000200020:password1

1210
Test=$dynamic_1590$349B12D6588843A1632649A501ABC353EBF409E4$HEX$0054004500530054003200200020002000200020:secret

1211
Test=$dynamic_1590$A97F2F9ED9977A8A628F8727E2851415B06DC540$HEX$0054004500530054003300200020002000200020:test3

1212


1213
# wbb3 SHA1 hashes

1214
[List.Generic:dynamic_1592]

1215
Expression=sha1($s.sha1($s.sha1($p))) (wbb3)

1216
Flag=MGF_INPUT_20_BYTE

1217
Flag=MGF_SALTED

1218
Flag=MGF_FLAT_BUFFERS

1219
Flag=MGF_KEYS_BASE16_IN1_SHA1

1220
Flag=MGF_FULL_CLEAN_REQUIRED2

1221
SaltLen=40

1222
Func=DynamicFunc__clean_input2_kwik

1223
Func=DynamicFunc__append_salt2

1224
Func=DynamicFunc__append_input2_from_input

1225
Func=DynamicFunc__LargeHash_set_offset_40

1226
Func=DynamicFunc__SHA1_crypt_input2_at_offset_input2

1227
Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL

1228
Test=$dynamic_1592$e2063f7c629d852302d3020599376016ff340399$0b053db07dc02bc6f6e24e00462f17e3c550afa9:123456

1229
Test=$dynamic_1592$f6975cc560c5d03feb702158d08f90bf2fa773d6$0b053db07dc02bc6f6e24e00462f17e3c550afa9:password

1230
Test=$dynamic_1592$2c56d23b44eb122bb176dfa2a1452afaf89f1143$a710463f75bf4568d398db32a53f9803007388a3:123456

1231
Test=$dynamic_1592$2596b5f8e7cdaf4b15604ad336b810e8e2935b1d$1039145e9e785ddb2ac7ccca89ac1b159b595cc1:12345678

1232
Test=$dynamic_1592$26496a87c1a7dd68f7beceb2fc40b6fc4223a453$db763342e23f8ccdbd9c90d1cc7896d80b7e0a44:12345678

1233
Test=$dynamic_1592$d945c02cf85738b7db4f4f05edd676283280a513$bf2c7d0c8fb6cb146adf8933e32da012d31b5bbb:123456789

1234
Test=$dynamic_1592$e3e03fe02223c5030e834f81997f614b43441853$d132b22d3f1d942b99cc1f5fbd5cc3eb0824d608:1234567890

1235


1236
# All credit for this format goes to Alexey Tyurin (ERPScan), François Gaudreault, and Martin Lemay

1237
# http://gosecure.net/2016/05/04/oracle-peoplesoft-still-a-threat-for-enterprises/ (source)

1238
# https://erpscan.com/press-center/blog/peoplesoft-security-part-4-peoplesoft-pentest-using-tokenchpoken-tool/

1239
# https://erpscan.com/wp-content/uploads/tools/ERPScan-tockenchpoken.zip

1240
[List.Generic:dynamic_1600]

1241
Expression=sha1($s.utf16le($p)) (Oracle PeopleSoft PS_TOKEN)

1242
Flag=MGF_INPUT_20_BYTE

1243
Flag=MGF_FLAT_BUFFERS

1244
Flag=MGF_SALTED

1245
Flag=MGF_UTF8

1246
SaltLen=-150

1247
Func=DynamicFunc__clean_input

1248
Func=DynamicFunc__append_salt

1249
Func=DynamicFunc__setmode_unicode

1250
Func=DynamicFunc__append_keys

1251
Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL

1252
Test=$dynamic_1600$e6155f87b073451076d81e3505f8b9fcd3f53b5a$HEX$710000000403020101000000bc0200000000000010500050005700450042004500580054000645004e0047000e50005300460054005f00480052003432003000310036002d00300034002d00300038002d00310039002e00320037002e00300035002e0030003000300030003000320000:password

1253
Test=$dynamic_1600$b5e335754127b25ba6f99a94c738e24cd634c35a$HEX$aa07d396f5038a6cbeded88d78d1d6c907e4079b3dc2e12fddee409a51cc05ae73e8cc24d518c923a2f79e49376594503e6238b806bfe33fa8516f4903a9b4:hashcat

1254
Test=$dynamic_1600$ac869d82e768c1af0e2b80679ddee8efe769d480$HEX$650000000403020101000000bc0200000000000004500053000645004e0047000e50005300460054005f00480052003432003000310035002d00300037002d00300031002d00300038002e00300036002e00340036002e0039003900390035003400330000:password@12345

1255


1256
# https://github.com/neo-project/neo-gui (tested with Neo GUI v2.3.2)

1257
[List.Generic:dynamic_1608]

1258
Expression=sha256(sha256_raw(sha256_raw($p))) (Neo Wallet)

1259
Flag=MGF_FLAT_BUFFERS

1260
Flag=MGF_INPUT_32_BYTE

1261
MaxInputLenX86=110

1262
MaxInputLen=110

1263
Func=DynamicFunc__clean_input_kwik

1264
Func=DynamicFunc__LargeHash_OUTMode_raw

1265
Func=DynamicFunc__append_keys

1266
Func=DynamicFunc__SHA256_crypt_input1_overwrite_input2

1267
Func=DynamicFunc__SHA256_crypt_input2_overwrite_input2

1268
Func=DynamicFunc__SHA256_crypt_input2_to_output1_FINAL

1269
Test=$dynamic_1608$f2a778f1a6ed3d5bc59a5d79104c598f3f07093f240ca4e91333fb09ed4f36da:abc

1270
Test=$dynamic_1608$8b12147de49a2832aca47a5bf6fbca12689420ac14c2547ab90f6d495f21f6dc:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEF

1271
Test=$dynamic_1608$2a1a9918abe22f14d737462301e0c17b125a5f9ba11dc1e872b5320180437d12:openwall

1272


1273
# https://www.oneidentity.com/products/authentication-services/

1274
# Author: Tim Brown. Borrowed from https://github.com/portcullislabs/linikatz (under BSD 3-Clause "New" or "Revised" License).

1275
[List.Generic:dynamic_1602]

1276
Expression=sha256(#.$salt.-.$pass) (QAS vas_auth)

1277
Flag=MGF_INPUT_32_BYTE

1278
Flag=MGF_USERNAME

1279
Flag=MGF_SALTED

1280
Flag=MGF_FLAT_BUFFERS

1281
CONST1=#

1282
CONST2=-

1283
SaltLen=36

1284
Func=DynamicFunc__clean_input

1285
Func=DynamicFunc__append_input1_from_CONST1

1286
Func=DynamicFunc__append_salt

1287
Func=DynamicFunc__append_input1_from_CONST2

1288
Func=DynamicFunc__append_keys

1289
Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL

1290
Test=$dynamic_1602$9b4d1328a3dc064704301d2da2975f97b9212d8f08539214b27fd3106dc208ff$C34208EA-8C33-473D-A9B4-53FB40347EA0:P0rtcu11i5!:Administrator@3rd-party.example.org

1291


1292
# this should be last line of the file.  Put other formats before this.  The formats in

1293
# the following included file are replacement formats for the MD4/5 formats which use

1294
# 'intermixed' SSE for speed, BUT which can not process longer passwords, due to being

1295
# limited to a single SSE buffer.  The formats in dynamic_flat_sse_formats.conf are using

1296
# the large hash 'flat' methods, which allow multiple SSE buffers. They are slower (sometimes

1297
# a LOT slower), than the intermixed SSE.  But they are much faster than oSSL code, and can

1298
# take full length passwords (110 bytes).

1299


1300
.include <dynamic_flat_sse_formats.conf>

1301


1302