Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 7 Aug 2012 00:33:52 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Aleksey's daily status report #1

On 08/06/2012 09:38 PM, Aleksey Cherepanov wrote:
> Done
> 
> - writeup
> - tried sessions but failed

Is this what you described in your "how to handle sessions" mail?

> - format list
>   - reduced list to only supported by core john
>   - made field editable so user could enter anything

OK, this is what Solar asked for.
Would parsing john's usage output and generating the value list upon
start be much harder to do?
IMO, it would be more reliable. E.g., john versions prior to 1.7.9
didn't have trip.
But if Solar wants it this way, I am OK with it.
In most cases, auto detection should work, so that will be fine.

>   I hope these two actions are enough now.

For the format, I think this is currently enough.


Restoring an attack that had been started and paused is also a
must-have, but may be you want to address this when working on sessions.

I noticed you added a warning when there is no PathToJohn= line in the
config file.
Could you apply the same logic (searching for john in PATH) if the line
reads:
PathToJohn=
(This happens if the user clears the input field and then saves.)
May be allow this even without a warning during start, and just silently
search for john at start?
Or require an input, but warn if the PathToJohn=value
doesn't refer to an executable file (or to a symlink pointing to an
executable file?.
OTOH, a user can also enter a bogus value. E.g., entering
/home/fd/git/johnny/johnny
also resulted in funny behavior when I tried "start attack"


> To do
> 
> - sessions

Even if we allow attacks with different session names, I think in the
first version we shouldn't support starting multiple sessions in
parallel. The user has to pause (interrupt) a currently running attack,
before he can start or restore another attack.

Otherwise mixed output, different password files, different formats will
currently be too difficult to handle.

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.