Date: Thu, 7 May 2015 19:20:51 +0300
From: Shinnok <admin@...nnok.com>
To: john-dev@...ts.openwall.com
Subject: Re: Session names somename.[0-9]+ shouldn't be allowed


> On May 7, 2015, at 5:43 PM, Solar Designer <solar@...nwall.com> wrote:
> 
> On Thu, May 07, 2015 at 10:32:47AM -0400, Mathieu Laprise wrote:
>> I don't know if this has been already said by Aleksey, I didn't follow
>> closely this discussion. Sorry if it's a duplicate. I just want to warn
>> that current magnum/master seems to have side effects on all versions of
>> Johnny which is probably related to this thread. The way Johnny opens a new
>> password file is this:
>> 
>> C:/Users/Mathieu/Desktop/JohnCompile/JohnTheRipper/run/john.exe
>> --session=C:/Users/Mathieu/.john/johnny/default
>> C:/Users/Mathieu/Desktop/password.txt
>> 
>> 
>> And output is:
>> 
>> Invalid session name: must not contain a dot
> 
> Ouch, I didn't realize people were passing pathnames to --session.  This
> was never supposed to work, but it just happened to.  I think it's a bug
> in Johnny, and should be fixed there.
> 
> But there may be more to it.  I realize it may be unclean to have the
> session files go to the current directory.  Maybe $JOHN should be used
> as the directory to store .rec and .log files into even with explicit
> session names?
> 
> What do others think?

The $USER/.john/ on Windows should be fixed, yes, especially since it's not nice to hide files like that in Windows.

I'm not sure exactly as to whether we'll require absolute URLs for session names at this point, I guess it depends on how far away we look into the future.
What I can say for a certainty is that I'd like Johnny to be capable of working with several JtR versions (numbers, core, jumbo) without much hassle, and if we take on managing sessions out of $JOHN then we'd also have to keep track of which is which and what is what, which is another responsibility to assume.
Keeping sessions in $JOHN will absolve us from that responsibility. However, there's the pollution issue: if the user is a heavy one, he might have lots of manual sessions in there along with Johnny's. Maybe it would help if we prefix Johnny's session names (johnny_$sessionname)?

Shinnok
