Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 29 May 2015 17:19:51 +0300
From: Shinnok <admin@...nnok.com>
To: john-dev@...ts.openwall.com
Subject: Re: [Johnny] Task 1.5.1 Manual plaintext guessing


> On May 25, 2015, at 5:54 PM, Shinnok <admin@...nnok.com> wrote:
> I'd like to take the simplest approach as possible for this small feature:
> 
> 1. Separate johnHandler; Thus no session. Single question that stands is different john session name vs. don't allow running this feature if there's a current cracking session active?
> 2. Use --stdin method;
> 3. Passphrase will be tested agains all hashes since there's no simple way of doing otherwise ;
> 4. Isn't --skip-self-tests jumbo only? We don't need to think about it if so;
> 5. Single pashphrase at a time. Anything different than that falls into the wordlist attack category.
> 6. Input at the bottom of the table view is fine. It could also be a button in the actions toolbar with a popup message box.
> 

Mathieu,

You can proceed to this task until I have the stub for 1.5.3 ready, which requires some more time from me apparently. You have everything you need up there in the numbered list; implement a separate handler just like you're used to already. The handlers will fit right into my 1.5.3 design.

For now the easiest would be to add a separate action button to the toolbar(lots of room there left). Name it "Guess" and add a tooltip to it "I'm feeling lucky!". :-) I'll take care of the icon later, if I can still find the original source icon pack.
The button should popup a window for input then run the handler with that and update the table using the existing --show handler method. This is the simplest approach we can follow for now, to achieve this super simple action, that's probably missing from all other password crackers with a UI. Use cases include quickly confirming shoulder surfing scenarios, tip of the tongue forgotten password guessing attempts or quickly trying variations of info gathered from open source intel or other means. Anything more complex than that falls into the custom wordlist and mangling/rules attack methods.

Maybe for later, once we figure out how to interact better with JtR(the no-tty and stdout buffer) we can do more.

Regards,
Shinnok

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.