Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Jun 2015 21:51:07 -0400
From: Mathieu Laprise <mathlaprise@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: Johnny test feedback (was: Mathieu's weekly report #7)

Frank, thanks for your feedback. I really appreciate it. It will help
improving Johnny to get user's feedback. Shinnok and I need to understand
what users like and what users don't like to set our priorities.
On Tue, Jun 16, 2015 at 5:34 AM, Frank Dittrich <frank.dittrich@...lbox.org>
wrote:

> When I run ./johnny from the command line, I get a warning which is
> probably harmless, but might confuse some users:
> libpng warning: iCCP: known incorrect sRGB profile
>
I don't get this warning on my distro, I'll search Google to understand how
to correct it.

> I must admit that I find the term "Passwd File" somewhat confusing
> (because the file contains hashes, not passwords), but that term matches
> john's usage output:
> Usage: john [OPTIONS] [PASSWORD-FILES]
>
I understand your concern. I guess for beginner, "open password file" is
less confusing but for tech-savy people, "open hash file" would be less
confusing.

> What I like less is that pressing the "Start Attack" icon just starts
> john without any options, cracking just the descrypt hashes, ignoring
> all the other hashes.
> May be the user should be forced to pick a hash format. (After all, you
> already know that there are many different formats in the file, you
> don't need to parse ./john's stderr output...)
>
The user has to switch to the console log to see all the warnings.
>
Yes, it's true that the console log is probably the most important view of
Johnny when something goes wrong. In our roadmap, we should add a task to
make important error messages of john stands out more because it's not
every user that will think about going to the console log. It's probably an
important point for Johnny's future and it should be further discussed.
Sometimes, the user will see that the attack stopped by looking at the
buttons but if he doesn't have the reflex to go look at the console log,
he'll never understand what happened : no hashes found, wrong parameter,
wrong format etc... ? There are so many reasons. Good point ! Also it's
true that maybe forcing user to pick a hash format would avoid errors for
the users. Since default option "auto-detect"(which start john without
option) isn't working really great most of the time when we have multiple
hash formats in the file, it's not really error-prone. We have to go see
the console log, look at the error and change format most of the time in
this situation. It can be annoying like you said.

> I must admit that I noticed the "Open Last Session" icon only after
> starting johnny several times.
> That's why, resuming the work seemed to be rather complicated.
> When I paused the attack, closed johnny, and restarted johnny, I would
> have preferred johnny to load the previously loaded hashes, may be after
> automatically parsing the .rec file of the default session.
> Instead, I did re-load the hashes manually. I couldn't even pick from a
> list of previously used files, but has to navigate through the file system.
> Also, the "Resume Attack" icon was not active until I opened the same
> "Passwd File" again.
> Instead of automatically loading the hashes when restarting johnny, the
> "Resume Attack" icon could be active of no password hashes are loaded,
> and when pressing it, johnny could automatically load the password
> hashes after parsing the .rec file of the default session.
> I would prefer getting rid of the "Open Last Session" icon if johnny
> would just do "the right thing". But please ask for input of other users.
>
1) I think it's a great idea to always open the latest session when Johnny
start. If Shinnok agree, I'll add this feature.
2) I think you will appreciate the new feature I'm working on (session
history and properly save the session settings to restore UI).  This
screenshot summarize it
https://cloud.githubusercontent.com/assets/9955284/8185757/1bd9d742-1414-11e5-9ba3-460e68f2f93d.png
. Session history is automatically saved and the history can be cleared by
the user. The user can open any undeleted previous sessions of his choice
and the options will be filled with the right settings in the UI. Because
right now, if you load the last session, the UI won't reflect the
settings(example: fork is enabled, mode = single etc.), so you can't easily
differentiate sessions.

> There is no indication that the passwords of two users have been
> cracked. The status bar is just showing "0%".
> (After I restarted johnny several times, I noticed that it also prints
> the number of guessed passwords, so may be I just didn't wait long
> enough when I noticed that the number of cracked passwords was not
> indicated on the status line.)
>
Were those password already cracked in the .pot file before starting this
johnny session(or from another format than the currently choosen format in
johnny) ? If yes, it's two known bugs : one which was merged yesterday and
one which is in my TODO list.

> The fact that both "users" used empty passwords doesn't help to indicate
> which hashes had been cracked.
> May be you need to somehow indicate that the password has been found
> even if the password is empty (or consists of a sequence of spaces).
>
Good point, I'll make a issue on github regarding password starting with
space to discuss about it. Maybe color the rows of the tableview of cracked
password in green.

[ CONTENT OF TYPE text/html SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ