Date: Fri, 29 Sep 2017 16:10:31 -0800
From: Royce Williams <royce@...ho.org>
To: john-users@...ts.openwall.com
Subject: Re: RFC: Hashkiller Rosetta Stone

(I apologize for the duplicate post; I'll treat this one as the "correct" one)

On Fri, Sep 29, 2017 at 1:58 PM, Solar Designer <solar@...nwall.com> wrote:

> On Fri, Sep 29, 2017 at 07:20:31AM -0800, Royce Williams wrote:
> > I'm working on a Hashkiller Rosetta Stone (a list of upload formats
> > supported by Hashkiller, and how to use those modes in hashcat, john, and
> > MDXfind.)
> >
> > A draft is here:
> >
> > https://gist.github.com/roycewilliams/28a9e940e7cd37268ceeac4962bda757
> >
> > Any help/tips appreciated. I don't know the underlying algorithm of many
> > product-specific formats, so I'm almost certainly missing some obvious
> > ones.
>
> It'd help if you list example hashes, preferably all for a fixed
> password like "password", so that you don't need to list the
> corresponding different plaintext passwords as well.

That's a really good idea. I will do this.

> JtR supports command-line dynamic formats now (and has been for a couple
> of years, due to work by Jim), so most if not all of your "unsupported"s
> are actually supported at least in this way.

Cool. I will investigate this.

> Those command-line dynamics typically allow for a higher password
> length, too. For example, when experimenting with Update 2 from
> https://haveibeenpwned.com/Passwords I found that "--external=Repeats"
> cracks plenty of passwords of lengths up to 109 (and I've just tested
> that it cracks 110 too, but not 111 - as expected) with
> "--format=dynamic='sha1($p)'", whereas "--format=raw-sha1" only goes up
> to length 55 (also as expected).

Indeed. For completeness, I'll try to make such differences explicit
somehow in the table.

> > My future ambition is to expand this concept to be a Rosetta Stone for
> > the superset of all formats supported by any known product. Small steps
> > first.
> > :)
>
> Cool. With JtR's command-line dynamics, its list of supported formats
> is sort of "infinite", though. ;-) But I guess you'll list only those
> actually seen in use somewhere.

Heh, fair enough.

> BTW, I found that the command-line dynamics are much easier to use than
> having to remember the old numeric dynamics.

That makes sense.
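
Added example, not part of the original message and not JtR code: a SHA-1 restricted to a single compression call, showing that 55 bytes is the longest input that still fits one 64-byte block once padding is added. That this is why "--format=raw-sha1" stops at 55 is an assumption here; the 110/111 boundary of the dynamic format is not modelled.

```python
import hashlib
import struct

BLOCK = 64                      # SHA-1 block size in bytes
MAX_ONE_BLOCK = BLOCK - 1 - 8   # 0x80 marker + 64-bit length field leave 55

def pad(msg: bytes) -> bytes:
    """Standard SHA-1 padding: 0x80, zero fill, big-endian bit length."""
    zeros = (BLOCK - (len(msg) + 9) % BLOCK) % BLOCK
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(msg) * 8)

def blocks_needed(length: int) -> int:
    """Number of 64-byte blocks a message of this length occupies after padding."""
    return len(pad(b"\x00" * length)) // BLOCK

def rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_single_block(msg: bytes) -> str:
    """SHA-1 limited to one compression call, like a fixed-size fast path."""
    if len(msg) > MAX_ONE_BLOCK:
        raise ValueError("input needs more than one block")
    w = list(struct.unpack(">16I", pad(msg)))
    for i in range(16, 80):     # message schedule expansion
        w.append(rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, rol(b, 30), c, d
    return "".join("%08x" % ((x + y) & 0xFFFFFFFF) for x, y in zip(h, (a, b, c, d, e)))

if __name__ == "__main__":
    for n in (55, 56):          # the boundary mentioned in the thread
        print(n, "bytes ->", blocks_needed(n), "block(s)")
    pw = b"password"            # fixed test password suggested in the thread
    print(sha1_single_block(pw), sha1_single_block(pw) == hashlib.sha1(pw).hexdigest())
```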