Date: Fri, 29 Sep 2017 16:10:31 -0800
From: Royce Williams <royce@...ho.org>
To: john-users@...ts.openwall.com
Subject: Re: RFC: Hashkiller Rosetta Stone

(I apologize for the duplicate post; I'll treat this one as the "correct"
one)

On Fri, Sep 29, 2017 at 1:58 PM, Solar Designer <solar@...nwall.com> wrote:

> On Fri, Sep 29, 2017 at 07:20:31AM -0800, Royce Williams wrote:
> > I'm working on a Hashkiller Rosetta Stone (a list of upload formats
> > supported by Hashkiller, and how to use those modes in hashcat, john, and
> > MDXfind.)
> >
> > A draft is here:
> >
> > https://gist.github.com/roycewilliams/28a9e940e7cd37268ceeac4962bda757
> >
> > Any help/tips appreciated. I don't know the underlying algorithm of many
> > product-specific formats, so I'm almost certainly missing some obvious
> > ones.
>
> It'd help if you list example hashes, preferably all for a fixed
> password like "password", so that you don't need to list the
> corresponding different plaintext passwords as well.
>

That's a really good idea. I will do this.


> JtR supports command-line dynamic formats now (and has been for a couple
> of years, due to work by Jim), so most if not all of your "unsupported"s
> are actually supported at least in this way.
>

Cool. I will investigate this.


> Those command-line dynamics typically allow for a higher password
> length, too.  For example, when experimenting with Update 2 from
> https://haveibeenpwned.com/Passwords I found that "--external=Repeats"
> cracks plenty of passwords of lengths up to 109 (and I've just tested
> that it cracks 110 too, but not 111 - as expected) with
> "--format=dynamic='sha1($p)'", whereas "--format=raw-sha1" only goes up
> to length 55 (also as expected).


Indeed. For completeness, I'll try to make such differences explicit
somehow in the table.



> > My future ambition is to expand this concept to be a Rosetta Stone for the
> > superset of all formats supported by any known product. Small steps first.
> > :)
>
> Cool.  With JtR's command-line dynamics, its list of supported formats
> is sort of "infinite", though. ;-)  But I guess you'll list only those
> actually seen in use somewhere.
>

Heh, fair enough.


>
> BTW, I found that the command-line dynamics are much easier to use than
> having to remember the old numeric dynamics.
>

That makes sense.
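
The suggestion above, listing example hashes for one fixed password such as "password", can be scripted. This is an added example, not code from the thread or from John the Ripper: a small evaluator for expressions written in the style of the `sha1($p)` string quoted above. The set of functions, the `$s` salt variable and the rule that a nested call receives the inner digest as lowercase hex are assumptions of this sketch, so compare its output with the tool before putting it in a table.

```python
import hashlib
import re

ALGOS = {"md5", "sha1", "sha256", "sha512"}  # subset chosen for this sketch
TOKEN = re.compile(r"\$[ps]|[a-z0-9]+|[().]")

def evaluate(expr, password, salt=""):
    """Evaluate e.g. sha1(md5($p).$s) and return the resulting string."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported syntax in {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def term():
        nonlocal pos
        tok = peek()
        pos += 1
        if tok == "$p":
            return password
        if tok == "$s":
            return salt
        if tok in ALGOS and peek() == "(":
            pos += 1
            inner = concat()
            if peek() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            pos += 1
            # Assumption: a digest is handed to the outer call as lowercase hex.
            return hashlib.new(tok, inner.encode("utf-8")).hexdigest()
        raise ValueError(f"unexpected token {tok!r} in {expr!r}")

    def concat():
        nonlocal pos
        out = term()
        while peek() == ".":  # '.' concatenates two terms
            pos += 1
            out += term()
        return out

    result = concat()
    if pos != len(tokens):
        raise ValueError(f"trailing input in {expr!r}")
    return result

if __name__ == "__main__":
    # Constructed sample: fixed password "password", salt "salt".
    for e in ("md5($p)", "sha1($p)", "md5(md5($p))", "sha1($p.$s)"):
        print(f"{e:14} {evaluate(e, 'password', 'salt')}")
```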
