Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 22 Apr 2015 00:08:39 +0300
From: Aleksey Cherepanov <lyosha@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Johnny: core/jumbo differences

On Tue, Apr 21, 2015 at 05:18:22PM +0300, Aleksey Cherepanov wrote:
> I've tried to write down exhaustive list of differences between john
> core and john jumbo. I don't know everything, so feel free to comment.
> 
> This list does not cover usage of the differences in Johnny. I'll make
> a follow up with ideas.

Some ideas for all those options, not prioritized. I am not sure what
should fall under "jumbo support" and "*2john". What options are
needed in johnny to be not so limited for jumbo?

What are show-stoppers that prevent johnny from being used much?

After working through jumbo options, I don't think that jumbo is very
different: there are 3 new cracking modes, there are a lot of options
for tweaking, there is --list= interface to improve interactive gui
features. That's all, is not it?

Having -fork, I'd say Johnny lacks ability to attack one file with
several attacks at the same time, attack multiple files with one/many
attacks (BTW john can attack several files in one invocation: like
`john *.pw`). Also I fing inconvenient the way newly cracked passwords
are shown: user have to monitor the log page. It is not very different
from cmd line john (or at least it differs from my expectations from
the gui).

BTW I found quite confusing: when short wordlist finishes its work,
just start/pause buttons switches, there is no big banner "the attack
is finished!!!!".

If the log is so important then it may be shown all the time as a
small region with 1-5 lines of the log. The log may be not from cli
but from events to show only really important things to the user.

(There is no border between fantasies and really important features in
this text.)


> * Common CLI options without differences

> * Common CLI Options
> 
> The format:
> core option
> jumbo option
> comments
> 
> ----------------------------------------
> 
> --single                   "single crack" mode
> 
> --single[=SECTION]        "single crack" mode
>
> It is possible to choose Rules section to run with single mode.
> [List.Rules:Single] is the default in both versions (so --single is
> equivalent to --single=Single; though parameters are not case
> sensitive).

and

> --rules                    enable word mangling rules for wordlist mode
> 
> --rules[=SECTION]         enable word mangling rules for wordlist modes
> 
> $ ./core-1.8.0/run/john --rules=NT --wordlist=~/d/t.pw ~/d/t.pw
> Extra parameter for option: "--rules=NT"
> 
> Core does not allow rules section to be specified. Both versions
> default to [List.Rules:Wordlist]

Currently johnny does not allow to choose rules section for single
mode and wordlist mode. `john --list=rules` can be used to get the
list of rules sections. Though single mode has additional rules, I am
not sure how they affect wordlist mode and if rules for wordlist mode
are good for single mode.

> ----------------------------------------
> 
> --wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
> 
> --wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin
>                   --pipe  like --stdin, but bulk reads, and allows rules
> 
> $ ./core-1.8.0/run/john --wordlist ~/d/t.pw
> Option requires a parameter: "--wordlist"
> 
> The default wordlist is used by default in jumbo:
> [Options]
> # Wordlist file name, to be used in batch mode
> Wordlist = $JOHN/password.lst
> 
> Also jumbo has --stdin and --pipe options to read candidates from
> standard input.

It may be possible to put john's default wordlist as the default for
this option in johnny. It may be useful to remember wordlists used by
user between restarts of johnny.

> ----------------------------------------
> 
> --show                     show cracked passwords
> 
> --show[=LEFT]             show cracked passwords [if =LEFT, then uncracked]
> 
> In jumbo --show can print remaining hashes but it drops dupes (when
> there is 1 canonical hash for 2 users and the hash is in different
> forms and/or there are different gecos).
> 
> ----------------------------------------
> 
> --salts=[-]N               load salts with[out] at least N passwords only
> 
> --salts=[-]COUNT[:MAX]    load salts with[out] COUNT [to MAX] hashes

That's an option to choose hashes. Like other options to choose hashes
to be loaded, it may be implemented as filter for table view.

> ----------------------------------------
> 
> --format=NAME              force hash type NAME: descrypt/bsdicrypt/md5crypt/
>                            bcrypt/LM/AFS/tripcode/dummy/crypt
> 
> --format=NAME             force hash of type NAME. The supported formats can
>                           be seen with --list=formats and --list=subformats
> 
> Format list is much larger in jumbo, also it is possible to specify
> hash type for generic crypt through --subformat option.

List of format names may be loaded on the fly with `john
--list=formats`. Though usually it is not needed to specify the
format. There are several cases it is needed:
- file contain hashes of different formats, user wants to attack
different part of file (running john against file does mean that
all hashes are under attack),
- hashes are loaded incorrectly: they may be loaded as several formats
and the default format is not what user wants,
- to choose format's implementation (regular vs -ng, cpu vs -gpu, and
others).



> * Jumbo-only CLI options
> 
> --loopback[=FILE]         like --wordlist, but fetch words from a .pot file

It seems to be a separate mode. It may be implemented as a checkbox
for wordlist mode.

> --dupe-suppression        suppress all dupes in wordlist (and force preload)

It affects performance only. It may be made as a setting. Or some more
clever heuristic may be implemented: use dupe suppression only for
slow hashes.

> --prince[=FILE]           PRINCE mode, read words from FILE
> --mask=MASK               mask mode using MASK
> --markov[=OPTIONS]        "Markov" mode (see doc/MARKOV)

The cracking modes not supported by johnny yet. Rexgen is one too.

It may be useful to make "feature testing" determing capabilities of
john in use.

> --pot=NAME                pot file to use
> --list=WHAT               list capabilities, see --list=help or doc/OPTIONS
> --help                    print usage summary, just like running the command
>                           without any parameters
> --config=FILE             use FILE instead of john.conf or john.ini



> --mem-file-size=SIZE      size threshold for wordlist preload (default 5 MB)

It may be done as a setting.

> --progress-every=N        emit a status line every N seconds
> --crack-status            emit a status line whenever a password is cracked

It may be useful for johnny. Though there may be buffering.

> --log-stderr              log to screen instead of file

It may be helpful to see log in output with option to write found
passwords to log because this way it possible to connect the passwords
with rules used.

> --costs=[-]C[:M][,...]    load salts with[out] cost value Cn [to Mn] for
>                           tunable cost parameters, see doc/OPTIONS
>                           (comma separated list of values/ranges per param.)

Another hash selector.

> --field-separator-char=C  use 'C' instead of the ':' in input and pot files

This option allows to load hashes that are separated not with colon.
There are formats that use or allow colon as part of them. Johnny
won't open such files nicely.

Hm, theoretically there may be a hash with all possible characters
alone on a line in input file... Not sure what then.

> --max-run-time=N          gracefully exit after this many seconds

It may be showed to user to limit the work.

> --stress-test[=TIME]      loop self tests forever

Johnny may have a mode/page for benchmarks.

> --encoding=NAME           input encoding (eg. UTF-8, ISO-8859-1). See also
>                           doc/ENCODING and --list=hidden-options.
> --input-encoding=NAME     input encoding (alias for --encoding)
> --internal-encoding=NAME  encoding used in rules/masks (see doc/ENCODING)
> --target-encoding=NAME    output encoding (used by format, see doc/ENCODING)

Encoding stuff.

> --format=CLASS            valid classes: dynamic, cpu
> --subformat=FORMAT        pick a benchmark format for --format=crypt
> --mkpc=N                  request a lower max. keys per crypt
> --min-length=N            request a minimum candidate length
> --max-length=N            request a maximum candidate length
> --fix-state-delay=N       performance tweak, see doc/OPTIONS
> --nolog                   disables creation and writing to john.log file
> --bare-always-valid=C     if C is 'Y' or 'y', then the dynamic format will
>                           always treat bare hashes as valid
> --keep-guessing           try more candidates for cracked hashes (ie. search
>                           for plaintext collisions)
> --regen-lost-salts=N      regenerate lost salts (see doc/OPTIONS)
> --mkv-stats=FILE          "Markov" stats file (see doc/MARKOV)
> --reject-printable        reject printable binaries
> --verbosity=N             change verbosity (1-5, default 3)
> --skip-self-tests         skip self tests

There are options to tweak john. There may be "advanced user" checkbox
to show all of them.

I am not sure that it is good to put some of such options to settings
page because it seems natural to separate johnny's settings and john's
options to be applied always. Also john has options in the config file.

Hm, some options have settings in config file:
# Emit a status line whenever a password is cracked (this is the same as
# passing the --crack-status option flag to john). NOTE: if this is set
# to true here, --crack-status will toggle it back to false.
CrackStatus = N


> * Config file
> 
> In Jumbo config files may include other files. Core john has only one
> file.
> 
> John built from sources searches config file (and other files) in run/
> directory, john installed from package most usually looks into ~/.john
> and /etc/john . While distros usually use john core, there distros
> with jumbo. Also this behaviour may depend on distro.
> 
> With jumbo, you can get path to the folder with --list=build-info option:
> $ jumbo/run/john --list=build-info
> [...]
> $JOHN is jumbo/run/
> [...]

The setting to use with --log-stderr in trick mentioned above:
# Write cracked passwords to the log file (default is just the user name)
LogCrackedPasswords = N


> * Utilities and tools
> 
> In core
> john - john
> mailer - "script to send mail to all users whose passwords got cracked."
> makechr - utility to make .chr files (incremental mode) from current .pot
> relbench - statistics for benchmarks
> unafs
> unique - filter to remove dupes in wordlist saving order
> unshadow
> 
> unafs and unshadow may fall into *2john category.
> 
> 
> BTW Jumbo has bash auto-completions.
> 
> 
> In jumbo there are various utilities:
> 
> *2john converters (including symlinks):
> 
> These tools usually read file(s) and print hashes to stdout in a form
> john understands them. Some utilities perform quite non-trivial
> parsing using pulled-in third party libraries.
> 
> 1password2john.py
> 7z2john.py
[...]
> wpapcap2john
> zip2john
> 
> undrop

These utilities may be used to "import" files. So to crack a .7z file
with password you don't apply john to the file, you make a hash using
7z2john.py and then apply john on the hash.

It may be tricky to choose the tool automatically. Though some files
have simple connection between their extensions and the tools (.7z
files have .7z on the end, though not all files are so).

The other way to pick the tools is to get the file's format by
magic/signature. On Linux, it is possible to call `file` utility.
Though it may be unsafe (though running the utilities on user's files
may be unsafe).

The utilities are written in various languages. While johnny does not
have anything to do with it, such zoo may be a problem to package john
(e.g. to prepare a bundle john + johnny + all dependencies).

> There are more tools:
> 
> base64conv - raw/hex/base64(mime/crypt/cryptBS) converter
> genincstats.rb - make statistics from .inc file
> leet.pl - rules generator for leet speak
> netscreen.py - netscreen hasher
> hextoraw.pl - unhex for pass_gen.pl
> pass_gen.pl - dynamic formats hasher
> sha-dump.pl - ldap dumper
> sha-test.pl - ldap sha1 hasher
> calc_stat - some statistics for wordlist
> 
> benchmark-unify
> # John the Ripper benchmark output conversion tool, revision 1
> 
> netntlm.pl
> #   The purpose of this script is to aid with cracking a LM/NTLM
> #   challenge/response set, when part of the password is known. It
> #   was written with John's NetLM/NetNTLM formats and "halflmchall"
> #   Rainbow Tables in mind.
> 
> unrule.pl
> # Extract basewords from list of plains. Based on an embryo from epixoip.
> # ./unrule.pl < rockyou.lst > basewords.lst
> 
> (I don't know at all)
> genmkvpwd
> mkvcalcproba
> SIPdump
> tgtsnarf
> cprepair

They does not seem very important now.


Thanks!

-- 
Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.