Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 May 2015 17:19:51 +0300
From: Shinnok <>
Subject: Re: [Johnny] Task 1.5.1 Manual plaintext guessing

> On May 25, 2015, at 5:54 PM, Shinnok <> wrote:
> I'd like to take the simplest approach as possible for this small feature:
> 1. Separate johnHandler; Thus no session. Single question that stands is different john session name vs. don't allow running this feature if there's a current cracking session active?
> 2. Use --stdin method;
> 3. Passphrase will be tested agains all hashes since there's no simple way of doing otherwise ;
> 4. Isn't --skip-self-tests jumbo only? We don't need to think about it if so;
> 5. Single pashphrase at a time. Anything different than that falls into the wordlist attack category.
> 6. Input at the bottom of the table view is fine. It could also be a button in the actions toolbar with a popup message box.


You can proceed to this task until I have the stub for 1.5.3 ready, which requires some more time from me apparently. You have everything you need up there in the numbered list; implement a separate handler just like you're used to already. The handlers will fit right into my 1.5.3 design.

For now the easiest would be to add a separate action button to the toolbar(lots of room there left). Name it "Guess" and add a tooltip to it "I'm feeling lucky!". :-) I'll take care of the icon later, if I can still find the original source icon pack.
The button should popup a window for input then run the handler with that and update the table using the existing --show handler method. This is the simplest approach we can follow for now, to achieve this super simple action, that's probably missing from all other password crackers with a UI. Use cases include quickly confirming shoulder surfing scenarios, tip of the tongue forgotten password guessing attempts or quickly trying variations of info gathered from open source intel or other means. Anything more complex than that falls into the custom wordlist and mangling/rules attack methods.

Maybe for later, once we figure out how to interact better with JtR(the no-tty and stdout buffer) we can do more.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.