Date: Fri, 05 Jun 2015 20:13:28 +0200
From: Frank Dittrich <frank.dittrich@...lbox.org>
To: john-dev@...ts.openwall.com
Subject: Re: poor man's fuzzer

On 06/05/2015 03:08 PM, Kai Zhao wrote:
>> I don't have a goal to fully do this myself - rather my goal is to show to
>> you that there's more work on this, and that there's still plenty of
>> low-hanging fruit (that you somehow missed? or/and that got added
>> after you were done with fuzzing?)
>
> Thanks. I missed a lot. I will learn your script. If you update your fuzzing
> script, please let me know.

Alexander Cherepanov also posted a john format fuzzer some time ago
which uncovered tons of bugs:
http://article.gmane.org/gmane.comp.security.openwall.john.devel/8105

It needs some adjustments:
- it is no longer necessary to search the source code for hashes,
  this can be replaced with
      ./john --list=format-tests | cut -f 3
- some hashes use additional delimiters between components of hashes,
  e.g., '#' instead of just '$' and '*'.

and maybe
- don't run each format against all the fuzzed format tests of all
  formats (at least not as long as you find bugs by just fuzzing the
  format specific hashes)

Frank
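
A sketch of the three adjustments listed in the message above, as an added example that is not part of Frank's message and is not Alexander Cherepanov's fuzzer. The sample lines, format labels and mutation set are constructed for illustration; treating field 1 of the `--list=format-tests` output as the format label is an assumption (the message only states that field 3 is the hash).

```python
import re
from collections import defaultdict

# Constructed sample in the tab-separated shape of `./john --list=format-tests`.
# Field 3 is the hash (per the message); field 1 as format label is an assumption.
SAMPLE = (
    "fmt-a\t0\t$fmt$1000$0a1b2c3d$deadbeef\tpassword\n"
    "fmt-b\t0\t$fmtb$*0*16*aabbccdd#user\tsecret\n"
)

# '$' and '*' plus the additional '#' delimiter mentioned in the message.
DELIMS = re.compile(r"([$*#])")

def split_components(hash_str):
    """Split into alternating components (even index) and delimiters (odd index)."""
    return DELIMS.split(hash_str)

def mutate(component):
    """Deterministic malformed variants of one component (illustrative set)."""
    variants = ["", component[:-1], component * 2, "A" * 300]
    if component.isdigit():
        # Numeric fields (counts, lengths) get boundary values as well.
        variants += ["-1", "0", "4294967296"]
    # Drop duplicates, keep order, never emit the unmodified component.
    return [v for v in dict.fromkeys(variants) if v != component]

def fuzz_hash(hash_str):
    """Mutate one component at a time so the rest of the hash still parses."""
    parts = split_components(hash_str)
    out = []
    for i in range(0, len(parts), 2):
        if not parts[i]:
            continue  # empty slot between adjacent delimiters
        for variant in mutate(parts[i]):
            out.append("".join(parts[:i] + [variant] + parts[i + 1:]))
    return out

def fuzz_by_format(format_tests_text):
    """Group fuzzed hashes per format so each format only sees its own tests."""
    per_format = defaultdict(list)
    for line in format_tests_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not fields[2]:
            continue  # skip malformed or hash-less lines
        per_format[fields[0]].extend(fuzz_hash(fields[2]))
    return dict(per_format)

if __name__ == "__main__":
    for label, hashes in fuzz_by_format(SAMPLE).items():
        print(f"{label}: {len(hashes)} fuzzed candidates")
```

Each per-format list can be written to its own file and loaded with only that format selected, which is the narrowing suggested in the last bullet.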