Date: Sun, 7 Jun 2015 23:01:49 +0800
From: Kai Zhao <>
Subject: Re: Fuzzing Report on hashes

> There's, however, a major omission: you didn't create any issues for the
> false positives.  This is probably two issues:

I do not understand the false positives.

django_scrypt_fmt_plug.c: 64


$ cat pwfile

The pwfile is different from the test vector of django_scrypt_fmt_plug.

14 -> 41

$ ./john pwfile
Using default input encoding: UTF-8
Loaded 1 password hash (django-scrypt [Salsa20/8 128/128 AVX])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1234567890       (?)
1g 0:00:00:00 DONE 2/3 (2015-06-07 22:59) 50.00g/s 400.0p/s 400.0c/s
400.0C/s 123456..abc123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So the problem is that john reports "1234567890" is the password?

> Isn't this 21 issues?
> 1412-1392+1 = 21

There is no 1400. I created the 1400 and later I found this issue was
the same as 1399, so I closed the 1400. It's my mistake.

> You could want to enhance this with --session and --pot pointing to
> files on a tmpfs mount, and run multiple processes at a time (I don't
> know how this is done with afl; you should know) with different session
> files for each concurrent child process.

Thanks for your advice, I will give it a try.
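An added example, not part of this thread and not john's own code, showing the two checks a report like the one above calls for: an independent recomputation of the hash for the password the cracker reported (a reported crack whose recomputation does not match is a false positive), and a strict loader that bounds the cost parameters so a fuzzer mutation such as "14" -> "41" is rejected before it is ever computed. The hash layout (`scrypt$salt$log2N$r$p$dklen$base64digest`), the salt `saltsalt`, the memory bound and the function names are all constructed for the example; the real django_scrypt_fmt_plug syntax is not reproduced here.

```python
import base64
import hashlib
import hmac

# Constructed hash layout for this example (an assumption, not the real
# django_scrypt_fmt_plug syntax):
#   scrypt$<salt>$<log2 N>$<r>$<p>$<dklen>$<base64 digest>
PREFIX = "scrypt"
MAX_MEM = 32 * 1024 * 1024   # constructed policy: reject hashes needing > 32 MiB
MAX_P = 16
FIELDS = 7


def make_hash(password, salt, log2_n=14, r=8, p=1, dklen=64):
    """Build a hash string in the constructed layout from known parameters."""
    digest = hashlib.scrypt(password.encode(), salt=salt.encode(),
                            n=1 << log2_n, r=r, p=p, dklen=dklen,
                            maxmem=2 * MAX_MEM)
    return "$".join([PREFIX, salt, str(log2_n), str(r), str(p), str(dklen),
                     base64.b64encode(digest).decode()])


def parse(h):
    """Strict loader: return the parsed fields, or None when the string is not
    a hash this format should ever accept. Rejecting mutated cost fields here
    keeps a fuzzed hash from reaching the expensive computation at all."""
    parts = h.split("$")
    if len(parts) != FIELDS or parts[0] != PREFIX or not parts[1]:
        return None
    _, salt, log2_n, r, p, dklen, b64 = parts
    if not all(x.isdigit() for x in (log2_n, r, p, dklen)):
        return None
    log2_n, r, p, dklen = int(log2_n), int(r), int(p), int(dklen)
    # scrypt needs roughly 128 * r * N bytes; an unbounded N (2**41 after a
    # "14" -> "41" mutation) would exhaust memory rather than crack anything.
    if not (1 <= log2_n <= 64) or r < 1 or 128 * r * (1 << log2_n) > MAX_MEM:
        return None
    if not (1 <= p <= MAX_P and 16 <= dklen <= 64):
        return None
    try:
        digest = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(digest) != dklen:
        return None
    return salt, log2_n, r, p, dklen, digest


def verify(h, password):
    """Recompute the hash for a reported password and compare in constant
    time. Run this on every password a cracker reports before believing it."""
    fields = parse(h)
    if fields is None:
        return False
    salt, log2_n, r, p, dklen, digest = fields
    cand = hashlib.scrypt(password.encode(), salt=salt.encode(),
                          n=1 << log2_n, r=r, p=p, dklen=dklen,
                          maxmem=2 * MAX_MEM)
    return hmac.compare_digest(cand, digest)


def mutate_field(h, index, value):
    """Rewrite one '$'-separated field, the way a single fuzzer mutation would."""
    parts = h.split("$")
    parts[index] = value
    return "$".join(parts)


# Constructed sample: the candidate reported in the thread, hashed with a
# constructed salt and the "14" cost field that the fuzzer turned into "41".
SAMPLE = make_hash("1234567890", "saltsalt", log2_n=14)
MUTATED_COST = mutate_field(SAMPLE, 2, "41")
_d = SAMPLE.split("$")[6]
# Change the first base64 character: still decodes, still 64 bytes, wrong digest.
MUTATED_DIGEST = mutate_field(SAMPLE, 6, ("A" if _d[0] != "A" else "B") + _d[1:])

if __name__ == "__main__":
    print("original verifies      :", verify(SAMPLE, "1234567890"))        # True
    print("cost 14->41 loads      :", parse(MUTATED_COST) is not None)     # False
    print("digest mutation matches:", verify(MUTATED_DIGEST, "1234567890")) # False
```

`parse` is the shape a format's loader needs: field count, prefix, numeric fields, bounded cost, and a decoded digest of exactly the declared length. `verify` is the independent check to run on a cracker's reported password; the cracker's own "cracked" line is the claim, not the evidence.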
