Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 22 May 2009 01:45:13 +0200
From: Bucsay Balázs <>
Subject: Re: GI John

First of all, please try it before you write anything.

Minga Minga wrote:
>> Finally I can publish my distributed patch for john. Its seems to
>> working, i hope it will be stable in the future, when more people will
>> use it.
>> You can download it from here:
> Interesting project. Ill give it a try. I hope lots of people use it.
> Then again, I would not use something like this for client's
> passwords. Its too dangerous to share your hashes with
> strangers on the Internet.
I heard this opinion before, and I dont agree with it, and I wont.
If you upload some hashes, the system only stores the hash without the
username. The username is a unnecessary thing for the GI John, because
we only want the plainttext form of the hashes. If I download the
hashlist, I cant get the username, host, service etc. If you can get
those, you can write a mail for me in private :)

> Notes:
> 1) The error message
> <error>No such user. Please register, or change the account.</error>
> ... implies that the username is invalid, if I pick a valid username will I
> get a different error message? If so, this is user-enumeration
> vulnerability. And I can use it to brute force user names. And maybe
> eventually passwords.
Thats only an error message, not more :) If an error happend on the
login, the client will get this message.

> 2)  The traffic to the server is over port 80.  Will it be sending
> password hashes and plain-text non-encrypted over the Internet?
> That's really dangerous - I would wrap it with 'stunnel' if
> was running an SSL web-server. Which is doesn't
> POST /newsession.php?user=testing&pass=testpassword HTTP/1.0
> Host:
> hashes=%3C%3Fxml%20version%3D%221.0%22............etc
> 3) In the POST above, by sending the login and password in the
> URL, you are allowing the credentials to be stored in a variety of
> places (some of which might be out of your reach). Including incoming
> and outgoing proxy logs. and your web-server logs. If I gained access
> to your logfiles - I would have EVERYONE's login and password.
> You are putting your user's at risk.
Yeah I now this 2, the plaintext-in-get login is an evolution leftover :)
But, if i move it to the post part, you can sniff too, but you are
rigth, its better than the present.
> 4) If my machine is a member of the "cloud" - can I be able to
> display all the hashes that I am attempting to crack for other
> users? This is a large information disclosure. (as mentioned
> above). I could easily create a "dummy" client that talks to the
> server and constantly requests new hashes.
I dont see your point. If you are in the grid/cloud/whatever, that means
you want to crack something, you want to use your free cpu. If you want
to crack hashes, to not to get bored, or get points or something else,
you have to download some hashes from the server, isnt it right? If you
downloaded it, it is in your memory, you can do anything with it.
How else can you solve this problem?

> -Minga

Anyway thanks :)

Balázs Bucsay

To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.