Date: Tue, 6 Jan 2015 10:34:54 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: PRINCE approach from hashcat On Mon, Jan 05, 2015 at 01:21:34PM -0500, Matt Weir wrote: > I ran some tests with PRINCE and posted the results here: > http://reusablesec.blogspot.com/2014/12/tool-deep-dive-prince.html. I need > to model a longer cracking session but I was pleasantly surprised with how > well it did. Thanks! Your "Experiment 3) PRINCE and JtR Wordlist + Incremental mode targeting the MySpace list" is interesting and relevant. PRINCE does perform surprisingly well there. Something to note, however, is that per atom's Passwords14 talk, PRINCE is intended for slow hashes, whereas per your test results it performed slightly worse than JtR incremental during the first 1 billion guesses (which is often more than would be tested against slow hashes in a non-targeted attack). It did crack 1.5% more of the passwords than JtR's incremental by 10 billion guesses. So it appears to be a good thing to have in the arsenal, but not exactly a slow hash focused mode. In fact, zoom-ins for first 1 billion and first 100M guesses would be interesting to see. (Less than 100M would be interesting too, but then you'd need to perform extra test runs with less wordlist pre-cracking, because it's kind of pointless to compare PRINCE vs. incremental at less than 100M when you pre-crack ~100M with a wordlist. To simulate attacks on slow hashes, the amounts of pre-cracking and PRINCE/incremental need to stay sane with respect to each other.) I am also curious about the lengths distribution among cracked passwords. I guess with PRINCE the average cracked password length is higher than with JtR's incremental. Is this so? Especially if you exclude the wordlist pre-cracked passwords from the length statistics. Then, what's the total percentage of passwords cracked by PRINCE and JtR's incremental combined? You got PRINCE to 72.5% and incremental to 71%, but if you combine the two at the 10 billion mark, would you get e.g. 75%? What about 5 billion mark (so 10 billion total for both, thus comparable to the end results for the two modes individually)? Finally, you write: "JtR Incremental=UTF8, (equivalent to "ALL" in the older version of JtR)". I think the equivalent to 1.7.9's "All" is 1.8's "ASCII", not 1.8-jumbo's "UTF8". I don't know if this affected your results significantly (and how) or not. I'd be curious to know the answer to that: if "UTF8" performs better than "ASCII" on your test, maybe we'd want to make it the default in jumbo. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.