Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Mar 2016 16:32:56 +0100
From: Marek Wrzosek <marek.wrzosek@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Johnny's "Guess password" button

W dniu 09.03.2016 o 14:44, Shinnok pisze:
> Hi Marek,
> 
> 
>> On Mar 4, 2016, at 6:57 PM, Marek Wrzosek <marek.wrzosek@...il.com> wrote:
>>
>> Hi list
>>
>> How does "Guess password" work? Does it use john at all? There is no
>> sign of it in the console log. Were there any plans of adding similar
>> function to john? I mean e.g.:
>> $./john --guess=foo ...
>>
>> instead of something like this:
>>
>> $ echo foo|./john --stdin ...
>>
> 
> Indeed Johnny is using --stdin for Guess.
> 
>> or:
>>
>> $ echo foo > single_word
>> $ ./john --wordlist=single_word ...
>>
>> It would be easier to use rexgen with alphabet like this:
>>
>> $ ./john --guess=624686 --regex=alpha:T9='\0' --stdout
> 
> There is no option --guess to john. I'm not sure how useful this could be in the main tool.
> 
>>
>> instead of:
>>
>> $ echo 624686 | ./john --stdin --regex=alpha:T9='\0' --stdout
>>
>> or even;
>>
>> $ ./john --regex='[mno6][abc2][ghi4][mno6][tuv8][mno6]' --stdout
>>
>> Instead of applying regex mode, it could be hybrid mask or word mangling
>> rules (just like for wordlist mode).
> 
> The rexgen approach is indeed interesting, though it would be a jumbo specific implementation. I don't remember it being proposed when Guess was being discussed, do you see any specific benefits  for considering this with a jumbo detection? (we already have some jumbo specific functionality in Johnny)
> 
> Shinnok
> 

Hi Shinnok

If Johnny is using --stdin for "Guess password" function, then where is
it in a "Console log"? ;-)
I assume, that --stdin option was created for more complex command in
mind, than "echo foo". In fact, it is for commands, that would generate
way too long wordlists, that are practical to store uncompressed,
because using wordlist mode is more practical.
"Guess password" in Johnny is very poor comparing to using "echo
foo|./john --stdin ...", because in john, user could do everything with
that single word. In Johnny only this one word will be checked, it's
closer to "./john --mask=foo ...". The downside of using mask mode is
that mask mode is last in a chain, so you can't apply rules or anything
else. Using "guess mode", which would be simply nameless wordlist with
only one word, would require less typing. That's all.
Maybe would be wise to add the "Advanced options" button to the
"Password Guessing" window, that would allow user to apply rules, mask,
external filters, etc.

Best Regards,
Marek
-- 
Marek Wrzosek
marek.wrzosek@...il.com

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.