Date: Thu, 10 Mar 2016 20:06:45 +0100
From: Marek Wrzosek <marek.wrzosek@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Johnny's "Guess password" button

On 09.03.2016 at 16:32, Marek Wrzosek wrote:
> On 09.03.2016 at 14:44, Shinnok wrote:
>> Hi Marek,
>>
>>
>>
>> Indeed Johnny is using --stdin for Guess.
>>
>>> or:
>>>
>>> $ echo foo > single_word
>>> $ ./john --wordlist=single_word ...
>>>
>>> It would be easier to use rexgen with alphabet like this:
>>>
>>> $ ./john --guess=624686 --regex=alpha:T9='\0' --stdout
>>
>> There is no option --guess to john. I'm not sure how useful this could be in the main tool.
>>
>>>
>>> instead of:
>>>
>>> $ echo 624686 | ./john --stdin --regex=alpha:T9='\0' --stdout
>>>
>>> or even:
>>>
>>> $ ./john --regex='[mno6][abc2][ghi4][mno6][tuv8][mno6]' --stdout
>>>
>>> Instead of applying regex mode, it could be hybrid mask or word mangling
>>> rules (just like for wordlist mode).
>>
>> The rexgen approach is indeed interesting, though it would be a jumbo specific implementation. I don't remember it being proposed when Guess was being discussed, do you see any specific benefits for considering this with a jumbo detection? (we already have some jumbo specific functionality in Johnny)
>>
>> Shinnok
>>
> 
> Hi Shinnok
> 
> If Johnny is using --stdin for the "Guess password" function, then where is
> it in the "Console log"? ;-)
> I assume that the --stdin option was created with more complex commands in
> mind than "echo foo". In fact, it is for commands that would generate
> way too long wordlists, that are practical to store uncompressed,
> because using wordlist mode is more practical.
> "Guess password" in Johnny is very poor compared to using "echo
> foo|./john --stdin ...", because in john the user could do everything with
> that single word. In Johnny only this one word will be checked; it's
> closer to "./john --mask=foo ...". The downside of using mask mode is
> that mask mode is last in the chain, so you can't apply rules or anything
> else. Using a "guess mode", which would simply be a nameless wordlist with
> only one word, would require less typing. That's all.
> Maybe it would be wise to add an "Advanced options" button to the
> "Password Guessing" window that would allow the user to apply rules, masks,
> external filters, etc.
> 
> Best Regards,
> Marek
> 
PS. I forgot to mention restoring sessions with the --stdin option. It
is possible, but john will never be able to restore standard input -
it's on the user's shoulders. And rules don't work with --stdin :-(
So if someone tries to guess a password "by hand" but with john's help, the
best way to do that is creating a wordlist with one or a few words.
E.g.:
$ echo "foo" > guess_wordlist
$ ./john --wordlist=guess_wordlist --rules=all --mask=?w?1?2?2?2?2?2?2?3?3?3?3?d?d?d?d --session=guess hashes

The guess.rec file will contain the name of the wordlist, but not its content. If,
in the meantime, the content of this wordlist is changed, then we have a
problem.

-- 
Marek Wrzosek
marek.wrzosek@...il.com
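
The PS above notes that guess.rec keeps the wordlist's name but not its content. As an added example (not part of the original message and not part of John the Ripper), these shell functions pin the wordlist's SHA-256 beside the session and refuse to restore if the file has changed; the function names and the ".wordlist.sha256" sidecar file are assumptions.

```shell
#!/bin/sh
# Added example: detect a wordlist that changed between starting a john
# session and restoring it. The sidecar file "<session>.wordlist.sha256"
# and all function names are assumptions, not john features.

# Print only the SHA-256 of a file (read via stdin so no file name is echoed).
wordlist_hash() {
    sha256sum < "$1" | cut -d' ' -f1
}

# pin_wordlist SESSION WORDLIST
# Run once, just before starting the session; stores "<hash><TAB><path>".
pin_wordlist() {
    session=$1; wordlist=$2
    [ -r "$wordlist" ] || { echo "cannot read wordlist: $wordlist" >&2; return 2; }
    printf '%s\t%s\n' "$(wordlist_hash "$wordlist")" "$wordlist" \
        > "$session.wordlist.sha256"
}

# verify_wordlist SESSION
# Returns 0 if the wordlist is unchanged, 1 if its content changed,
# 2 if the pin file or the wordlist itself is missing.
verify_wordlist() {
    pin="$1.wordlist.sha256"
    [ -r "$pin" ] || { echo "no pin file: $pin" >&2; return 2; }
    pinned=$(cut -f1 "$pin")
    wordlist=$(cut -f2- "$pin")
    [ -r "$wordlist" ] || { echo "wordlist missing: $wordlist" >&2; return 2; }
    if [ "$(wordlist_hash "$wordlist")" != "$pinned" ]; then
        echo "wordlist changed since session start: $wordlist" >&2
        return 1
    fi
    return 0
}

# restore_session SESSION
# Resume with john's --restore only when the pinned wordlist still matches.
restore_session() {
    verify_wordlist "$1" && ./john --restore="$1"
}
```

With the session from the message, this would be `pin_wordlist guess guess_wordlist` before the `--session=guess` run and `restore_session guess` afterwards.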
