Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 16 Sep 2018 12:49:27 -0300
From: Claudio André <claudioandre.br@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: john-users@...ts.openwall.com
Subject: Re: John the Ripper on Windows (includes OpenCL on
 Windows)

Em 16/09/2018 11:50, Solar Designer escreveu:
> On Sat, Sep 15, 2018 at 10:04:28AM -0300, Claudio Andr?? wrote:
>> I would say that if you need John for Windows you should use
>> https://rebrand.ly/JtRWin64 [2][3]:
>> - it is 100% JtR magnum's source code;
>> - it is built and tested on an actual (and auditable) Windows machine;
>> - it works on CMD, no need to install CygWin, ...
>> - I (tried, at least, to) handled all details;
> Great, thanks!  In what way is that Windows machine "auditable"?  Isn't
> it a third-party machine that we know little about?

It means anyone can see what these machines have installed (packages and 
versions) [1].
- See https://www.appveyor.com/docs/build-environment/
   1. The history of build worker image updates can be found online.
   2. Before rolling out an image update they do perform some testing.
- I guess any customer (deploying directly from AppVeyor) can ask for a 
report about their environment.

=> In fact, AppVeyor allows us to run builds on our own cloud. So, if 
needed, it just a matter of money to control 100% the process.

> I'm also concerned
> about the third-party link redirect service and third-party file
> download hosting service (even if same company as the CI service where
> we build these).

This was on purpose (the link is):
- Upgradeable: At this very moment the ZIP points to a version from 20 
days ago. Later, today, I will update the ZIP to include latest changes 
(e.g., the ETA bug fix). The link will reflect the change.
- Safe: I'm not offering a ZIP file to download. I offer a full view of 
the build process. Anyone can see and analyze ALL build process and logs.
- Safe: I compute and print (using the read only log) the hash of the 
ZIP file. I want people to see notice the computed hash.

> https://openwall.info/wiki/john/custom-builds
>
> Even though I didn't verify these downloads in any way (beyond my https
> client checking the certificate's validity, which passed), I've just
> added copies to:

You have a hash to verify these ZIP files (the algorithm used is SHA256).


> Since my trust in these unofficial builds is limited, I am not
> PGP-signing them.  Unfortunately, this also means that if our server is
> compromised, we might serve compromised downloads with no easy way for
> users to detect that.
>
> Ideally, we should be making builds that we could trust, and would be
> willing to sign.

Again, you have a hash to verify these ZIP files (20 years in the 
future). Also, as a customer, people do deploy directly from the CI 
provider. So, it is just a matter of using your own cloud.

>
>> - CygWin OpenCL DLL needs proper ICD information;
> Most relevant is this comment:
>
> https://github.com/magnumripper/JohnTheRipper/issues/3191#issuecomment-404051085
>
> "arcfide commented on Jul 11
>
> Okay, I got this fixed up. If you see claudioandre-br's comment, that's where ICD Vendor files are mentioned. He also gives a working example of a build that seems to work. I've got this working now on the current build.
>
> It doesn't require any hard hacks, but I did figure out that the OpenCL drivers with Cygwin don't work without an ICD Vendor file. That means that there has to be a location to find such files. That means that the OpenCL support works on Windows if you run JtR from inside of a Cygwin installation.
>
> To make this work for me on Windows, I installed Cygwin with OpenCL, and then created the /etc/OpenCL/vendors/nvidia.icd file that included the Cygwin path to nvopencl.dll mentioned above. After I did that, I ran JtR from inside of the Cygwin Terminal, which mounts and makes available the /etc/ directory. That has fixed things, and I can now see all of my devices and I can run JtR on the GPU with the appropriate speedups."
>
> Claudio, I notice that your win_x64.zip includes:
>
>         33  08-09-18 18:42   etc/OpenCL/vendors/amd.icd
>         33  08-09-18 18:42   etc/OpenCL/vendors/nvidia.icd

Basically,
- CygWin is not needed to run JtR. But, of course, one can run JtR from 
inside CygWin
- From a user point of view, to run OpenCL on Windows from inside CygWin:
    - Install the OpenCL package and:
        "echo 'c:\Windows\System32\amdocl64.dll' > 
{john}/etc/OpenCL/vendors/amd.icd"
        "echo 'c:\Windows\System32\nvopencl.dll' > 
{john}/etc/OpenCL/vendors/nvidia.icd"
- For Intel, `strace`, I have no idea what is the filename.

> BTW, somehow it also includes what's probably a left-over from testing:
>
>      99286  08-09-18 18:43   run/john.log
>        355  08-09-18 18:43   run/john.pot

I'll take a look.

Claudio


[1] Build worker image is a template used to provision a virtual machine 
for your build. Physical implementation of the template depends on the 
build cloud platform and can be a master VHD for Hyper-V and Azure, 
snapshot or image for GCE or AWS.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.