Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 5 Dec 2018 08:26:25 -0500
From: Powen Cheng <madtomic@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Most efficient way to brute force

Hi Alexander,

I have tested mask mode and thank you for this suggestion.

As for now, I still need to figure how to create a GPU system properly
before I let this system run for the real task.
I am very limited with what driver and hardware I could use with Ubuntu
14.04.1 as in 16.04 the opencl was removed unless I am using Nvidia cards
and I still need to get pass this error.
OpenCL CL_INVALID_DEVICE (-33) error in opencl_common.c:452 - Error
querying PLATFORM_NAME

Thanks again for your help,
Po

On Tue, Nov 27, 2018 at 11:46 AM Solar Designer <solar@...nwall.com> wrote:

> On Mon, Nov 26, 2018 at 08:21:58PM -0500, Powen Cheng wrote:
> > This is the test setup that I am stuck with so I want to make sure that
> > these two commands are the most efficient way to brute force with 8
> threads
> > per video card.
> >
> > As per magnumripper, using two separate terminals.
> >
> > OMP_NUM_THREADS=8 ./john -dev=0 -node=1/2 -form=tezos-opencl
> > -ses=tezos1 tezos -inc
> >
> > OMP_NUM_THREADS=8 ./john -dev=1 -node=2/2 -form=tezos-opencl
> > -ses=tezos2 tezos -inc
>
> These may be fine (assuming you have at least 16 logical CPUs), but most
> importantly you need to focus the attack based on what you know/recall
> about the password.  You previously tried asking about that, and I
> recommended that you use mask mode, possibly along with other modes:
>
> https://www.openwall.com/lists/john-users/2018/10/28/3
>
> This remains my current recommendation.  Have you tried it?  How?
> What were the results?
>
> > I was told to use --incremental and I read that I could also create and
> use
> > my own custom Incremental.
>
> You could, but why would you?  Chances are that whatever you know/recall
> about the password is best expressed as a mask.
>
> > [Incremental:Custom]
> > File = custom.chr
> > CharCount = 95
> > MinLen = 6
> > MaxLen = 8
> >
> > So to use my own custom incremental. I would simply add -inc:custom -
> > is this correct?
> >
> > OMP_NUM_THREADS=8 ./john -dev=0 -node=1/2 -form=tezos-opencl
> > -ses=tezos1 tezos -inc:custom
> >
> > OMP_NUM_THREADS=8 ./john -dev=1 -node=2/2 -form=tezos-opencl
> > -ses=tezos2 tezos -inc:custom
>
> Yes, but you probably don't need to do that.
>
> > Since the MinLen starts at 6. I am guessing that it would start with
> > 000000 up to charset?
> > Then when Length of 6 is done, it would move to 7 or 0000000, etc.
> >
> > Please help me understand how incremental work with John.
>
> Under the hood, and in terms of ordering of candidate passwords tried,
> it's far more complex than that.  It will be switching lengths back and
> forth, and will be testing weird-looking sequences of characters, trying
> to optimize for non-increasing estimated probability of each being the
> password.  It estimates those probabilities based on previously known
> passwords - the training set used when the .chr file was generated.  For
> the .chr files bundled with JtR, the training set is the RockYou leak.
>
> If you generate your own .chr file, you re-train based on whatever is in
> your john.pot at that time.
>
> > I want to make sure that I using this brute force as efficient as
> possible.
>
> What approach is most efficient depends on what you know/recall about
> the password.
>
> Alexander
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.