Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 6 Aug 2019 12:10:50 +0200
From: magnum <john.magnum@...hmail.com>
To: john-users@...ts.openwall.com
Subject: Re: Truncated hashes with DYNAMIC mode

On 2019-08-02 16:42, Royce Williams wrote:
> On Fri, Aug 2, 2019 at 5:29 AM Solar Designer <solar@...nwall.com> wrote:
> 
>> On Wed, Jul 31, 2019 at 11:22:22AM -0400, Matt Weir wrote:
>>> I'm looking for a way to utilize dynamic mode to generate vanity hashes.
>>> For example, finding a raw-MD5 hash that starts with '12345'. I've been
>>> looking through the documentation for dynamic, but I'm missing how to
>> only
>>> check a subset of the final hash vs the target. Is that possible, and how
>>> would I go about doing that? Bonus points if I can utilize the command
>> line
>>> dynamic expressions.
>>
>> I'm afraid this isn't supported, but I'd like JimF to confirm this and
>> consider adding such functionality.
>>
> 
> That would be fantastic! I've long argued that such searching, if done in a
> way that is low overhead for the maintainers of the tool (who are usually
> not me, since my programming skills are limited), belong in the cracking
> suites themselves rather than reinvented poorly or narrowly in other
> frameworks. Of course, I understand that non-specialization also means that
> some optimization opportunities must be discarded, so I also support
> dedicated external tools when executed well. But I think that having this
> in dynamic mode would be worth the trade-off.

Well you could open an issue for it for RFC/discussion. For example, how 
would we format the input? Would we always want hashes that starts with 
"deadbeef" or sometimes only ends with it, or any of them? Or even 
"deadbeef" somewhere/anywhere in it (that would likely be awfully slow)?

Also, would we want the cleartext that produces such vanity hash to be a 
printable one actually usable as a password, or more or less any binary? 
As mentioned recently, binary brute-force hasn't been within our scope 
but we're considering changing that.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.