Date: Tue, 26 May 2020 18:38:01 +0200 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: hashcat vs. JtR On Tue, May 26, 2020 at 05:36:24PM +0200, Solar Designer wrote: > [...] hashcat has "Combination" mode, which combines words > from multiple wordlists to form candidate passphrases. JtR's closest > built-in equivalent is PRINCE mode, kindly contributed by atom of > hashcat. Correction: I shouldn't have said "equivalent". It is not. It is merely the most similar, but it's also very different: "Combination" works on multiple wordlists, PRINCE works on one wordlist. My point here is precisely that neither tool covers the full range of attacks that the other tool is capable of. Another thing that's different is source code style and quality, as well as consistency of the feature set and consistency and quality of documentation. hashcat is a younger project (~10 years old vs. JtR's ~25 years old or ~23 years of evolution since last rewrite). hashcat has been more closely maintained by its original author during its entire lifetime so far, which results in greater consistency and code quality. While JtR core was also closely maintained, JtR jumbo was for a long time promiscuous in accepting contributions as long as they worked at all and added reasonable functionality. As a result, JtR jumbo's coding style and quality varies and is in many places much worse than desired. Recent extensive testing (Continuous Integration, testing and fuzzing on multiple platforms) mitigated this for the users (killing many actual bugs), but the code is in many places not pleasant to maintain and is in need of an overdue rewrite. Is hashcat's documentation also more consistent than JtR's? I don't really know, so won't make such claim. hashcat appears to include less documentation with itself, having most(?) of it on the wiki instead, which I think is a recipe for inconsistency. Someone more familiar with this should comment. > I also started writing a list of what's the same or similar between the > tools. It quickly got way too long to include in this same message, so > I abandoned it for now. I might try and "complete" and post it later. Well, not "complete", but posting anyway: What's currently mostly common about John the Ripper and hashcat: Both are cross-platform Open Source offline password crackers primarily aimed at professional users. Both are feature-rich and aim for high performance and high efficiency. Both are primarily command-line tools, with GUI or web front-ends available as separate wrapper programs. Both support OpenCL devices, most notably GPUs. Both can use multiple GPUs. "Offline" means that they probe passwords against data that is available on the computer locally (in files), and that they will not actively probe passwords against remote systems (unlike e.g. THC Hydra, which is an online password cracker). They may, however, probe passwords against data previously obtained from remote systems (e.g., password hash files copied using the administrator's privileged access to those systems, or Kerberos TGTs requested from remote Kerberos servers, or encrypted cryptocurrency wallets/backups requested from an online wallet service). They may also probe passwords against relevant data extracted out of previously recorded (sniffed) network traffic for authentication sessions that use challenge-response protocols allowing for subsequent offline attacks (e.g., Windows NTLM protocols, (MS-)CHAP, WiFi WPA-PSK). Either tool supports a few hundred different password (non-)hash types (JtR calls these "formats", hashcat calls them "modes"). These include classic password hashes (of user accounts on operating systems, web applications, business collaboration platforms, database management systems, etc.), as well as many kinds of password-encrypted data ("documents", archives, filesystems and full disks, cryptocurrency wallets, GnuPG and SSH private keys, etc.), password-derived tokens, and relevant network traffic captures. Either tool is able to generate candidate passwords to probe in a wide variety of ways (JtR calls these "cracking modes", hashcat calls them "attack modes"). Some may also be combined. These include simply reading candidate passwords from a wordlist (a text file with one entry per line), applying word mangling rules, potentially exhaustively searching a certain easily defined password space (e.g., all-lowercase up to a certain length) yet doing so in an optimized order (using Markov chains over groups of characters seen in a training set, such as in previously cracked passwords), exhaustively searching passwords that match a "mask" (such as for partially-forgotten passwords), etc. A primary purpose of both tools is to audit potentially large user account databases, identifying weak passwords. Both tools are able to efficiently probe passwords against millions of password hashes at once, but only for hashes that are of (almost) the same type. (For multiple types you need to invoke the program once per type, maybe concurrently.) For both tools, the native input format is text files with one password hash per line (and optionally other colon-separated fields). Input data other than password hashes in text files should be preprocessed with tools specialized to the input data format. Such tools that are part of JtR jumbo generally follow the *2john naming. There are also *2hashcat tools out there. There are also tools not associated with and not targeting JtR and hashcat projects, yet producing output usable by JtR and/or hashcat, such as the PWDUMP family of Windows password hash dumping tools. There's some cooperation between the projects, including in sharing and interoperability of the preprocessing tools. For example, JtR's bitcoin2john.py is also the tool that a hashcat user would use to preprocess a cryptocurrency wallet.dat file. Conversely, hashcat's 7z2hashcat.pl is the upstream project for JtR's 7z2john.pl. Cooperation also includes agreement on and cross-support for wordlist rule commands, hashcat's PRINCE (candidate passphrase generation) having been added to JtR, and some assorted GitHub pull requests by developers working primarily on one of these projects made and accepted into the other. Over the period since the start of hashcat git history in December 2015 and until this writing in May 2020, the numbers of direct contributors (git committers) into either project are similar (around 80). The number of commits and the ratio of commits made by a few top committers are comparable between the projects, although over the same period hashcat had almost twice more commits (6792 vs. 3463) and its share of commits by the top committer is higher (76% by atom vs. 46% by magnum). On the other hand, JtR's total commit count since the start of its revision control history in April 2002 is higher yet (15597, but this may be inexact due to CVS to git import peculiarities). Both projects made releases for a few years prior to the start of their fine-grained revision control (JtR since 1996, hashcat since 2010). Both were at some point mostly rewritten (JtR once in 1998, hashcat several times since 2010?), then proceeded to evolve. Both have made their currently latest releases 1-1.5 years ago (JtR in May 2019, hashcat in Dec 2018). As usual, I'd appreciate any comments and especially corrections. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.