Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 27 Oct 2020 21:02:49 +0100
From: Solar Designer <>
Subject: John the Ripper in the cloud update


This is an update to what I announced in August:

On Mon, Aug 10, 2020 at 11:45:29PM +0200, Solar Designer wrote:
> We've just launched Openwall Password Recovery and Password Security
> Auditing Bundle in AWS Marketplace:
> We provide a pre-generated Amazon Machine Image (AMI), which lets you
> start password recovery or a password security audit in minutes (if
> you've used Amazon Web Services before, or you need to sign up first).
> The Bundle features Amazon Linux 2 along with John the Ripper jumbo
> pre-built and pre-configured with multi-GPU (via OpenCL) and multi-CPU
> support (with AVX-512, AVX2, and AVX acceleration, and transparent
> fallback when run on older CPUs lacking the latest AVX extensions).  The
> Bundle has been tested on both GPU-enabled and CPU-only AWS instances.
> Also included are the "all.lst" wordlist from the Openwall wordlists
> collection, and sample Unix and Windows password hashes for testing and
> learning how to use the software.

There's now an updated version, Openwall Password Recovery and Password
Security Auditing Bundle version 1.1.  Summary of the changes:

John the Ripper jumbo updated to latest as of 2020/09/28 (much faster
sha512crypt-opencl and phpass-opencl on NVIDIA Tesla V100, reliability
fixes), built with optional libraries (gmp, bzip2, and libpcap added),
and extensively tested on p3.2xlarge instance's NVIDIA Tesla V100 GPU.
Repository of sample "non-hashes" added (encrypted archives, dmg files,
etc.) to let you get started on a known-password sample before going for
a real password recovery attempt.  SSH connection rate-limiting added.

> We provide a 5-day free trial, and you might actually complete your
> password recovery or audit within that timeframe.

We no longer provide the free trial.  The usage patterns so far were
such that people mostly ended up paying Amazon and not paying us.  This
experiment and effort on maintaining an AWS Marketplace product isn't
meant to provide free advertising for and bring customers to AWS
(although it does, and that's fine) - rather, it is meant to gauge the
interest and give us an idea on whether we can use something like it to
fund work on further cloud-focused functionality.

There's also a slight price increase, from $0.64/hour to $0.89/hour
(plus AWS fees) for usage of the Bundle on our recommended p3.2xlarge.

> We also don't charge
> for usage of the Bundle on the tiny 1 vCPU instances that are eligible
> for AWS free tier, which provides free usage of some AWS services within
> the first 12 months for new AWS users.  (AWS service fees apply for
> usage of their hardware outside of the free tier.)

This is still the case, and is now more fully explained on the "John the
Ripper in the cloud" homepage (including that these instances are,
unfortunately, of the "burstable" kind and what this means).

> And yes, this build of John the Ripper jumbo works reasonably well on a
> t2.micro instance, using AVX2 on the only vCPU.

The Bundle can now also be launched (and also without a fee charged by
us) on the newer and generally faster t3.micro and t3a.micro instances.
(And on t*.nano.)

> Simple usage fits in
> the 1 GB RAM.  So if you're new to AWS, you might get a year of free
> password cracking in the cloud - not exactly fast by modern standards,
> but reasonable for some simpler jobs.  For serious paid usage, we
> recommend current generation GPU instances that use Tesla V100 GPUs
> (starting with p3.2xlarge), or large CPU instances for hash types that
> we don't support on GPU yet.

This is still the case.  On the homepage, we now refer to and provide
benchmark results for 3 specific instance types: p3.2xlarge (NVIDIA
Tesla V100 GPU), c5.24xlarge (Intel Xeon, AVX-512), and c5a.24xlarge

> We also recommend taking advantage of AWS spot instance pricing

We still do, and we now include specific instructions for spot instance
usage (and recovery) on the homepage.

> Part of the motivation in creating this Bundle is to make sure we're
> able to get a product like this listed in AWS Marketplace, and to gauge
> the interest.  If very successful, this might enable us to invest in
> developing support for the FPGAs available in AWS F1 instances as we'd
> know we'd likely have this way to monetize the resulting FPGA designs
> and to sustain further development and maintenance for the FPGAs in the
> cloud as well as for the corresponding FPGA boards that one might buy.
> We'll view paid usage of the Bundle as voting for that project to start.

So far, we're seeing only casual usage, with much of it on the (almost)
free tiny instances and only briefly on the larger paid instances.  This
is very far from being successful enough for us to proceed further, but
we'll see.  I know there are organizations burning lots of money on
running things like this on AWS.  If a few of those choose to contribute
back (and thus invest into future enhancements) by running our Bundle,
that will make all the difference.

> Other ideas in extending the functionality include adding more of our
> software (maybe Johnny the GUI with some pre-configured way to access
> its remote desktop?), adding closely related third-party software (as
> licenses and agreements permit, maybe with payments to support those
> other projects as well), and adding cloud specifics (e.g., is anything
> needed to support spot instances better?)

So far, there's no spot instance support in code - there's only some in
documentation on the homepage.  I'm considering automatically running
"john --restore" on instance bootup in a future version, to allow for
more reasonable use of persistent spot instances.  Any comments on that?

> Any feedback and ideas are welcome on the john-users mailing list.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.