Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 22 Jan 2009 10:42:40 +0100
From: Samuele Giovanni Tonon <samu@...uxasylum.net>
To: john-users@...ts.openwall.com
Subject: Re: keyspace, mask password and dumb bruteforce

On Wed, 2009-01-21 at 17:37 +0300, Solar Designer wrote:
> On Fri, Jan 16, 2009 at 03:49:28PM +0100, Samuele Giovanni Tonon wrote:
> > A "collision free" algorithm is to simply scan through the keyspace by
> > going incremental (i.e. 0000 0000, 0000 0001, 0000 0002 and so on...) 
> > and splitting our work in to "chunks" for each client. 
> > These chunks must be big enough to make the client work for some time
> > (some hours/some minutes) and then give back a feedback to the server.
> > 
> > Then there's Jtr and his incremental mode which, for what i've
> > understand, will go to search the same keyspace as above but going to
> > test some "most likely to be" passwords first; This way, unfortunately,
> > is not higly distributed tough
> 
> Actually, it is not very hard to split the workload across multiple
> nodes in a collision free way and without consuming much bandwidth while
> still using JtR's incremental mode.  Please see:
> 
> 	http://www.openwall.com/lists/john-users/2005/11/21/2
> 
> (especially the last paragraph).
> 
solar you are a living search engine, i looked in to the list archives
for almost three days and never read that mesg :-)

> > even the wiki has a list of jtr distributed attempt;
> 
> This doesn't mean much.  People were implementing whatever they could
> think of and whatever they wanted to.

that conclusion came since there were many attempt to make a distributed
password cracker from john and none of them ever reached version 2.0 or
something stable which doesn't core dump in the next 3 hours, but i
guess my conclusions were wrong.
Also i don't wanna sound lame, i truly respect all the effort that has
been made in those distributed version of john, in fact they helped me a
lot by looking to their source code. 


> > As a quick solution to this problem i thought that maybe a solution is
> > to use "mask passwords list", which is not an innovative idea but could
> > work; with a mask password the user has the ability to restrict the
> > keyspace and it is still easy to split up chunks across the clients.
> > Basically it's making a bruteforce less dumb by using human brain other
> > than using heuristics and each client can easily self-produce the
> > keyspace to crunch, therefore saving network bandwith. 
> 
> If I understood you correctly, you're essentially suggesting to split
> the keyspace manually.  Yes, this is what I recommend most of the time -
> especially when the number of CPU cores to distribute the workload
> across is relatively small.  You might want to take a look at these
> older postings:
> 
> 	http://www.openwall.com/lists/john-users/2008/04/08/4
> 	http://www.openwall.com/lists/john-users/2005/08/24/4

yes, that idea came from reading exactly these two posts and extending
it to, why do i have to manually launch (or set up a script to do that) 
a cracker on each core or each pc when i could do a program to do that ?
however at the moment you made me look to new ways that i never thought
of due to lack of knowledge in this field, so i'm going back to the
bench and do some homework before saying stupid things :-)

Cheers
Samuele


-- 
While various networks have become deeply rooted, and thoughts have been
sent out as light and electrons in a singular direction, this era has
yet to digitize/computerize to the degree necessary for individuals to
become a singular complex entity.
  KOUKAKU KIDOUTAI Stand Alone Complex


-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.