Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 13 Apr 2012 21:27:58 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: automation equipped working place of hash cracker,
 proposal

On 04/13/2012 03:11 PM, Simon Marechal wrote:
> On 09/04/2012 21:55, Frank Dittrich wrote:
>> To get the discussion going, may be you could elaborate a bit:
> 
> I will try to actually get it going by adding some notes ;)
> 
>> What would an optimal work flow look like?
> 
> This is the central question. I don't believe there is such a thing as
> an optimal work flow as it will depend on what you want to achieve :
> single user with multiple computing resources, several users sharing a
> single compute platform, local or remote usage, access control, etc.

In addition to that, as long as you don't have any knowledge about what
to expect, and you don't yet have any passwords cracked, you can only
start working based on experience you gained in previous cracking
sessions, contests, and so on, and adjust your strategy depending on
your findings during the cracking session.

> Describing a good workflow for the challenge would be perfectly acceptable.

Especially if you consider that a good workflow for the challenge is in
many aspects more complicated than a cracking session of a single user
with multiple computing resources or a team of pen testers working
together in a real-life scenario:

The available hardware, OS, and software versions will usually be much
less uniform.
People will probably even use different john versions (core or jumbo
with different release dates, compiler flags, ...
It might be best to make it easy for people to use the same version, and
reasonable config option, etc.
You should, however, allow  people to contribute even if they use
somewhat different setups - but in this case, the integration into the
"automation" of new cracking attempts might not be possible.

It is less predictable what hardware will be available at which time.

You have much less influence on what people do during the contest than
you have in a team of pen testers... (After all, many people will just
take part in the challenge because they think it is fun, and they'll
avoid doing things which they don't see as "having fun", even if this
might result in trying out things that are less than optimal.

Many people will be behind a firewall or router which prevents access
from outside (e.g., a central server), others might not want to grant
other people or a central server access to their systems, so you might
have to find ways to allow people fetching the next tasks to be
processed and sending back the results on their own.

If you are paranoid enough, you might even consider some kind of
detection of "malevolent contributors", who fetch tasks from the central
server, but submit faked results (e.g., not sending back all the cracked
hashes of wrong passwords). OTOH, you probably can't prevent those
people from just fetching the cracked passwords and submitting them for
other teams - otherwise you would also prevent team members from looking
at cracked passwords to detect patterns for possible future attacks.

In the past, people didn't always start with a new installation.
Instead, they accidentally submitted .pot files containing hashes and
passwords from earlier cracking sessions. You might not only want to
filter out these passwords from submitting them to KoreLogic, but also
from distribution to other team members.


If you want people to work together as effectively as reasonably
possible during the contest, you'll have to make "doing the right thing"
 easy and enjoyable for them.


Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.