Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 2 Feb 2017 10:00:32 -0500
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: to Single or not to Single

On Thu, Feb 2, 2017 at 8:16 AM, Patrick Proniewski <p+password@...atpro.net>
wrote:
>
> Well, that's exactly why I'm using single, in fact. As I wrote, I've got a
> very good individual candidate for every individual hash. My hash file does
> not contain anything else than hashes, so out of the box, Single would not
> apply. I though it could be smart to use my candidate password as a "login"
> and build a password file that would derive benefits from Single:
>
> candidate1:hash1
> candidate2:hash2


Yes that would be effective, but the same effect would be to have a
wordlist, and
use -rules=single. I'm not sure if that will save any mem, but the effect
will be the same.
./john hashes.txt -format=dynamic_25 -wordlist=cadidates.txt -rules=single
Single will try the candidates against all hashes, not just the hash it's
next to.

Any other method I know would require to blindly test thousands candidates
> on every hash (salted -> slow). And testing ~47 millions candidates
> (+rules...) on +47 millions salted hashes, on CPU only, is not something
> you want to do.
>

If you've got any cracks already, creating a charset would be logical to
do, it'd guess more likely candidates based on the leaned words. If most
passwords are based off of a few words a mask hybrid makes sense, and I
believe it's faster than the external mode "known-force".
./john hashes.txt -format=dynamic_25 -mask=password?a?a
I think you can do a wordlist/mask like so
./john hashes.txt -format=dynamic_25 -wordlist=candidates.txt -mask=?w?a?a
https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/MASK

I still find the performance debatable, and I wonder if this is my best
> option. May be I should split files again (100k lines instead of millions?)
> to maintain good perf?
>
>
John also has GPU support that *might* be good for that hash type (idk),
not sure about the amount of hashes. ./john --list=formats --format=opencl
HashCat is an alternative as well if you have a nice GPU. And as i think
your
aware (sounds like you've done your homework:) you can technically use
CPU/GPU
"at the same time" http://www.openwall.com/lists/john-users/2015/05/10/5
-rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.