Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 5 May 2018 11:34:15 -0700
From: Eric Oyen <eric.oyen@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: failed to break my own created password

will any of the BitCoin specific GPU modules (hardware) work for this? those are relatively cheap and can be run from a USB hub.

I have a Rasberry pie unit here that I am dedicating to Software Defined Radio (as a air spy server) but with the of a couple of these modules, it can also double as a BitCoin mining node as well as solving for password strength.

btw, I still have JTR running on the mac mini working on that password hash. I set min length to 8 characters and max length to 18 characters and am allowing only the use of 2 symbols (! and .). I am letting it run incrementally on the problem and will leave it alone. Since that is a multicore machine, I have multiple instances running (1 per core) and each one is set for it's own min and max length settings). I will get this, but it is going to take a little longer than I planned on. 

I might kill off one of the instances and do a run based on info given in this thread.

thanks for the helpful hints. 

-eric


PGP fingerprint: 6DFB D6B0 3771 90F1 373E 570C 7EA2 1FF3 6B68 0386

On May 5, 2018, at 7:43 AM, Solar Designer wrote:

> On Sat, May 05, 2018 at 01:55:45PM +0000, Royce Williams wrote:
>> If you suspect a typo, a variety of typos can also be simulated. Here's a
>> crude example of how to generate some rules for mis-key (rather than
>> transposition) typos:
>> 
>> https://gist.github.com/roycewilliams/9d8e98587cff105b2e05a9f0e8de8371
> 
> To do something different but similar (overstrikes and inserts) with
> JtR, put the supposed password in a wordlist file and use --rules=oi.
> This ruleset is already included in recent bleeding-jumbo, but in case
> of using an older version here it is:
> 
> [List.Rules:oi]
> o[0-9A-Z][ -~]
> i[0-9A-Z][ -~]
> o[0-9A-E][ -~] Q M o[0-9A-E][ -~] Q
> i[0-9A-E][ -~] i[0-9A-E][ -~]
> 
> This does one overstrike/insert up to length 36 and two up to length 14.
> With a fast hash like Eric's, this is very quick.
> 
> If leetization might have been applied to the original password, then it
> may also be passed through --external=Leet or the masks previously
> posted in here may be used prior to applying the rules above (with a
> separate invocation of JtR).
> 
> On Fri, May 04, 2018 at 10:12:21PM -0700, Eric Oyen wrote:
>> unbreakable without considerably greater resources than I have here.
> 
> Based on what you tell, this is primarily about adjusting the attacks
> you run and to a lesser extent about the resources you have.
> 
>> To that end, I am now considering a cluster approach using NFS as the primary filesystem and having a number of nodes all running JTR and all taking and putting data into the right files (this way, the load can be split). 
> 
> Bad idea, unless you'd do it for fun.  With just one hash to crack on
> just a few systems, it'll be easier for you to run different attacks or
> use the --node option on those nodes manually.  And no need for shared
> storage.  You'll take the one cracked password from whatever system
> cracks it.
> 
>> the man page is woefully under documented/incomplete.
> 
> Like I said, there's no official man page.  There's only Debian's.  Just
> don't use it - use our documentation under doc/ instead - but then it's
> probably too detailed.
> 
>> I will see if I can acquire a number of older machines
> 
> Bad idea, unless you'd do it for fun.  A factor of 10 or so difference
> in speed is very unlikely to result in your password getting cracked.
> In terms of improving your chances, your time is better spent on
> adjusting the attacks you run.
> 
> Also, if you do want to buy extra hardware anyway, buy some recent GPUs
> rather than some old machines.  And perhaps you already have some GPUs
> you could use, as well.
> 
>> (something in the range of 8 to 10 years old as they are dirt cheap)
> 
> They're also slow and not worth your time, unless you'd do it for fun.
> 
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.