Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <BLU0-SMTP3778972B703FBD4C50E9285FDD70@phx.gbl>
Date: Fri, 13 Jul 2012 11:56:48 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Re: Aleksey's status report #10

Hi Aleksey,

I did not yet look at the code, so I'll probably reply with some more
thoughts/remarks later.

On 07/13/2012 11:19 AM, Aleksey Cherepanov wrote:
> Wrapper copies john.conf into the store. Though path to config should
> be specified always (could be in config). Includes are not handled.

Do you handle --config=other.conf?
If there are multiple --config= (or -conf: ---) options on the command
line, john will use the last one.
But we could also treat this as a bug in john, and write a patch so that
specifying multiple --config options on the command line results in an
error.

We probably need to handle includes in some way.
Another approach would be to add some functionality into john which
resolves the contents of the section(s) needed for a certain attack
so that it can be used by a script.

Something like

./john (parameters and options that specify an attack) --generate-config

which would write a minimum config file to stdout, including all the
sections (and either resolving or including sub-sections) needed for the
attack.

I am not sure how hard to implement this would be, but I assume it
shouldn't be too hard.
If such a functionality exists, You could upload an attack-specific
config file instead.
To further enhance this idea, --generate-config could also add
information about which files (not counting the password hash files)
will be needed for the attack into comments at the begin of the config file.
(If --generate-config doesn't resolve include files, all the required
includes need to be listed as files required for the attack in the
comments at the begin of the generated config file.)

But all this is certainly stuff to be considered after the contest.

> Frank, please, look onto the script.

Will do, but this will take some more time.

Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.