Message-ID: <ea4f68244da7fa8cd7372e2e1151db48@smtp.hushmail.com>
Date: Thu, 20 Aug 2015 12:03:23 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: JtR encoding help needed

On 2015-08-20 10:08, Shinnok wrote:
>> On Aug 18, 2015, at 11:37 PM, magnum <john.magnum@...hmail.com> wrote:
>> On 2015-08-18 14:23, Mathieu Laprise wrote:
>>> Shinnok wants to indicate non-printable or control chars in Johnny's
>>> Password field for core and jumbo. We're not really experienced with
>>> encoding. How does JtR print ASCII control chars in john --show ?
>>
>> It just prints them. A tab is printed as a tab, an \x07 might ring a bell. It's normally not an issue since no-one has them in real passwords.
>
> I think Frank asked for this in one of his Johnny reviews? Frank, have you ever encountered non-printable ASCII in passwords, maybe just in contests?
>
> What we can do is manually substitute the ASCII non-printable and control chars with their escaped hex or octal variant. I don't think there's a smarter way of handling this.

I'd prefer hex over octal, and perhaps standard stuff like \g too when 
available but anyway how will you know it's not literally \x07? Would we 
then escape the backspace? Either way we do it adds some confusion.

Take "se\x07cret ninja\b\b\b\b\b     " for example. An alternative is to 
(either optionally or under certain conditions - or always) add a 
hex-dump of it:

root secret 73650763726574206e696e6a6108080808082020202020

A string like "se\gcret ninja\b\b\b\b\b     " would be easier to digest 
but hex output is the least ambiguous.

On a side note, I have considered using/adding hex in the .pot file. 
It's a canonical way to solve the problem with encodings. Especially the 
cases of -enc:raw or when encoding was incorrectly specified. This may 
e.g. result in printing Щ instead of Ö but you'll know afterwards it was 
literally \x99 hex.

magnum
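
The ambiguity raised in the message above, as an added example that is not part of the original post and is not JtR or Johnny code: escaping control bytes as \xNN collides with a password that literally contains the characters `\x07` unless the backslash is escaped as well, while a hex dump never collides. The function names `escape_ctrl` and `hex_dump` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration; names are hypothetical, not JtR or Johnny code.
 * Escape non-printable bytes as \xNN. If esc_backslash is 0, a literal
 * backslash passes through, so byte 0x07 and the four characters "\x07"
 * produce identical output. Caller must pass outsz >= 1. */
static size_t escape_ctrl(const unsigned char *in, size_t len,
                          char *out, size_t outsz, int esc_backslash)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (o + 5 > outsz)          /* need room for "\xNN" plus NUL */
            break;
        if (c == '\\' && esc_backslash) {
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (c < 0x20 || c >= 0x7f) {
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)c);
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

/* Hex-dump every byte: unambiguous whatever the bytes or encoding. */
static size_t hex_dump(const unsigned char *in, size_t len,
                       char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < len && o + 3 <= outsz; i++)
        o += (size_t)snprintf(out + o, outsz - o, "%02x", (unsigned)in[i]);
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* The sample password from the message, as raw bytes. */
    const unsigned char pw[] = "se\x07" "cret ninja\b\b\b\b\b     ";
    char buf[128];
    escape_ctrl(pw, sizeof(pw) - 1, buf, sizeof(buf), 1);
    printf("escaped: %s\n", buf);
    hex_dump(pw, sizeof(pw) - 1, buf, sizeof(buf));
    printf("hex:     %s\n", buf);
    return 0;
}
```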
