Message-ID: <20120711083514.GA10966@openwall.com>
Date: Wed, 11 Jul 2012 12:35:14 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: our own training pseudo contest before CMIYC 2012

Frank, Simon, Aleksey, all -

On Tue, Jul 10, 2012 at 05:48:47PM +0200, Frank Dittrich wrote:
> On 07/10/2012 02:28 PM, Aleksey Cherepanov wrote:
> > As you know there will be Crack Me If You Can contest on July 26-29
> > (or like). But it would be nice to make a training contest before it
> > to prepare ourselves.
>
> Wouldn't other preparations for the real contest be more important?

Maybe, or maybe not, but one reason why I suggested doing this pseudo
contest to Aleksey is that the real contest would be a wrong time to
test out his MJohn tool for the very first time. Our priority in the
real contest should be getting the hashes cracked, not learning a new
tool.

For example, in the real contest, unless we choose to focus solely on
our own stuff rather than on achieving a good score, I would not even
look at MJohn, unless I already tried it out in a similar setting by
that time and liked it (or at least did not hate it much). I think it
will/should be similar for others.

In fact, I have my doubts regarding how many of us would actually use
MJohn during the contest even if we try to practice with it in advance,
but at least it would have a chance then. Without this practice, it has
no chance at all. And without being tested in a real contest, MJohn
would also have little chance to evolve in a relevant direction later.

> Maybe the CMIYC 2012 hashes require conversion of hashes into john
> specific formats, as the PHDays Hash Runner files did.

What does this mean for our contest preparations? I see no action item
here yet.

> We also still need some easy way to create input files with uncracked
> hashes only, but not suppressing duplicate lines (as --show=LEFT does).

FYI, scripts I used on our contest server during CMIYC 2010 and 2011
did not use --show=LEFT, but rather processed john.pot files directly.
Unfortunately, this fails for LM hashes (where --show is needed to merge
the halves), but for other contest hashes it worked fine, I think.
Maybe --show=LEFT would as well.

I must admit I don't see how the issue with suppressing duplicate lines
is relevant. Can you explain, maybe based on some contest-relevant
example?

> I am sure there are other tasks which can be identified by looking at
> what prevented us from doing better at CMIYC 2012 or PHDays Hash Runner.
> And we might need to check and polish some scripts we used during the
> CMIYC contest, like the ones for validating new pot file entries...

Of course, there are many other tasks. This does not mean that a trial
contest is not a good task.

Every time a real contest starts, we find that we need to create
accounts for new people joining, we have coordination issues, we have
bugs in recent revisions of our tools (not tested enough yet), etc.
I think having a trial contest shortly before the real one (just a few
days earlier) will minimize such issues and will also help us fix bugs
in cutting-edge JtR code, including in recently-added GPU code.

> Maybe we also need to look at things competing tools can do better than
> john, and how we can compensate for it:
> -hashcat's mask mode
> -hashcat's ability to generate password candidates from two separate
> inputs (left side + some rule / right side + some rule), where
> left/right side can either be a word list file or a mask (say ddds or
> whatever the syntax is for "3 digits, followed by a special character")
> -...?

I don't mind. For processing 2+ separate inputs, I'd currently use my
Perl scripts to preprocess wordlists, although it does make sense to get
similar functionality into John proper eventually (not for this
contest).

> Also, IIRC, hashcat recently had a contest to find "best 64" rules.
> Maybe we can prepare something similar.
> Use the default password.lst, converted to lower case, removing any
> resulting duplicates, but adding "rockyou".
> Then, try to find which rules in which sequence would be the best to
> crack dummy hashes generated from the rockyou password list.

This is a good idea, and I think Simon is the one to organize this
contest for us. ;-) However, I think it is not sufficiently relevant to
CMIYC 2012 specifically. It won't help Aleksey's project either - well,
unless we somehow use MJohn in that "best rules" contest (how?)

Summary: I support Aleksey's request/invitation to join our team for a
trial contest. I think it can be 4 hours on July 21 and then maybe
another 4 hours for a second try on July 22 (leaving time between these
two days e.g. for Aleksey to fix MJohn bugs and for any of us to fix
John bugs). The time of day should be chosen such that it'd be evening /
early night in Europe and western Russia, and morning in the Americas.
For example, the pseudo contest could run from 17:00 UTC to 21:00 UTC.

What do you think?

Alexander