Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <56E1C5C5.4040603@gmail.com>
Date: Thu, 10 Mar 2016 20:06:45 +0100
From: Marek Wrzosek <marek.wrzosek@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Johnny's "Guess password" button

W dniu 09.03.2016 o 16:32, Marek Wrzosek pisze:
> W dniu 09.03.2016 o 14:44, Shinnok pisze:
>> Hi Marek,
>>
>>
>>
>> Indeed Johnny is using --stdin for Guess.
>>
>>> or:
>>>
>>> $ echo foo > single_word
>>> $ ./john --wordlist=single_word ...
>>>
>>> It would be easier to use rexgen with alphabet like this:
>>>
>>> $ ./john --guess=624686 --regex=alpha:T9='\0' --stdout
>>
>> There is no option --guess to john. I'm not sure how useful this could be in the main tool.
>>
>>>
>>> instead of:
>>>
>>> $ echo 624686 | ./john --stdin --regex=alpha:T9='\0' --stdout
>>>
>>> or even;
>>>
>>> $ ./john --regex='[mno6][abc2][ghi4][mno6][tuv8][mno6]' --stdout
>>>
>>> Instead of applying regex mode, it could be hybrid mask or word mangling
>>> rules (just like for wordlist mode).
>>
>> The rexgen approach is indeed interesting, though it would be a jumbo specific implementation. I don't remember it being proposed when Guess was being discussed, do you see any specific benefits  for considering this with a jumbo detection? (we already have some jumbo specific functionality in Johnny)
>>
>> Shinnok
>>
> 
> Hi Shinnok
> 
> If Johnny is using --stdin for "Guess password" function, then where is
> it in a "Console log"? ;-)
> I assume, that --stdin option was created for more complex command in
> mind, than "echo foo". In fact, it is for commands, that would generate
> way too long wordlists, that are practical to store uncompressed,
> because using wordlist mode is more practical.
> "Guess password" in Johnny is very poor comparing to using "echo
> foo|./john --stdin ...", because in john, user could do everything with
> that single word. In Johnny only this one word will be checked, it's
> closer to "./john --mask=foo ...". The downside of using mask mode is
> that mask mode is last in a chain, so you can't apply rules or anything
> else. Using "guess mode", which would be simply nameless wordlist with
> only one word, would require less typing. That's all.
> Maybe would be wise to add the "Advanced options" button to the
> "Password Guessing" window, that would allow user to apply rules, mask,
> external filters, etc.
> 
> Best Regards,
> Marek
> 
PS. I forgot to mention about restoring sessions with --stdin option. It
is possible, but john will never be able to restore standard input -
it's on user's shoulders. And rules doesn't work with --stdin :-(
So if someone try to guess password "by hand" but with john's help the
best way to do that is creating a wordlist with one or a few words.
E.g.:
$ echo "foo" > guess_wordlist
$ ./john --wordlist=guess_wordlist --rules=all
--mask=?w?1?2?2?2?2?2?2?3?3?3?3?d?d?d?d --session=guess hashes

In guess.rec file will be name of wordlist, but without its content. If,
in the meantime, content of this wordlist will be changed, then we've a
problem.

-- 
Marek Wrzosek
marek.wrzosek@...il.com

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.