Re: John the Ripper 1.7; pam_passwdqc 1.0+; tcb 1.0; phpass 0.0

["Aaron" <microchp () microchp org>]

Yes.  For example, a sysadmin may wish to just check a 
known set of used/common passwords against many machines. 
JTR is great for a single quick pass against a small 
dictionary thus to ensure people are not picking stupid 
passwords.  Some systems also do not support password 
complexity checking without some hacks (that can break 
other legacy functions).

Also keep in mind that there are not currently any rainbow 
table databases that cover all types of password cipher 
implementations in use.  JTR covers many of them.  Where 
JTR lacks, THC Hydra takes over.

I am sure there are many other reasons to use JTR, but 
these are just a couple of them.


Regards,

--Aaron




On Thu, 9 Feb 2006 15:44:25 -0500
 "Amin Tora" <atora () EPLUS com> wrote:
> Can a tool as this be as useful when there are rainbow 
> tables out there
> to utilize for this kind of cracking? 
>
>
> Amin Tora, CISSP,CHSP,CCSI
> Senior Security Consultant
> ePlus Technology Inc.
> Mailstop #168
> 13595 Dulles Technology Drive
> Herndon, VA 20171
> Office: (703) 984-8007
> Cell: (703) 675-0738
> Fax: (703) 984-8607
> web: http://www.eplus.com
> Nasdaq: PLUS
>
> -----Original Message-----
> From: Solar Designer [mailto:solar () openwall com] 
> Sent: Wednesday, February 08, 2006 9:07 PM
> To: bugtraq () securityfocus com
> Subject: John the Ripper 1.7; pam_passwdqc 1.0+; tcb 
> 1.0; phpass 0.0
>
> Hi,
>
> This is to announce several related items at once. :-)
>
> After 7+ years of development snapshots only (yes, I 
> know, that was
> wrong), John the Ripper 1.7 release is out:
>
>         http://www.openwall.com/john/
>
> John the Ripper is a fast password cracker, currently 
> available for many
> flavors of Unix (11 are officially supported, not 
> counting different
> architectures), DOS, Win32, BeOS, and OpenVMS (the 
> latter with a patch
> or unofficial builds by Jean-loup Gailly).  Its primary 
> purpose is to
> detect weak Unix passwords.  Besides several crypt(3) 
> password hash
> types most commonly found on various Unix flavors, 
> supported out of the
> box are Kerberos/AFS and Windows NT/2000/XP LM hashes, 
> plus many more
> with contributed patches.
>
> The changes made since the last development snapshot 
> (1.6.40) are minor,
> however the changes made since 1.6 are substantial:
>
>         http://www.openwall.com/john/doc/CHANGES.shtml
>
> John the Ripper became a lot faster, primarily at 
> DES-based hashes.
> This is possible due to the use of better algorithms 
> (bringing more
> inherent parallelism of trying multiple candidate 
> passwords down to
> processor instruction level), better optimized code, and 
> new hardware
> capabilities (such as AltiVec available on PowerPC G4 
> and G5
> processors).
>
> In particular, John the Ripper 1.7 is a lot faster at 
> Windows LM hashes
> than version 1.6 used to be.  John's "raw" performance 
> at LM hashes is
> now similar to or even slightly better than that of 
> commercial Windows
> password crackers such as LC5, -- and that's despite 
> John trying
> candidate passwords in a more sophisticated order based 
> on statistical
> information (resulting in typical passwords getting 
> cracked earlier).
>
> John 1.7 also improves on the use of MMX on x86 and 
> starts to use
> AltiVec on PowerPC processors when cracking DES-based 
> hashes (that is,
> both Unix crypt(3) and Windows LM hashes).  To my 
> knowledge, John
> 1.7 (or rather, one of the development snapshots leading 
> to this
> release) is the first program to cross the 1 million 
> Unix crypts per
> second boundary on a general-purpose CPU.  John 1.7 
> achieves up to 1.6M
> c/s raw performance (with no matching salts) on a 
> PowerPC G5 at
> 2.7 GHz (or 1.1M c/s on a 1.8 GHz) and approaches 1M c/s 
> on the fastest
> x86 CPUs currently available.
>
> Additionally, John 1.7 makes an attempt at generic 
> vectorization support
> for bitslice DES (would anyone try to set DES_BS_VECTOR 
> high and compile
> this on a real vector computer, with compiler 
> vectorizations enabled?),
> will do two MD5 hashes at a time on RISC architectures 
> (with mixed
> instructions, allowing more instructions to be issued 
> each cycle), and
> includes some Blowfish x86 assembly code optimizations 
> for older x86
> processors (Intel PPro through P3 and AMD K6) with no 
> impact on newer
> ones due to runtime CPU type detection.
>
> Speaking of the actual features, John the Ripper 1.7 
> adds an event
> logging framework (John will now log how it proceeds 
> through stages of
> each of its cracking modes - word mangling rules being 
> tried, etc.),
> better idle priority emulation with POSIX scheduling 
> calls (once
> enabled, this almost eliminates any impact John has on 
> performance of
> other applications on the system), system-wide 
> installation support for
> use by *BSD ports and Linux distributions, and support 
> for AIX,
> DU/Tru64 C2, and HP-UX tcb files in the "unshadow" 
> utility.
>
> Finally, there are plenty of added pre-configured make 
> targets with
> optimal settings, including for popular platforms such 
> as Linux/x86-64,
> Linux/PowerPC (including ppc64 and AltiVec), Mac OS X 
> (PowerPC and x86),
> Solaris/sparc64, OpenBSD on almost anything 32-bit and 
> 64-bit, and more.
>
> On a related note, pam_passwdqc and our tcb suite became 
> mature enough
> for their 1.0 releases.
>
> pam_passwdqc is a simple password strength checking 
> module for PAM-aware
> password changing programs, such as passwd(1).  In 
> addition to checking
> regular passwords, it offers support for passphrases and 
> can provide
> randomly generated ones.  All features are optional and 
> can be
> (re-)configured without rebuilding.
>
> pam_passwdqc works on Linux, FreeBSD 5+ (in fact, it's 
> been integrated
> into FreeBSD), Solaris, HP-UX 11+, and reportedly on 
> recent versions of
> IRIX.  Additionally, Damien Miller has developed and 
> contributed a
> plugin password strength checker for OpenBSD based on 
> pam_passwdqc.
> This plugin is now linked from the contributed resources 
> list on the
> pam_passwdqc homepage:
>
>         http://www.openwall.com/passwdqc/
>
> The tcb package contains core components of our tcb 
> suite implementing
> the alternative password shadowing scheme on Openwall 
> GNU/*/Linux and
> distributions by ALT Linux team.  This allows core 
> system utilities such
> as passwd(1) to operate with little privilege, 
> eliminating the need for
> SUID to root programs.  The tcb suite has been in 
> production use for
> some years and has proven to work well.  Its homepage 
> is:
>
>         http://www.openwall.com/tcb/
>
> The tcb suite has been designed and implemented 
> primarily by Rafal
> Wojtczuk, with significant contributions from me and 
> Dmitry V. Levin.
>
> Finally, I've developed and placed into the public domain 
> a portable PHP
> password hashing framework.  The intent is to allow PHP 
> application
> developers to use state of the art password hashing 
> without learning the
> arcane details of the PHP crypt() function.  The 
> homepage for this
> framework is:
>
>         http://www.openwall.com/phpass/
>
> Enjoy!
>
> --
> Alexander Peslyak <solar at openwall.com> GPG key ID: 
> B35D3598  fp: 6429
> 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 
> http://www.openwall.com -
> bringing security into open computing environments