John the Ripper (JtR)
is a password-cracking utility developed at Openwall.
The recently-released 1.7.9-jumbo-6 version lands a number of important
features, such as the ability to unlock RAR, ODF, and KeePass files,
the ability to crack Mozilla master passwords, and the ability to
speed up cracking by using GPUs — for some, but not all, tasks.
Despite the heavy dose of crypto-speak in the documentation, in
practice JtR is a straightforward-to-use tool with which you can
recover lost passwords, open locked files, or test users' password
strength from the command line — recovering a password can be as
simple as running:
Of course, there is quite a bit going on behind the scenes in that scenario. For
starters, it is important to remember that JtR is built for recovering
passwords for which the encryption algorithm has not been broken, so
it is in effect a brute-force tool that tries every possibility as
quickly as possible. Such an approach can be hard on one's CPU, and also
on one's time (the FAQ says
that a single crack for a weak password could take anywhere from one
second to one day), so JtR employs a variety of techniques to speed up
the guessing process. It can use word lists (with the addition of the
switch), it can search probabilistically
(i.e., trying more likely combinations of characters first, with the
switch), and it can tailor its guesses
based on information gleaned from the user account in question (for
which one needs superuser access, of course). It auto-saves its state
every ten minutes, and you can interrupt and resume cracking jobs to
better optimize your personal time.
JtR can be used to crack a single password or hash value on its own,
or it can be deployed against a file full of passwords, logging
its successes. There are switches to automatically skip accounts
without a shell or by group membership, and utilities to perform
related tasks such as emailing users with weak passwords. By default,
JtR uses its own encryption routines when cracking a password, but it
can also call the system's crypt(3) function, which may be helpful for
auditing password hash formats not yet supported by the program.
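
The wordlist and account-derived guessing described above, run as a batch audit over a constructed password file. This is an added example, not code from JtR or from this article; the SHA-256 storage scheme, the account data, the wordlist, and the function names are all assumptions made for the demonstration.

```python
import hashlib
from itertools import chain

def hash_pw(password, salt):
    # Demo-only storage scheme (an assumption): SHA-256 over salt + password.
    # Production systems should use a slow KDF such as bcrypt or PBKDF2.
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample data: (user, salt, stored hash). alice and bob share
# the empty salt, so one computed hash can be checked against both.
ACCOUNTS = [
    ("alice", "", hash_pw("letmein", "")),
    ("bob", "", hash_pw("letmein", "")),
    ("carol", "k3", hash_pw("carol2012", "k3")),
    ("dave", "z9", hash_pw("V7#qLw!x92pe", "z9")),
]
WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed

def account_guesses(user):
    # Guesses tailored to the account: the login name and simple variants.
    yield user
    yield user.capitalize()
    for suffix in ("1", "123", "2012"):
        yield user + suffix

def audit(accounts, wordlist):
    """Return ({user: weak password}, number of hash computations)."""
    by_salt = {}
    for user, salt, digest in accounts:
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    weak, hash_ops = {}, 0
    for salt, targets in by_salt.items():
        users = [u for group in targets.values() for u in group]
        # Wordlist first, then account-derived guesses for this salt group.
        candidates = chain(wordlist, *(account_guesses(u) for u in users))
        for cand in candidates:
            hash_ops += 1  # one hash per candidate per salt, not per account
            for user in targets.get(hash_pw(cand, salt), ()):
                weak.setdefault(user, cand)
    return weak, hash_ops

if __name__ == "__main__":
    weak, ops = audit(ACCOUNTS, WORDLIST)
    for user, pw in sorted(weak.items()):
        print(f"{user}: weak password found ({pw!r})")
    print(f"{ops} hash computations for {len(ACCOUNTS)} accounts")
```

Each distinct salt forces its own pass over the candidate list, which is why per-user salts and slow hash functions raise the cost of guessing for every account in the file.
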
Not that there are a lot of unsupported formats; JtR tackles many
different encryption and hashing algorithms — around 30 in this
release. But the main program uses the same "batch cracking"
methodology regardless of the underlying format being cracked. Most
of the new formats are implemented as plugins, and indeed many of the
additions in this latest release were contributed by the JtR
community. Considerable effort is also expended on optimizing JtR's
performance, which naturally involves squeezing every available
advantage out of the architecture. As a result, the
optimizations available vary depending on the file format and the
New and improved
The latest release is named JtR 1.7.9-jumbo-6; the "jumbo" indicates
that it incorporates community-contributed code. For the sake of
comparison, the most recent non-jumbo release is 1.7.9, from November
2011. Openwall also sells a "pro" version of JtR for Linux and Mac OS
X, which is currently at 1.7.3, and rolls in a few additional hash
types, plus binary packages and a hefty multi-lingual wordlist file.
From what I can tell, the community-driven jumbo-6 packages now
implement most of the additional features and optimizations in the
"pro" version, but of course you get no company-provided support. If
compiling from source is too much of a headache, there are also community-contributed
builds for Linux (32- and 64-bit), Solaris, OS X, and Android.
According to the release
announcement, 1.7.9-jumbo-6 adds 40,000 additional lines of code
(that is, not counting changed lines) over the previous release. New
hash types supported in this version include IBM's Resource Access
Control Facility (RACF), GOST,
SHA512-crypt, SHA256-crypt, and several SHA-512 or SHA-256 derivatives
(such as those used by DragonFly BSD, EPiServer, and Drupal 7).
Several other web application password formats are on the list as well,
including Django 1.4, the forum package WoltLab Burning Board 3, and
the flavor of SHA1 used by LinkedIn (which reminds one of LinkedIn's
recent password troubles).
Just as interesting are the "non-hash" functions, which include a
number of encrypted file formats and authentication methods —
specifically, message authentication codes and challenge-response
protocols (which first require capturing the challenge-response
packets using Wireshark or another network sniffer). New in this
category are several password-storage formats
(Mac OS X keychains, KeePass 1.x files, Password Safe files, and
Mozilla master-password files) and general file types (OpenDocument
files, Microsoft Office 2007/2010 files, and RAR archives encrypted
with the -p option, which leaves metadata in plaintext). The
authentication methods added include WPA-PSK, VNC, SIP, and various
flavors of HMAC.
There are other "assorted enhancements" discussed in the announcement,
but the most interesting is GPU-based parallel processing. There are two
flavors supported: NVIDIA's Compute Unified Device Architecture (CUDA)
and the cross-platform OpenCL. Not every hash or algorithm handled by
JtR's normal CPU techniques has support for either, and few have
support for both. Some of the GPU-assisted cracking code is marked as
"inefficient" in the notes, and some have limitations on the specific
graphics chips required. The notes also caution that some ATI cards
can hang when running recent drivers.
As for whether or not CUDA and OpenCL result in faster password
cracking, the answer at the moment is mixed. It depends largely on
the hash or algorithm being cracked; for some (such as bcrypt), the
project reports that running solely on the GPU is slower than running
solely on the CPU. In addition, the benchmarks included in the
announcement note that the GPU still loses on price/performance ratio
when compared to CPUs. That may not matter if you are interested in
using JtR to spy on your corporate foes, but for standard system
administration tasks, it is an important factor. Yet even in those
CPU-dominated circumstances, piling on the GPU in addition to the CPU
should improve cracking times.
JtR already supports parallel processing with OpenMP for a far larger set of
hashes and file formats. All of the new non-hash file formats
supported in 1.7.9-jumbo-6 support OpenMP. The new release also
includes many new SIMD CPU optimizations, for SSE, XOP, AVX, and even
MMX. As a result, sorting out which options to use on which task may be a
complicated affair; fortunately when several days of processing time
may be required, a few minutes of research is comparatively small
Openwall's Alexander Peslyak (who goes by the moniker "Solar
Designer") wrote in the announcement that the GPU support "is just
a development milestone, albeit a desirable one" for the time
being, and that further optimization in future releases will improve
its performance. GPU support is not a silver bullet, though. Like any
task, password-cracking will always have bottlenecks — in JtR's
case, having the main process generate and distribute the candidate
passwords is frequently a bottleneck that GPUs cannot overcome. But
as Peslyak wrote
in 2011, even the question of whether or not it helps to move the
candidate-generation to the GPU depends largely on the algorithm or
hash. Password cracking "is not so much about cryptography
as it is about optimization of algorithms and code," he said.
In that context, then, being able to make use of GPUs that would
otherwise sit idle is a tool that needs to be exploited, even if it
will not reduce the task to triviality.
Since I do not manage multi-user machines, it is difficult to weigh in
on JtR's password-auditing features. But for password- or
file-cracking, it is simple to get started and well-documented, which
is about all that one could ask for. Password recovery falls into the
category of "tools you hope you will never need," and when you find
yourself recovering a password, you are not likely to enjoy the
process. At least JtR makes it relatively painless — for you,
although maybe not for your hardware.
Improved code and documentation quality – we’ve observed that
the peer pressure from 'Social Coding' has driven engineers to
make sure code is clean and well structured, documentation is
useful and up to date. What we’ve learned is that a component
may be 'Good enough for running in production, but not good
enough for Github'.
The Internet was done so well that most people think of it as a natural resource like the Pacific Ocean, rather than something that was man-made. When was the last time a technology with a scale like that was so error-free? The Web, in comparison, is a joke. The Web was done by amateurs.
— Alan Kay
EGenix has announced the release of its one-file Python interpreter PyRun, which is designed to provide "an almost-complete Python standard library" in a relocatable binary that does not demand system-wide installation. "Compared to a regular Python installation of typically 100MB on disk, this makes eGenix PyRun ideal for applications and scripts that need to be distributed to many target machines, client installations or customers."
Version 1.10.0 of the Firebug web development tool has been released.
Information on new features can be found on this
; they include a new cookie manager, command editor syntax
highlighting, autocompletion, CSS style tracing, and more. "Firebug
doesn’t slow down Firefox start-up time anymore! It’s loaded as soon as the
user actually needs it for the first time. Only the Firebug start-button
and menu is loaded at the start up time."
Firefox 14 has been released. As usual there are new features and lots of
bug fixes, including security bugs, in this release. The release notes
have the details. There are also release notes
for Firefox mobile.
Herman Grecco has released Lantz, a Python library for controlling and automating laboratory instruments (test equipment, sensors, signal generators, etc.). The code contains Qt4 hooks, and is designed to replace "Domain Specific Languages (DSL) like LabVIEW and MatLab Instrumentation Toolbox."
The Redphone encrypted voice-over-IP application for Android has been released
under the GPLv3 license. "As with TextSecure, we hope that making
RedPhone OSS will enable access to secure communication for even more
people around the world, with an even larger number of developers
contributing to make it a great product."
Newsletters and articles
Gentoo's Donnie Berkholz has written a treatise on the methods the distribution uses to turn Google Summer of Code students into regular contributors, claiming an increase from 20% to 65%. "In my view (and therefore Gentoo’s view), the code produced during someone’s initial summer of work tends to serve its best purpose as inculcation to a community and its standards, rather than as useful code in itself. We regard that code as potentially throwaway work that is more of an experimentation than something on Gentoo’s critical path."
On his blog, Byron Jones explains the new features of Bugzilla 4.2, focusing on the revisions to search functionality: "a major change between bugzilla 4.0 and bugzilla 4.2 comes in the form of changes to searching. the searching implementation in 4.2 was rewritten from scratch, removing some seriously convoluted code and adding a large amount of test cases." The changes include search result limiting, changes to relative time operators, and more consistent complex queries.
Page editor: Nathan Willis