August 19, 2004 (technical)
Making JTR-MPI perform a wordlist attack 2
Further analysis of the wordlist.c file, especially the outer do {} while (rules) loop (around the code that was looked at earlier - see Part 1) reveals that this cracking code works as follows:
- open the main do/while loop (lines 191 - 233)
- open the "check-rule" if loop that will check the current rule (lines 192 - 205)
- check the current rule for formatting, then accept or reject. This is output to the logger (lines 194 - 204)
- close the "check-rule" if loop at section 2
- open the "perform-crack" while loop that will iterate through every word applying the rule and attempting to crack (lines 208 - 224)
- try to crack a password using the current rule with the current word, crk_process_key(word) (line 219)
- close the "perform-crack" while loop at section 5
- open the "next-rule" if loop, that will check for a new rule to be used (lines 226 - 232)
- close the "next-rule" if loop
- close the main do/while loop
This was tested by performing a simple wordlist attack on a shadow file. The command used was: ./john --wordlist=/usr/share/dict/words --rules shadow.
Running tail -f john_log.0 and watching for a new rule to be announced (via a "Rule #7" entry, for example), then pressing a key on the console running the john process, showed which rule was being used.
The plain-text versions of the rules were being pulled from the john.conf file under the [List.Rules:Wordlist] section.
Modifying jtr-1.6.36-mpi to perform distributed wordlist attacks using MPI, jtr-1.6.36-mpi-wlcmf
Modifications to the wordlist.c file are listed below:
1. Insert appropriate headers
#include "mpi.h"
#include "ryan.h"
#include <time.h>
2. Encompass the computational while loop in an if statement that checks if the word number is for this node id
if ( ((linenumber - 1) % mpip) == (mpi_id) ) {
3. Throw in a debugging option
Within the while loop a log_event() call was issued which will print out information, but using it is not recommended, as it will flood the hard disks.
Testing
To test the functionality I compiled jtr with the debugging option (by passing mpicc the -DCMF_DBG option), then tested john running as a single node, with 2 nodes, 3 nodes and 4 nodes. The tests were performed on an AMD K6-2 550MHz x86 machine with 256 MB of SDRAM. Even though it was tested on a single machine, MPICH can connect to itself to run.
The resulting johnlog.* files were then analysed to see which words john attempted to crack. All the tests were a success. Analysing the johnlog files numbers 0 through 3 showed that each node would only check each nth word (where n equaled 1, 2, 3, or 4, depending on which test).
| Number of Virtual Nodes | Test successful? |
| --- | --- |
| 1 | Yes |
| 2 | Yes |
| 3 | Yes |
| 4 | Yes |
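The word-to-node assignment from step 2 can be checked without an MPI installation by simulating each node id in turn, which is the same property the johnlog analysis confirms. This is an added example, not code from jtr-1.6.36-mpi-wlcmf: node_takes_line(), partition_is_exact(), words_for_node() and the seven-word list are hypothetical names and constructed data, and mpip is assumed to be the number of nodes; only the modulo test itself comes from the page.

```c
#include <stdio.h>

/* Step 2's predicate. Assumes linenumber starts at 1 and node ids at 0.
 * With a 0-based linenumber, (0 - 1) % mpip is -1 in C for mpip > 1,
 * so the first word would be claimed by no node at all. */
static int node_takes_line(long linenumber, int mpip, int mpi_id)
{
    return ((linenumber - 1) % mpip) == mpi_id;
}

/* Constructed sample wordlist (stands in for /usr/share/dict/words). */
static const char *WORDS[] = { "alpha", "bravo", "charlie", "delta",
                               "echo", "foxtrot", "golf" };
#define NWORDS ((long)(sizeof WORDS / sizeof WORDS[0]))

/* Returns 1 when every line is claimed by exactly one of the mpip nodes,
 * i.e. no word is skipped and no word is tried twice. */
static int partition_is_exact(long nwords, int mpip)
{
    for (long line = 1; line <= nwords; line++) {
        int claims = 0;
        for (int id = 0; id < mpip; id++)
            claims += node_takes_line(line, mpip, id);
        if (claims != 1)
            return 0;
    }
    return 1;
}

/* Number of words one node ends up trying (its share of the list). */
static long words_for_node(long nwords, int mpip, int mpi_id)
{
    long n = 0;
    for (long line = 1; line <= nwords; line++)
        n += node_takes_line(line, mpip, mpi_id);
    return n;
}

int main(void)
{
    /* Same node counts as the test table: 1, 2, 3 and 4. */
    for (int mpip = 1; mpip <= 4; mpip++) {
        printf("%d node(s): partition %s\n", mpip,
               partition_is_exact(NWORDS, mpip) ? "exact" : "BROKEN");
        for (int id = 0; id < mpip; id++)
            printf("  node %d tries %ld word(s)\n", id,
                   words_for_node(NWORDS, mpip, id));
    }
    return 0;
}
```

When the wordlist length is not a multiple of the node count, the lower-numbered nodes receive one extra word each, so the split is uneven by at most one word per node.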