For those who haven't seen it, here's a link to the talk:
http://mirror.netcologne.de/CCC/congress...ing_hd.mp4
My comments on this:
- The first 10 minutes is mostly about default password stuff
- Default password stuff is mostly interesting for pentesters, not so much for forensics
- UNHash specific background seems to start at ~ 10:20
- I disagree, you can't crack (preimage) MD5 with only pen and paper (10:48)
- Agree, don't use brute-force for slow hashes (11:15)
- How can you crack passphrases? Easy, with PRINCE (11:39)
- UNHash introduces new rule syntax (11:46)
- A candidate generator should be able to produce non-English passwords, too (12:45)
- Agree, machine learning algorithm will fail for passwords (13:26)
- Postgres involved in this?! For large wordlists > 100 billion this probably will fail (14:56)
- Writing a classifier is bad as it takes time and personnel that know about syntax (17:30)
- My gut feeling tells me problems with escaping are preprogrammed (18:00)
- There's no specific benefit for UNHash to use any wordlists you like. That's true for nearly all candidate generators (hashcat, prince, jtr, ...) (20:15)
- It would be interesting to know how fast UNHash can produce new candidates as this is one of the most important factors in password cracking (21:00)
- Author announced details about comparison but either he didn't do it or I missed it (21:21)
- Measurement of guessing efficiency is still not standardized, but it's obvious it will go more into the guesses/cracks direction than it goes into time/cracks as this will work for all algorithms
My impression is that UNHash is near to tools like wordhound, they could be called preprocessors.
I somehow missed the link how the talk on default passwords on the start is related to UNHash.