Comments on UNHash talk at 31c3
#1
For those who haven't seen it, here's a link to the talk:

http://mirror.netcologne.de/CCC/congress...ing_hd.mp4

My comments on this:
  • The first 10 minutes is mostly about default password stuff
  • Default password stuff is mostly interessting for pentesters, not so much for forensics
  • UNHash specific background seem to start at ~ 10:20
  • I disagree, you can't crack (preimage) MD5 with only pen and paper (10:48)
  • Agree, don't use brute-force for slow hashes (11:15)
  • How can you crack passphrases? Easy, with PRINCE (11:39)
  • UNHash introduces new rule syntax (11:46)
  • A candidate generator should be able to produce non-english passwords, too (12:45)
  • Agree, machine learning algorithm will fail for passwords (13:26)
  • Postgres involved in this?! For large wordlists > 100 billion this propably will fail (14:56)
  • Writing classifier is bad as it takes time and personal that knows about syntax (17:30)
  • My gutfeeling tells me problems with escaping is preprogrammed (18:00)
  • Theres no specific benefit for UNHash to use any wordlists you like. That's true for nearly all candidate generators (hashcat, prince, jtr, ...) (20:15)
  • It would be interessting to know how fast UNHash can produce new candidates as this is one of the most important factors in password cracking (21:00)
  • Author announced details about comparison but either he didn't do it or I missed it (21:21)
  • Meassurement of guessing efficiency is still not standartized, but it's obvious is will go more into the guesses/cracks direction than it goes into time/cracks as this will work for all algorithms

My impression is that UNHash is near to tools like wordhound, they could be called preprocessors.
I somehow missed the link how the talk on default passwords on the start is related to UNHash.
Reply
#2
Thanks !

The audio on the video you gave is in german :/
Reply
#3
here's the english version
https://www.youtube.com/watch?v=_w1vaVNj8fc
Reply