
Non-printable or control chars in the Password field

Open shinnok opened this issue 9 years ago • 7 comments

We need to indicate non-printable or control chars too in the Password field. Maybe encoding to something like UTF would work for passwords containing such chars.

shinnok avatar Jun 26 '15 11:06 shinnok

I don't really understand this issue. Use case:

  1. We get a control char from John --show. 1) Which encoding is john --show: is it ASCII, UTF-8 or UTF-16? 2) Are we talking about the ASCII control characters only, 0-31 (http://www.ascii-code.com/)?
  2. We have the lines:

         QByteArray output = m_johnShow.readAllStandardOutput();
         QTextStream outputStream(output);

     We can set the codec on the QTextStream there.

mathsoft-dev avatar Aug 13 '15 11:08 mathsoft-dev

Also, please explain to me your theory on why using UTF could show unprintable characters in the table view?

mathsoft-dev avatar Aug 15 '15 13:08 mathsoft-dev

Also, please explain to me your theory on why using UTF could show unprintable characters in the table view?

My current john.pot contains non-ASCII characters such as Д from the CMIYC contest, and when I call outputStream.codec()->name(), without changing anything in the current/master johnny code, I get "UTF-8" and this character is printed out correctly in the table view. So maybe the QTextStream already always chooses UTF or auto-detects it based on the john --show output.

mathsoft-dev avatar Aug 15 '15 13:08 mathsoft-dev

Non-printable is different than non-ascii chars. Ascii includes non-printable chars like carriage return or backspace. UTF char space is not a problem given that we use Qt.

http://www.juniper.net/documentation/en_US/idp5.1/topics/reference/general/intrusion-detection-prevention-custom-attack-object-extended-ascii.html

shinnok avatar Aug 18 '15 10:08 shinnok

UTF support in JtR is only a recent thing and jumbo only afaik. I guess we have to work with what John outputs. The first thing to try is to see how JtR prints ascii control chars or ask on the list. I think Frank asked for this in a thread, track it down if you can and reply there.

shinnok avatar Aug 18 '15 10:08 shinnok

Here is magnum's answer:

On 2015-08-18 14:23, Mathieu Laprise wrote: Shinnok wants to indicate non-printable or control chars in Johnny's Password field for core and jumbo. We're not really experienced with encoding. How does JtR print ASCII control chars in john --show?

It just prints them. A tab is printed as a tab, an \x07 might ring a bell. It's normally not an issue since no-one has them in real passwords.

mathsoft-dev avatar Aug 18 '15 20:08 mathsoft-dev

Based on Frank's and Magnum's feedback I'm moving this task to a later milestone.

The way this should be handled is to provide a means for showing all passwords in hex encoding, via a checkbox or right-click context menu.

shinnok avatar Aug 20 '15 13:08 shinnok
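
The hex display proposed in the last comment, together with an escaped view that marks control chars, as an added example in plain C++ (not Johnny's code and not from any participant in this thread). It assumes "control char" means ASCII 0-31 and DEL; the function names and the sample password are made up for illustration.

```cpp
#include <iostream>
#include <string>

static const char kDigits[] = "0123456789abcdef";

// Assumption for this example: "control char" means ASCII 0-31 and DEL (127).
// Bytes >= 0x80 are left alone so UTF-8 text such as "Д" passes through.
static bool isControlByte(unsigned char c) { return c < 0x20 || c == 0x7f; }

// True if the password holds at least one control byte.
bool hasControlChars(const std::string &password) {
    for (unsigned char c : password)
        if (isControlByte(c)) return true;
    return false;
}

// Hex view of every byte, for the "show all passwords in hex" option.
std::string toHex(const std::string &password) {
    std::string out;
    for (unsigned char c : password) {
        out += kDigits[c >> 4];
        out += kDigits[c & 0x0f];
    }
    return out;
}

// Escaped view: control bytes become \xNN and a backslash is doubled,
// so the result is unambiguous; everything else is copied unchanged.
std::string escapeControlChars(const std::string &password) {
    std::string out;
    for (unsigned char c : password) {
        if (c == '\\') {
            out += "\\\\";
        } else if (isControlByte(c)) {
            out += "\\x";
            out += kDigits[c >> 4];
            out += kDigits[c & 0x0f];
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

int main() {
    const std::string sample = "pa\tss\x07";  // constructed sample password
    std::cout << escapeControlChars(sample) << "  " << toHex(sample) << "\n";
    return 0;
}
```

In a Qt table view the same functions could be applied to the UTF-8 bytes of each password before the cell text is set, with `hasControlChars` deciding which rows get the escaped form.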