Date: Mon, 13 Jun 2005 19:04:05 -1000 (HST)
From: newsham@...a.net (Tim Newsham)
To: solar@...nwall.com (Solar Designer)
Cc: john-users@...ts.openwall.com, newsham@...a.net
Subject: Re: Cracking japanese passwords?

> Sorry for the delayed response.  I am handling these in batches, as
> you can see. ;-)

Sorry for the late reply to your reply -- just noticed a ton of
mail got missorted and had to manually go back over them...

> It's nice to see you post here.  It'd be even better if you also were
> subscribed; it's not hard for me to copy you on this response knowing
> that you are not on the list, but others wouldn't know.

I don't mind, I'm following the list archives on the web..

> Alternatively, if you don't mind messing with John source code, you
> could implement a whole new cracking mode for Japanese passwords.
> You can check out external.c: do_external_crack() and wordlist.c:
> do_wordlist_crack() (and other functions in those source files) for
> a couple of examples.

Hmm.. I'll look into this...

> But it'd be easiest to implement your idea with an external script,
> such as in Perl.  You'd feed the output of such a script into
> "john --stdin ..." (if you do not require crash recovery) or you'd
> save it in a file and use that as a wordlist.  For the numbers you've
> provided above, the file size would be around 1 GB.

I was doing this in Python so far.  I wasn't aware of the stdin
option (I'm fairly new to John), so I spit it out to a file, but
it was somewhat of a pain due to the slowness of Python writing
to disk and having to generate small subsets of the list at a
time (I was in a small VMware at the time).  --stdin would definitely
have helped at the time :)

Perhaps I should just write a small C generator and submit that.

> Now, an idea you might not have considered: place all possible
> Japanese-like passwords into a fake john.pot, then use that to
> generate a japanese.chr.  Then define a new "incremental" mode and use
> that.  The new mode won't be limited to trying the passwords that were
> generated (although most of these will be tried earlier than others),
> but it'd also catch misspellings.

Hmm.. I'll have to look into the .pot files to understand what
you're describing.  Thanks for the lead.

> Any possible implementation of this would be a welcome contribution.

I'll let you know what I come up with.

> Alexander Peslyak <solar at openwall.com>

Tim N.
