Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Jun 2006 05:14:13 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Problem with rules and Charset for french language

On Tue, Jun 27, 2006 at 05:19:25PM -0000, madfran wrote:
> - It is a LM hash
> - It begin with the letter "S"
> - The last character is "г" (french character)

When trying to pass that information into John, you must not forget that
John splits LM hashes of passwords longer than 7 characters into their
halves.  If John appears to load "2 hashes" for your LM hash, then this
applies to you.  If so, you should not restrict John to trying only
passwords starting with an "S" since the character in position 8 of your
password might not be an "S".  Similarly, you should not restrict John
to trying only passwords ending with your "French character" since the
character in position 7 of your password might be different.

It may make sense for you to apply such restrictions separately from
each other.  That is, you let John try candidate passwords (to be tried
against the LM hash halves) that either start with an "S" (likely
matches against the first half) or end with your "French character"
(likely matches against the second half).

> - I don't know the other characters bat I am sure it contents some of the
>   following french characters,
>   "баюгийхктношэ"

Well, it means that you can't just use the provided .chr files.

> I want to do:
> - Perform an attack fixing first and last character

Please see above.

You can implement that with an external filter(), in two ways: either by
filtering out candidate passwords that don't meet the criteria (too slow
to be used with the fast LM hashes) or by prefixing or suffixing other
candidate passwords with your known characters.  If your LM hash is in
fact being split into two (that is, if your target password is more than
7 characters long), you'd need to define two such external modes - and
use them on separate invocations of John.  You can find an example here:

	http://www.openwall.com/lists/john-users/2006/04/08/2

> - Use in the others positions the french characters (others than standard)

You may start by running a French or a multi-lingual wordlist.  You may
combine that with an external filter() as suggested above, although
wordlist runs against LM hashes are usually quick enough anyway (just a
few minutes even when you're letting John apply word mangling rules).

If that doesn't (fully) crack your password, you may proceed to define
and run a full-blown external mode.  You can start with the "8bit"
external mode example given in the following older john-users posting:

	http://www.openwall.com/lists/john-users/2006/02/16/1

This "8bit" mode may be good enough as-is to crack the second half of
your password if it is short.  Say, if the password is 10 characters
long, its second half is just 3 characters - so it'd get cracked quickly.

For longer password halves, you'd need a smarter external mode (that
would use a smaller character set, possibly different for each character
position) - or you could adjust the CHARSET_* settings in params.h,
re-compile, and generate a custom .chr file.  For the latter, you'd need
to have some passwords (or password-alikes) containing all of your
character set in your john.pot:

	http://www.openwall.com/lists/john-users/2006/01/29/1

You'd need to use --external=filter_lanman when generating your new .chr
file to let John take advantage of the fact that passwords input to LM
hashes are case-insensitive (for 7-bit characters).  Then base your new
"incremental" mode definition on [Incremental:LanMan] (the important
setting is "MaxLen = 7").

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ