Date: Wed, 6 Jun 2007 10:54:06 +0100 From: "Evo Eftimov, iSec Consulting, www.isecc.com" <evo.eftimov@...cc.com> To: <john-users@...ts.openwall.com> Subject: RE: all.lst in English only Alex thank you for the extremely comprehensive response. All - I highly recommend John the Ripper to anybody with password validation project - just by running the software in single and worldlist modes (with carefully tuned rules taking into account specific cultural and psychological factors relevant to the target environment) I've been able to obtain 45% success rate. The single mode was extremely effective to demonstrate some quick wins to the management. Regards Evo -----Original Message----- From: Solar Designer [mailto:solar@...nwall.com] Sent: 05 June 2007 23:22 To: john-users@...ts.openwall.com Subject: Re: [john-users] all.lst in English only On Tue, Jun 05, 2007 at 10:12:16AM +0100, Evo Eftimov, iSec Consulting, www.isecc.com wrote: > ... the Wordlist CD contains an English dictionary consisting of the > following parts/subdirectories: > > Tiny, Small, Large and Extra For others reading this: These wordlists can also be freely downloaded from under /pub/wordlists (or equivalent) on Openwall FTP archive mirrors listed at: http://www.openwall.com/mirrors/ > My question is whether they subsume each other or work independently of each > other - for example does small contain tiny, does large contain small etc For all languages with this kind of split wordlists (not just English): "large" contains all of "small", "small" contains all of "tiny", however "extra" (if present) does NOT have entries in common with any of "tiny", "small", or "large". In other words, "extra" is just that - questionable entries that did not qualify for smaller wordlists, and only those entries. Please note that all wordlist files in this collection start with comments that list input wordlist files that were used to generate each larger file. > Because if this is NOT true the following solution can be applied: > > cat password.lst, English/tiny/*, English/small/*, English/large/*, > English/extra/* > all_english.lst > > john --wordlist=all_english.lst --rules --stdout | unique > mangled_english.lst Yes, it would work fine (with the erroneous commas on the "cat" command dropped and "cat" replaced with "zcat"), regardless of whether or not there are any duplicate entries in the input wordlists due to your use of "unique". However, I recommend this: zcat passwords/* languages/English/3-large/* languages/English/4-extra/* | grep -v '^#!comment:' | unique English.lst or: zcat passwords/* languages/English/3-large/* languages/English/4-extra/* | grep -v '^#!comment:' > English-dupes.lst john --wordlist=English-dupes.lst --rules --stdout | unique English-mangled.lst For slow hash types, you might want to drop the "extras". Another improvement may be to apply the mangling rules to "passwords" lists first, then do it for "tiny", then for "small", and finally for "large" and maybe "extra" - and combine all of the results with "unique". The total number of entries will be the same, but the order might be more optimal. A similar approach has been used for mangled.lst included on the CD. > tr A-Z a-z < mangled_english.lst | sort -u > mangled_english_sorted.lst This is not a good idea. The documentation recommends this command "for use with default wordlist rule set" - that is, to be applied prior to the rule set. Also, it is only needed when you're not using "unique", to reduce the number of duplicates that word mangling rules produce. When you are in fact using "unique", you're better off not converting your input wordlists to all-lowercase as there are some entries where the original case of characters is valuable. Perhaps the documentation is confusing and needs to be corrected. > john --wordlist=mangled_english.lst mypasswd Right. Just don't forget to run "single crack" and "incremental" modes as well. > MINLENGHT and MAXLENGHT in the default john.conf seem to be relevant only to > Incremental mode Correct. In fact, they're specified within "incremental" mode sections (oh, and they're called "MinLen" and "MaxLen"). > - what is the way to make them valid for wordlist mode. There's no way to do exactly that. Instead, word mangling rules may be specified that would reject words that fall outside of the desired length range. If you're going to use your pre-mangled wordlist (and thus don't need the mangling rules anymore), you can replace the "[List.Rules:Wordlist]" section contents with just this one line: >3<6 With the above example, if you run John with a wordlist and "--rules", it will only use entries that are 4 or 5 characters long. The rule will also apply if you set "Wordlist = ..." in john.conf to point to your pre-mangled wordlist and run John with no options at all (letting it do "single crack", then pre-mangled wordlist with the above length restriction, and finally "incremental" mode). When you do in fact have a pre-mangled wordlist, you can as well apply the length restrictions just once, save the resulting file, and use that - with no need for any filtering to be done on further invocations of John. You can even do the filtering prior to "unique", which is likely to reduce the total processing time (because "unique" will have less work to do). Why would you want to do that, though? I don't recommend it. Perhaps you have your reason, and once you explain it I might be able to suggest something better. -- Alexander Peslyak <solar at openwall.com> GPG key ID: 5B341F15 fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15 http://www.openwall.com - bringing security into open computing environments -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you. -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ