Date: Wed, 27 Aug 2008 20:27:39 -0400
From: Adam Turk <bofh1234@...mail.com>
To: <john-users@...ts.openwall.com>
Subject: RE: generating a wordlist with john


> Date: Thu, 28 Aug 2008 03:43:44 +0400
> From: solar@...nwall.com
> To: john-users@...ts.openwall.com
> Subject: Re: [john-users] generating a wordlist with john
>
> I am sorry for not commenting on this earlier. I was hoping that
> someone else would, and in fact I wanted to encourage that...

Not a problem.  I was not in a hurry for a response.  

> 96 is correct. That's one empty password (because the default
> definition for "[Incremental:All]" has "MinLen = 0") plus the 95
> passwords that you mention.
>
> That's 1 empty password plus 95 passwords mentioned above plus 9025
> two-character passwords.
>
> The same applies to your three-character example.

The reason this came up is I was reading a posting at forums.remote-exploit.org that says I could use john to generate a wordlist.  I am researching different wordlist generators.  To find the size of a wordlist, it is the number of characters ^ the length you want.  So using the 95 English characters and a length of 3, there should be 857,375 words.  John is generating 866,496 words.  So john is generating extra and, I am guessing, unusable words.

> The --stdout option does not specify a minimum length; its parameter
> only tells John to truncate passwords at the specified length (and John
> is smart enough to not even generate longer passwords most of the time).
> If you want to enforce a minimum length, you need to adjust MinLen
> (specific to "incremental" mode), use an external filter() (along with
> any other cracking mode), or use an external program such as grep.

Ah ok.  If I understand this correctly, using john --incremental=All --stdout=2 will just randomly generate a combination of characters and then truncate said combination to the length specified.  There is no guarantee that you would end up with every possible combination of 95 characters.  The generated list could have the same word multiple times and leave some out.  Is this right? 

Thanks,
