Date: Mon, 27 Jul 2009 06:01:04 -0500 From: "JimF" <jfoug@....net> To: <john-users@...ts.openwall.com> Subject: Generation method I used for prepend and append 'rules' Here are the steps I used to build a nice prepend / append ruleset for usage in John. This information is being provided as is. It was thrown together, to satisfy a personal test (successful) of my own. It was coded quickly, and not done in a very clean manner. I make no apologies for it. use it or modify it to your own needs. Or simply use the rules I have provided, prebuilt. NOTE this method can crack some pretty long, and pretty complex passwords. First a little information. The data used, was a set of cracked passwords. There were NOT a simple john.pot, but a list of all the passwords used. If there were multiple words of the same, I wanted to have each multiple copy. To do this, I took the cracked list, and used john -show and piped that to a file. Then used cut So Step 1. Crack a lot of passwords, or get a good cracked db Step 2. Run john -show -format=??? hashes_lst > crk Step 3. Get 'just' the passwords: cut -d: -f2 crk > pass_all Ok, now we have a list of the cracked passwords. What we now want to do, is to 'find' things that are added to normal dictionary words (the database I worked from was mostly English, so I used English words). Obtain the proper language dictionaries from openwall.net For this example, I used all of the dictionaries from the English directories. Step 4. Get the dictionary words. I concatenated all the word files from 'English' section from the openwall lists. Step 5. Sort this dictionary list. The sorted file is named english-sorted.all Step 6. Run the program pre_post_cnt and redirect output. NOTE as in original source, the file names pass_all and english-sorted.all ARE required names. pre_post_cnt > data the pre_post_cnt.cpp is provided. It is a simple hacked out program, not well done, but it works (for me ;) The output will be 3 fields The fields are: count 'string' (Type) Type will be (Pre) or (Post). As the program runs (it may take a couple minutes), it will inform you to stderr what it is doing (which password is being worked on). When all are done, it will output and exit. NOTE this file will only output (as written), if there are 11 instances or more of a prepend/append sequence. This can be adjusted by editing the source. Step 7. Grep out (Pre) grep (Pre) data > pre_data Step 8. grep out (Post) grep (Post) data > post_data Note, I use wc to make sure that all of the lines were accounted for, they should be, but it never hurts to check. Step 9. Now, sort both per and post data sort -n -r pre_data > prepend-lst sort -n -r post_data > append-lst The default pre_post_cnt.cpp only outputs if > 10 'hits', but if you have coded to see ALL of them, you most likely will want to remove all of the singleton and probably even more from your prepend-lst and append-lst files. Ok, we are almost home. Step 10, build prepend.lst and append.lst files. These files contain ONLY the string data. To get them do: cut -d\` -f2 prepend-lst > prepend.lst cut -d\` -f2 append-lst > append.lst NOTE the back quote under the ~ char If this char is used, modify the pre_post_cnt.cpp to use a different letter. NOTE2, there will usually be more append rules (not sure why, but this is what I saw). That being so, I will often make sure more prepends get added, by requiring fewer to 'keep' them in pre_post_cnt.cpp step 11. Build the rules. Run the program JohnWordMerge.c (sorry about the naming, but that is it :) JohnWordMerge > rules Step 12. Edit john.conf (or john.ini) and add these rules as a new [Rules.Wordlist] section. If using the newer version of john, that .Wordlist can be any value, and then the rules=wordlist can tell john which section to use. Enhancements: Some up-casing, lower-casing (all upper was pretty good), Case, w-space removal, w-space removeal lower/upper, upcase after preprocessing (best in my test), etc all can crack more passwords. Not nearly as many as the 'base', but by the time you get to using rules like this, much of the wordlist based cracking has been done and only the 'hard' crap is left. Also, devising a method of doing pre AND append on the same word would certainly crack some words. I have not tried doing this, but it is not beyond the grasp of techniques shown here. Good luck, and happy cracking, Jim. The pre-built set of rules I have originally put together for this can be found on the wiki page. It was too large to send to the email list. http://openwall.info/wiki/john/usage-examples View attachment "pre_post_cnt.cpp" of type "text/plain" (4577 bytes) View attachment "JohnWordMerge.c" of type "text/plain" (3512 bytes) -- To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ