Date: Mon, 8 Mar 2010 04:00:07 -0500
From: "Matt Weir" <cweir@...edu>
To: <john-users@...ts.openwall.com>
Subject: RE: generate passwords with wDDDwDDD template

>> I would like to generate a passwords list 
>> with wDDDwDDD template, where 'w' is a 
>> [a-Z] and 'D' is a [0-9]. 

You can do this using the preprocessor in JtR's rules file. I had written a
sample config showing how to compose similar targeted brute force rules a
while ago and I figure this is as good a time as any to re-upload it to the
web. It's labeled john_bruteforce.conf and you can download it here:

http://sites.google.com/site/reusablesec/Home/john-the-ripper-files/john-the-ripper-sample-configs-1

Note, it assumes you run JtR in wordlist mode with an input dictionary
consisting of the 26 lower characters in the alphabet, one per line. Aka

a
b
c
d
...
z


While I don't have your rule in the sample config, it would probably look
like

:$[0-9]$[0-9]$[0-9]$[a-z]$[0-9]$[0-9]$[0-9]

I haven't tested it myself so there may be a typo.


>> I also wish to know how to generate the full 
>> list of words where each word is 8 symbols in length and word contains 
>> at least one digit or word.

I think I understand you. Aka you are trying to construct a bruteforce rule
to target passwords that were created under a password creation policy that
mandated passwords must be eight characters long and contain at least one
letter and one digit. That's much trickier considering the large number of
combinations and would require 256 rules using the above method. I'm a
little too lazy to write those myself ;)

One tool you might want to check out is crunch. It is a wordlist generator
and can be used in conjunction with John the Ripper by piping its output
into JtR using the -stdin option. I haven't played with it for a while but I
know at one point in time people were talking about adding the capability to
do what you were asking. Even if it doesn't, it's easier to use than writing
your own rules, though using JtR's preprocessor actually is much faster when
attacking quick hashes like MD5. You can download crunch here:

http://sourceforge.net/projects/crunch-wordlist/

I hope this helps,

Matt Weir
http://reusablesec.blogspot.com 
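
Added example, not part of the original message and not John the Ripper's own code: a simplified Python model of the preprocessor's bracket expansion, applied to the rule above, that sizes the wDDDwDDD search space when auditing how much such a template really covers. It assumes only the `:` and `$X` rule commands and plain `x-y` ranges with no escapes; the function names are hypothetical.

```python
import itertools
import re
import string

# One preprocessor token: a [...] character class, or any single literal character.
TOKEN = re.compile(r"\[([^\]]+)\]|(.)")
RULE = ":$[0-9]$[0-9]$[0-9]$[a-z]$[0-9]$[0-9]$[0-9]"  # rule from the message
WORDLIST = list(string.ascii_lowercase)  # constructed: a..z, one per line

def expand_class(body):
    """Expand a class body such as '0-9' or 'a-cxyz' into its characters."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars

def slots(rule):
    """Split a rule into positions, each a list of the characters allowed there."""
    return [expand_class(m.group(1)) if m.group(1) else [m.group(2)]
            for m in TOKEN.finditer(rule)]

def rule_count(rule):
    """Number of concrete rules the bracket expansion stands for."""
    n = 1
    for s in slots(rule):
        n *= len(s)
    return n

def expand_rule(rule):
    """Lazily yield each concrete rule (ordering is this sketch's, not JtR's)."""
    return ("".join(c) for c in itertools.product(*slots(rule)))

def apply_rule(word, rule):
    """Apply the two commands modelled here: ':' (no-op) and '$X' (append X)."""
    out, i = word, 0
    while i < len(rule):
        if rule[i] == "$":
            out, i = out + rule[i + 1], i + 2
        elif rule[i] == ":":
            i += 1
        else:
            raise ValueError(f"unsupported rule command: {rule[i]!r}")
    return out

if __name__ == "__main__":
    total = rule_count(RULE) * len(WORDLIST)
    print(rule_count(RULE), "rules x", len(WORDLIST), "words =", total, "candidates")
    print(apply_rule(WORDLIST[0], next(expand_rule(RULE))))
```

The whole lowercase template is 676,000,000 candidates, which is why a fixed letter/digit layout adds little strength against fast hashes.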
