Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 12 Aug 2010 09:17:40 -0400
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Consonant Vowel Patterns

I wanted to ask if others had experimented with consonant vowel patterns
in password cracking? Perhaps others know this approach by a different
name? I believe the proper term is phonology (I may be wrong on that).
Here is an example pattern:

CVCCVC

That pattern is common and found in many words. Here are some words
based on it:

batman
badguy
bigboy
(catfig)ht
(barfig)ht
(Falcon)s
bullet
defcon
...

That is just one common pattern, there are many others. One thing I like
about these patterns is that they are cheap to compute and once
computed, you have all passwords that fit that pattern.

The C list is only consonants and the V list is only vowels. N is only
numbers while S is only special chars.

C = 30s-40s (drop chars that are seldom used z,x,j if you like)
V = aeiouAEIOU
N = 1234567890
S = 30s (less if you only want the commonly used chars)

So any variation of batmanNN would be cracked by CVCCVCNN and it only
takes 40 * 10 * 40 * 40 * 10 * 40 * 10 * 10 = 25,600,000,000:

BATMAN78
Batman01
bAtMaN00
...

This is the approach I took with 16Crack in the KoreLogic contest. And
again, I lost by *a large margin* as I was only averaging about 80
cracks per hour and in order to be competitive I would need to average
about 800 cracks per hour. Nonetheless, it was interesting to me to see
how this approach would fair against the more conventional approaches.

There may be a mode somewhere in JTR that does this or something
similar. I only wanted to share it with the list just in case others
find it useful for some sort of attack. Obviously, it does not stand on
its own and needs other approaches combined with it to be competitive
and may be a bad idea altogether compared to traditional approaches.

Any advice on the approach or thoughts of its general worthiness is
appreciated!

Brad

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.