Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 26 Oct 2010 10:19:25 -0400
From: Charles Weir <cweir@...edu>
To: john-users@...ts.openwall.com
Subject: Re: Solution to this 'l33t' rules problem?

> Being thorough may be a bit too much especially if you
> have a lot of words to leetify
> There are: 19440 possibilities for the word: neglected

I fully agree with you Brad. This might be about time to spin off a
second thread, but now that we have some ways of generating full
replacement guesses, the next question of course is what replacements
are the best to use. This is especially true since there are other
mangling rules to consider as well. For example, if you wanted to add
two digits to the end of a guess in addition to doing full mangling,
in the case above the word 'neglected' would generate 1,944,000 unique
guesses. With a small to medium sized dictionary and a quick hash like
MD5, that's still doable, but we might want a smaller subset of
replacements to use in other cases.

I did some research a while ago trying to measure the frequency of
different replacements and identify new replacements using
edit-distance calculations, (if you're REALLY bored I have a short
write-up of what I did in chapter 3.3 of my dissertation). That
research desperately needs to be updated on some of the new datasets
I've collected. I also need to spend some time improving my analysis
tool so I can give it to other people to run on non-public datasets,
(and so it catches more mangling rules). Whether I actually get around
to doing that in the near future is iffy though, (especially after my
main computer suffered an unfortunate accident. Thank god for
backups).

In my limited testing, by far the most common replacements, (in
frequency order), were:
i->1
e->3
o->0
a->@
s->$
l->1
t->+

I need to go back and manually look for some of the less common replacements.

The other use of replacements though would be to mangle a dataset of
previously cracked passwords when targeting new password hashes. This
is actually what I've been working on recently and prompted some of my
previous posts to this list such as:

http://article.gmane.org/gmane.comp.security.openwall.john.user/3157/

This was actually inspired by a great paper presented in CCS by
Yinqian Zhang, Fabian Monrose and Michael Reiter titled: "The Security
of Modern Password Expiration: An Algorithmic Framework and Empirical
Analysis", which is available for download here:

http://www.cs.unc.edu/~yinqian/password.html

That's also why I've been looking at string replacements such as
replacing 2009 with 2010. Where this is also useful though is for
updating wordlists of previously cracked passwords, such as the
RockYou list. It would be nice to change all of those '2009's into
'2010' and soon '2011'. It also leads itself to targeted based
cracking sessions. If you know your target likes to use certain l33t
replacements, you really want to include those specific replacements
in future cracking sessions as well.

Matt

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.