Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20110322223511.GA3624@openwall.com>
Date: Wed, 23 Mar 2011 01:35:11 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: single mode

On Tue, Mar 22, 2011 at 08:25:16PM +0100, magnum wrote:
> I did that fprintf hack so I can answer most of this myself.

I'm sorry I was not quick enough.  Thank you for posting the answers!

> * All words from the GECOS field that starts with a letter and consists 
> of alphanumeric only (anything else is scrapped)

Not exactly.  loader.c uses these separator characters:

/*
 * Word separator characters for ldr_split_words(), used on GECOS fields.
 */
#define issep \
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~\177"

And then there's this check in single.c:

		c = (unsigned int)first->data[0] | 0x20;
		if (c < 'a' || c > 'z') continue;

> [...] all possible pairs of these words (concatenated with no 
> delimiter) are tried. Also, another similar set of pairs is tried with 
> *first* word truncated to one character.

It is worth noting that the "first" word here is actually any word with
number below SINGLE_WORDS_PAIR_MAX (which is 4).  That is, by default
the first 3 words from the GECOS field will be additionally tested in
their truncated form (as initials).

>   jdoe      <- truncated pairs
>   djohn

Right, that's what I meant above.

> However, only the first four words are allowed as the first half of a 
> pair. If there are five words, the fifth will only ever be the second 
> half of a pair.

Not exactly.  The fifth (and on) won't be "paired" at all.  Here's what
happens (excluding combinations with the username, home directory name,
and initials):

w1
w1w2
w1w3
w1w4
w2
w2w1
w2w3
w2w4
w3
w3w1
w3w2
w3w4
w4
w5
w6

As you can see, w5 and w6 were not part of any pair.

> This is to limit the number of combinations and this 
> limit can be changed by altering SINGLE_WORDS_PAIR_MAX in params.h and 
> recompiling.

Exactly.

> >Would I ever need to swap 1 and 2 in  rules? I mean, if I have this rule:
> >
> >-p 1 $@ 2
> >
> >is there any reason to also have:
> >
> >-p 2 $@ 1
> >
> >or will that be tried anyway?
> 
> It will be tried anyway

Yes, except for the special case mentioned below.

> unless one of the words is word #5 or higher on the input line.

Yes, but in that case "-p 1 $@ 2" won't be trying the combination as well.

The special case, with default settings, is with word #4, which is never
tried as the first word in a pair (it's only tried as the second).

> There may be a little more to this that I haven't noticed but this is 
> the gist of it.

Right.  Thanks again!

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.