Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 10 Dec 2014 10:10:08 -0500
From: Matt Weir <cweir@...edu>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: PRINCE approach from hashcat

I'm working on a long writeup of the PRINCE tool, (running some comparison
tests right now), but the short answer is that PRINCE is a password guess
generator and can be thought of as an advanced Combinator attack. Rather
than taking as input two different dictionaries and then outputting all the
possible two word combinations though, PRINCE only has one input dictionary
and builds "chains" of combined words. These chains can have 1 to N words
from the input dictionary concatenated together. So for example if it is
outputting guesses of length four, it could generate them using
combinations from the input dictionary such as:
4 letter word
2 letter word + 2 letter word
1 letter word + 3 letter word
1 letter word + 1 letter word + 2 letter word
1 letter word + 2 letter word + 1 letter word
1 letter word + 1 letter word + 1 letter word + 1 letter word
..... (You get the idea)

At0m had been talking about it replacing things like the progression JtR
does with Single  => Wordlist => Incremental. That's because depending on
the wordlist it will eventually do several mangling techniques, (like
append digits), brute force, (up to eight characters long), etc. The more
I've been playing with it though the less useful I've found it. Aka I
suspect in most cases you are better off using a scripted progression
attacks like JtR vs relying on PRINCE. That's actually why I'm running the
tests right now so I can verify that assertion. I'm hopeful I should have a
full writeup on it done by this weekend if not sooner.

Matt

On Tue, Dec 9, 2014 at 10:20 PM, Lukas Odzioba <lukas.odzioba@...il.com>
wrote:

> 2014-12-10 4:01 GMT+01:00 Royce Williams <royce@...ho.org>:
> > What's hashcat up to here?  I only skimmed the PDF briefly.
> >
> >     https://hashcat.net/tools/princeprocessor/
>
> For me it looks like combinator attack generalized to a given final
> password length.
>
> > – Generate password with chain
>
> It is not covered in the presentation but I assume it is string
> concatenation, but there could be some additional rule engine to build
> passwords from n "roots" or "base word sets", this in some cases would
> break chain length limit which I guess might be some kind of
> optimization.
>
> I like the idea, and it is good to see that someone is still working
> on new methods.
>
> Lukas
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.