Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 22 Jul 2012 19:09:14 +0200
From: Frank Dittrich <>
Subject: Patterns detected (single mode) ...

Hi all,

taking a break after 4 hours gave me time to think about what I did,
where I failed last year, and what information I got from others during
the first 4 hours of our pseudo contest.

Last year I thought with my limited hardware I had to concentrate on
fast hashes, and put much effort into cracking DES hashes (but not those
from the challenges).

Had I put more effort into mscash2 and other slow hashes, probably we
could  easily have about 50 more mscash2 hashes cracked.

So, while I again focused on fast hashes for the first 4 hours (minus
the time I wasn't productive at all, but still fighting with my setup),
I intended to improve in preparation for the second round.

Jim posted successful cracks from --single runs on slow hash formats.

The successful patterns were:
<* $[!@$#]
<* c Q $[!@$#]
<* T0 Q $[!@$#]

Last year, I found a similar pattern, but didn't notice that the real
pattern was much more specific than I assumed.
I just  used this one:
-c <*T[0-9A-Z]Q$[ -/:-@[-`{-~]

So I thought, I might try other mangling rules + $[!@$#].
I always tried a new single mode rule set on saltless / fast hashes
first, and moved on to slower hashes when I was successful.

This was the first great success: instead of toggling case for the first
character, I could just as well try to toggle the second ... last:

T[1-9A-F] Q $[!@$#]

I should at least have used
<* T[0-9A-F] Q $[!@$#]

But if you quickly want to test a new idea, faster implementation also
has its merits.

Then I thought, what if I toggle more than one character (again, this is
not the most efficient way):
<* T[0-9A-E] Q M T[1-9A-F] Q /?u $[!@$#]
<* T[0-9A-D] Q M T[1-9A-E] Q /?u M T[2-9A-F] Q $[!@$#]

And this was successful as well, but I noticed something else.

Often, the letter that was converted to upper case was always the same.
e.g., i had all 2 or 3 'e' characters converted to 'E', or 'a' to 'A'.

Then I thought, leet mangling rules + $[!@$#] might work even better.
And they did.

First I used what I could think of.
Then, I used the leet rules from korelogic.conf on fast hashes, and
noticed that I missed these mappings:

/i si|
/l sl[!|]

So I tried these (separately, and in combination with my other leet
rules + optionally toggling the first character before applying leet
rules) on slow hashes as well.

Now I have 49 cracked mscash2 hashes (including the ones , all cracked
using single mode rules - this is with the 6 password which only append
a character and optionally toggle the first character. These probably
have been found by Jim.

We also have 50 cracked bf hashes using the above mentioned single mode

So, the *real* pattern is much faster (covering a smaller part of the
key space) and more successful (cracking more hashes) than what I had
"found" last year when trying single mode on fast hashes.

I also noticed something else:

For mscash2, bf, and the 94 phpass passwords, only passwords of user
names starting with 'a' have been cracked using these rules.

Had I detected this pattern earlier, I would have split the password
files, and tried user names starting with letter 'a' first.
So, for other user names we might yet have to find other single mode
rules that work.
If we are lucky, we identify those rules when cracking faster hashes
using more single mode rules. (Did anybody try T[0*]Az"20[10][102-9]"?)

I really hope MJohn will be in place for the real contest, so that we
see what has already been tried (especially on the slow hash formats).
If collecting this information happens more or less automatically, then
we can rely upon it.
(Users who are busy cracking hashes will probably be less likely sharing
what they try and/or reading what others try.
Unless we also manage to automate attacks, to save manual effort.
I would have liked to use something like:

for f in <list of formats, from saltless, fast to slow>
  ./john <attack> uncracked-$f.txt --format=$f --session=<name>_$f

And one more observation which I could not yet make much use of:
The mscash2 hashes don't have unique salts.
There are 6 salts which appear 3 times, and 84(?) which appear 2 times.

You can extract them using
./john --show=LEFT hashes-all.txt-1 --format=mscash2 --salts=2 |sort >

I am currently running a markov mode session on the 6 salts which appear
3 times - so far without success.

Therefor, I prepared the stats file from
LC_ALL=C grep -v "[^ -~]" rockyou.txt|grep -v "^[0-9]*$"
because I wanted to avoid non-ascii passwords and digits-only passwords,
assuming those had already been tried last year, and I wanted to find
something new.

Then, I used

for i in `seq 0 24`; do typeset -i j;j=i+1;echo $i $j; ./john
--markov=fd-r:175:${i}%:${j}%:27 --session=mkv-fd-r-175-$j
--format=mscash2; done

Because I have 4 cores on my laptop, in 3 other terminals, I use
`seq 25 49`, `seq 50 74` `seq 75 99`.

You may think of this as cheating, but I was afraid I might not have
time today evening. at least not 4 hours.
(Even If I will have time, I will probably be too busy trying out
something else, instead of taking the time to write long mails.)

That's why it is only fair that I made use of my 4 hours before you did.
(In the real contest, this is similar to learning something new from
reading mails of other users who have been cracking and/or searching for
patterns while you were asleep.)

I just uploaded a diff'ed john.pot (containing only what I didn't upload
earlier and what I didn't download from the server.), named


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.