Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Feb 2009 23:32:53 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 2 known letters + wordlist word --> is new format definition best way?

On Mon, Feb 09, 2009 at 07:20:23AM +0000, P PO1434 wrote:
> I have a question regarding a long list of partially known passwords that use a simple MD5 hash. In my case, I know the first 2 characters (digits), however I would like john to use the wordlist for the remaining characters.

Are those two known characters the same for all partially known passwords
on your list or do they differ per password?

> My options seemed to me to be:
> 
> 1) Make a new rule in [List.Rules:Single] 
> 
>    ^[0-9]^[0-9]
> 
>    This worked quite well, but of course not I'm not using the known digits, so 100 x slower than necessary.

What stops you from specifying the known digits in that rule?  Also, the
section [List.Rules:Single] is for "single crack" mode only.  You need
to use [List.Rules:Wordlist] for wordlist mode.

> 2) Make an external/incremental rule like the one in the wiki that forces the 2 digits in at the front, then goes through every combination of alpha letters.
> 
>    Not very efficient, given I expect the word will be in list.

What stops you from using the external mode filter() that prepends the
two known characters along with wordlist mode?  For example, you can
take the PrependSalt external mode from this posting:

	http://www.openwall.com/lists/john-users/2009/01/21/2

and use it along with a wordlist like this:

	./john -w=password.lst --rules --external=PrependSalt --format=raw-md5 passwd

I added "--rules" here simply because it makes little sense to go for an
external mode if all you need is to prepend two known characters to all
"words"; that can be done with wordlist mode rules as explained above.
A possible reason to use an external mode here is thus if you want to
use the rules as well, for a different purpose (e.g., keep and use the
default wordlist ruleset, along with prepending the known characters).

> 3) Write a xxx_fmt.c based on rawMD5go_fmt.c
> 
>    Struggling with this at the moment, but it looks like the best option (?)

If your two known characters as the same for all passwords you want to
be cracking at once, then you don't need to modify any C files.  The
approaches mentioned above will work.

However, if your two known characters differ per password, then you may
in fact prefer to implement what you need in C instead of having to run
JtR for each different 2-character prefix separately.  Please refer to:

	http://www.openwall.com/lists/john-users/2009/01/21/5

> My questions are:
> 
> a) Am I even barking up the right tree creating a new xxx_fmt.c based on rawMD5go_fmt?

Maybe not.  You need to start by defining your task fully.

> b) If a new fmt is the right way, will it be a matter of just 'overriding' the set_key function?

Given the way you have worded the question above, the answer is no.
Specifically:

Defining a new "format" (or patching an existing one) only appears to be
the right way to approach your task if you essentially implement salts -
that is, if your two known characters differ per password hash.  In that
case, no, "overriding" set_key() won't be sufficient.

On the other hand, "overriding" set_key() will be sufficient if the two
known characters are the same for all loaded password hashes.  However,
in that case defining a new "format" (or patching an existing one) does
not appear to be the right way to approach the task - cleaner and easier
ways have been mentioned above.
 
> c) Is it possible/correct to create external rules that use a wordlist, or are these rules just exhaustive searches?

An external mode can't use a wordlist directly, however an external
filter() can be used along with any other cracking mode, including along
with the wordlist mode.  As you already know, filter() can do more than
just filter some "words" out - it can also modify the "word".

Alexander

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.