Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Aug 2010 00:35:32 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: 1337 aka Leet Rules

I'll quote a little bit more context this time:

On Mon, Aug 02, 2010 at 09:52:04AM -0400, Rich Rumble wrote:
> >> r3member, rem3mber, rememb3r, r3memb3r, r3m3mber, rem3mb3r, r3m3mb3r
> >
> > Here's how you can do it:
> >
> > /e op3
> > %2e op3 /e op[e3]
> > %3e op3 %2e op[e3] /e op[e3]
> > %4e op3 %3e op[e3] %2e op[e3] /e op[e3]
> 
> Thanks! This cracked many of the passes I failed to in the last audit,
> I created other rules that mirror this with o,i,a,s and g.
> What is the best method to combine such rules, e.g.
> %2e op3 /e op[e3] %2o op0 /o op[e0]
> or is there a more efficient way to do this variation of leet replacement?

Your suggested line is not very inefficient, but it does not "fully" do
what you might have expected it to.

To produce all combinations of "e" to "3" and "o" to "0" replacements in
a word containing 2 instances of each of these characters, you can use:

%2e vap0 %2o vbp0 /e vcp0 /o op[o0] oc[e3] ob[o0] oa[e3]

For "goodbeef", it produces:

goodbeef
goodbe3f
go0dbeef
go0dbe3f
goodb3ef
goodb33f
go0db3ef
go0db33f
g0odbeef
g0odbe3f
g00dbeef
g00dbe3f
g0odb3ef
g0odb33f
g00db3ef
g00db33f
words: 16  time: 0:00:00:00 100%  w/s: 1600  current: g00db33f

Notice that it includes the original word as well (obviously, that's one
of the 16 combinations).  To avoid that in the trivial way, add "Q" to
the end of the line, but that's currently inefficient (one of the 16
rules generated by the preprocessor will be a reject-all rule then,
which would cause JtR to freeze for a little while when it goes through
the wordlist rejecting every word until it gets to the next rule).
Also, this will reject all input words that don't contain at least two
instances of each of the letters to replace.  This may or may not be as
desired (depends on what other rules you have).

An alternative that does not require 2 instances of each letter may be:

/e op[e3] /o op[o0]
%2[eo] op\p[30] /\r[eeo] op\p[e30]
%2[eo] op\p[30] /e op3 /o op0
%2e op3 %2o op0 /e op[e3] /o op[o0]

For "goodbeef", it produces the same 16 candidate passwords as above,
but it will also produce some for words with fewer letters to replace.
It requires at least one "e" and at least one "o".

To avoid producing an unmodified instance of the word, this may be
further revised to:

/[eo] op\p[30]
/e op3 /o op0
%2[eo] op\p[30] /\r[eeo] op\p[e30]
%2[eo] op\p[30] /e op3 /o op0
%2e op3 %2o op0 /e op[e3] /o op[o0]

(the first line was replaced with two different ones).  For "goodbeef",
it produces just 15 candidate passwords (no "goodbeef" itself).

This gets tricky as you can see, and the choice depends on what other
rules you have.

> I'm sure my additional leet rules can be optimized as well?
> ....
> l/a/e/l/o/ssa4se3sl1so0ss5
> l/a/e/l/o/ssa4se3sl|so0ss5
> l/a/e/l/o/ssa@...sl1so0ss$
> l/a/e/l/o/ssa@...sl1so0ss5

The four lines above can be shortened to:

l /a /e /l /o /s sa4 se3 sl[1|] so0 ss5
l /a /e /l /o /s sa@ se3 sl1 so0 ss[$5]

This produces exactly the same candidate passwords as your lines did.

Since you'll likely want to try more combinations (which was merely
inconvenient for you to specify without making use of the preprocessor),
you can use this single line instead:

l /a /e /l /o /s sa[4@] se3 sl[1|] so0 ss[$5]

> I personally think they should be in the default rules list, but I'm biased :p

I think there should be multiple default rulesets, for use on different
occasions.  There may also be a top-level cracking mode that will list
combinations of wordlists and rulesets to try (small wordlists with large
rulesets and large wordlists with small rulesets), as well as other things.

> Thanks again, I had a great time with this contest, let me know
> if there are any additional stats you want from me, I only ended up using
> 8 of my 14 available processors.

Yeah, we lacked people who would figure out and implement patterns to
test, so many CPUs remained idle.  I don't think we need more stats from
you, unless we're unable to answer a specific question we're asked
without that.  Thank you for your participation!

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.