Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Aug 2010 09:17:40 -0400
From: Brad Tilley <brad@...ystems.com>
To: john-users@...ts.openwall.com
Subject: Consonant Vowel Patterns

I wanted to ask if others had experimented with consonant vowel patterns
in password cracking? Perhaps others know this approach by a different
name? I believe the proper term is phonology (I may be wrong on that).
Here is an example pattern:

CVCCVC

That pattern is common and found in many words. Here are some words
based on it:

batman
badguy
bigboy
(catfig)ht
(barfig)ht
(Falcon)s
bullet
defcon
...

That is just one common pattern, there are many others. One thing I like
about these patterns is that they are cheap to compute and once
computed, you have all passwords that fit that pattern.

The C list is only consonants and the V list is only vowels. N is only
numbers while S is only special chars.

C = 30s-40s (drop chars that are seldom used z,x,j if you like)
V = aeiouAEIOU
N = 1234567890
S = 30s (less if you only want the commonly used chars)

So any variation of batmanNN would be cracked by CVCCVCNN and it only
takes 40 * 10 * 40 * 40 * 10 * 40 * 10 * 10 = 25,600,000,000:

BATMAN78
Batman01
bAtMaN00
...

This is the approach I took with 16Crack in the KoreLogic contest. And
again, I lost by *a large margin* as I was only averaging about 80
cracks per hour and in order to be competitive I would need to average
about 800 cracks per hour. Nonetheless, it was interesting to me to see
how this approach would fair against the more conventional approaches.

There may be a mode somewhere in JTR that does this or something
similar. I only wanted to share it with the list just in case others
find it useful for some sort of attack. Obviously, it does not stand on
its own and needs other approaches combined with it to be competitive
and may be a bad idea altogether compared to traditional approaches.

Any advice on the approach or thoughts of its general worthiness is
appreciated!

Brad

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.