Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <BLU0-SMTP115CAD6AF8B9CEE09C20CD5FD900@phx.gbl>
Date: Sun, 1 Jan 2012 10:06:47 +0100
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-users@...ts.openwall.com
Subject: Re: John as a wordlist creator

On 12/31/2011 03:12 PM, Alex Sicamiotis wrote:
> I downloaded some extra rules that I merged in john.conf, and while they increased the cracking efficiency,
>
> a) they were very time consuming (it's to be expected)
> b) they had significant overlap due to mangled worlds appearing the same
>
> for example
>
> guesses: 2  time: 0:00:21:43 7%  c/s: 7991K  trying: Alex2194 - Alekshs2
> guesses: 2  time: 0:00:22:48 7%  c/s: 8006K  trying: Giannis2 - Giannhs2
> guesses: 2  time: 0:00:23:17 7%  c/s: 8008K  trying: Alex2521 - Alekshs2
>
> Alekshs2 appeared a few hundred times, and that means it has been tried a few million times :P


This is caused by the hash type being limited to password length 8, and 
the rules you used were not taking this into account.

I guess the rules appended 4 digits (possibly after capitalizing the word).

So, from the input word "giannis" or "Giannis" , the password candidate 
"Giannis2194" has been created. But later on, john did cut the password 
candidate to length 8.

Unfortunately, you didn't mention the rules you used.

To convert "Giannis" into "Giannis2194", the rule could have been

$2$1$9$4
or
Az"2194"
or
Azx2194x
or something similar like
<-$2$1$9$4

To avoid generating passwords that exceed the maximum password length 
for you4 hash type, you could change the rule to

$2$1$9$4<+
or
Az"2194"<+

Then, the password candidate generated from the  input "Giannis"would 
have been skipped, because the resulting password would be too long.

Possibly, your rule(s) appended all possible 4-digit combinations, like 
this:

$[120-9]$[0-9]$[0-9]$[0-9]
or
Az"[120-9][0-9][0-9][0-9]"

In this case, appending "<+" would be less effective, because john would 
generate 10000 password candidates, and reject all of them.

In this case, adjusting the rules to

<-Az"[120-9][0-9]<-Az"[0-9][0-9]"

or something similar would be better.
This rule (or, rather, these 10000 rules) reject(s) input words unless 
their length is shorter than (max. length - 1), then 2 digits are 
appended, then the result is rejected if unless the length is shorter 
than (max. length - 1), then 2 more digits are appended.

If you know you want to use these rules only for hash types with 
password length 8, you could even use

<5Az"[120-9][0-9][0-9][0-9]"

Of course, skipping rules when the resulting password candidate would 
have been too long usually only makes sense when you tried rules 
appending shorter sequences of digits first.

So, with more sophisticated rules you can reduce the risk of producing 
duplicate password candidates.
(You can not avoid duplicates, because this also depends on your input 
word list. IF you have a rule which replaces all vowels with '*', 
different input words can be converted into the same password candidate.)

Regards,
Frank

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.