Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 16 Apr 2012 17:46:16 -0500
From: "jfoug" <>
To: <>
Subject: RE: .chr files

I agree (somewhat).  There is a ton of chaff.

I am seeing a lot of:

md5(md5($p))       (dynamic_2)
md5(md5(md5($p)))  (dynamic_3) (not a whole lot, but some)
md5(sha1($p))      (dynamic_22)
md5(md5(sha1($p))) (no builtin type in john, and not sure how many of
md5(md5($p).$s)    (dynamic_6, VBulletin).  (the 3 byte salts)

Also, there is a LOT of 'random' 6, 7, 8 (and likely longer) text values
(johns inc:all). The reason I say 'random', is there is no visible pattern
behind them. Also, if you use john's .chr files, you will get a pretty even
find rate, all the way to the end, meaning that johns 'enhancement' do to
the incremental mode, nets very little, and a simple search like aaa aab aac
aad ... would have been just as quick.

In all, I have found about 500k of them to be dynamic_6.  That is ONLY
searching for the words from johns password.lst file.  Finding these when
the salt has not been provided is VERY slow, and pretty hard to do.  But I
would guess, there might be 10m to 50m of this type, alone. I am pretty sure
it was from harvesting the hashes which were posted for years into the
InsidePro forums.   I saw the same garbage type hashes there.  Yes the
hashes 'are' real, but are pretty much garbage, due to loss of salt.  Also,
those are the OLD hashes (the 3 byte salt).  The newer versions of the BBS,
have a 16 byte salt (or variable byte?)   There is NO way to crack those,
without having the salt provided.  And if there are this many of the very
old 3 byte form, then I would bet there are a high number of the longer salt
types also.

Just my observations.


>From: Stephen John Smoogen []
>On 16 April 2012 02:43, Simon Marechal <> wrote:
>> On 16/04/2012 00:01, Frank Dittrich wrote:
>>> So may be we might need some tests on real-life passwords.
>>> Either a large set of saltless hashes, or even a large list of
>>> cracked passwords from various hashes, converted for --format=dummy.
>> This :
>In going through this data.. I think there is a lot of chaff in the
>md5 passwords. It looked actually like someone had taken the KoreLogic
>dictionary set from the 2010 contests and md5sum'd it 1:1. While some of
>those are probably passwords.. other items (like the md5summing of all
>the facebook accounts) might introduce more noise than is useful.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.