Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 2 Sep 2012 16:19:57 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: m3g9tr0n rules

Hi,

In the recent blog post, m3g9tr0n has also included paste2.org links for
two JtR rulesets.  I've just tested them and uploaded them to:

http://openwall.info/wiki/john/rules

On this wiki page, it's "m3g9tr0n's rules set 1 and set 2 as referenced
in the "Cracking Story - How I Cracked Over 122 Million SHA1 and MD5
Hashed Passwords" blog post".

In my testing, these were not very effective if run after other rulesets
and attacks.  Specifically, I ran both of them against
cmiyc_2012_password_hash_files/hashes-7.nt.txt from the recent contest,
after having our contest-time-cracked hashes:passwords already in
john.pot.  I used our cracked password list (from the contest), our
base words list (also from the contest), and all.lst as wordlists.
After a few minutes on FX-8120 (all cores in use), I only got one more
password cracked:

$NT$46d150cd35244fc21cec74ec2863edaa:Interl_aken

Then these test runs terminated.  So while not very effective rulesets
at least for the fake passwords of the contest, they did point out that
we somehow missed an "insert any character anywhere" rule.  That's
weird, since we were doing things like that even in the 2010 contest
(albeit mostly on previously-cracked passwords rather than on wordlists).

Adding these rules:

>[1-9A-Z] i\0[ -~]
o[0-9A-Z][ -~] Q

and running the same wordlists against hashes-7.nt.txt cracked these
additional passwords:

$NT$3cf3bb6b06e02499a04faffbe3136f7a:Ipnterlaken
$NT$137c00fe752a5004b2766a863a84970b:ex=austed
$NT$a1d63379e35a20687abc27e4e4ca9d7b:Int0erlaken
$NT$8898911a7cecb5e058533d8163bca95d:Interla?ken
$NT$607e66c11e9d2cb21f3604118ca73b9a:InterYlaken
$NT$9cf4aa9432a2d596d516ac3d086c6be7:kikugalanet10121101
$NT$16402a57a3be2c23a5f16978ce5e010a:w,velengths
$NT$137c00fe752a5004b2766a863a84970b:ex=austed
$NT$bc33119cb00d39e6d3492533ba019cfe:do#trines
$NT$f70a13a236691a2d766d666fe6da4fee:c mplement
$NT$a2f044d625ed5369d353bca29e8e061c:dFscending
$NT$c0f29e97ee4ebd2524083771248431e3:with"rew
$NT$1f84c73f3c93a91ab88e4138f63d3c18:visitatiVn
$NT$abfe9fea1a6de97074872778bbf98045:videot'ping
$NT$1c34c8774b3c07503aafadd76299ccc9:domestic=te
$NT$b6c36431b5625d215b7f0bf5ca9d9508:contradictiQns

Yes, we also partially missed the 8-digit variation of the kikugalanet
pattern during the contest - this is something Aleksey Cherepanov
already found shortly after the contest.

The ">[1-9A-Z]" range and length check assumes that prepending and
appending an arbitrary character is tested with separate rules.

I think we need to add these two ruleset lines (or similar) to standard
config, perhaps to Extra, although there's some overlap with:

# Insert/overstrike some characters...
!?A >[1-6] l i\0[a-z]
!?A l o0[a-z]
!?A >[1-7] l o\0[a-z]

which we need to deal with.  Also, the standard Single ruleset only does
arbitrary character prepends/appends along with lowercase or capitalize,
but not to the input words verbatim (possibly mixed-case) - this may be
something to correct, too, although it'd be tricky to avoid producing
duplicates.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.