Date: Tue, 11 Sep 2012 13:28:19 -0400
From: Matt Weir <cweir@...edu>
To: john-users@...ts.openwall.com
Subject: Re: Re: Passphrase Creation

So I figured I'd outline a couple of passphrase cracking strategies
along with some rambling thoughts:

Name: Dumbforce
Description: Like a bruteforce attack but instead of bruteforcing
letters, use words instead. For example, using the diceware dictionary
and trying all possible 3/4 letter combinations.
Target PW creation strategy: Very short passphrases and "random"
passphrases along the lines of "correct horse battery staple"
Comments: Nice for shorter passphrases, but as you can imagine has
serious scaling issues when you get beyond a couple words. When
designing it you may have other mangling rules applied as well. For
example spaces/no spaces, capitalization, adding punctuation/numbers
at the beginning/end, etc.
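An added example, not code from the post: a small calculator for the size of the dumbforce search space described above, so the "serious scaling issues" can be put in numbers when judging a passphrase policy. The Diceware list size is the real 6^5 figure; the mangling option counts (two separator choices, two case forms per word, eleven suffix choices) are assumptions chosen for illustration.

```python
# Added example: estimate how many guesses a word-level brute force ("dumbforce")
# needs, and how each mangling option multiplies that keyspace.
# Assumed values: DICEWARE_WORDS is the standard list size; the mangling
# multipliers passed in __main__ are illustrative, not measured.
from math import log2

DICEWARE_WORDS = 7776  # size of the standard Diceware list (6 ** 5)


def dumbforce_keyspace(dict_size: int, min_words: int, max_words: int) -> int:
    """Number of phrases with min_words..max_words words drawn, with
    repetition, from a dictionary of dict_size entries (no mangling)."""
    if dict_size < 1 or min_words < 1 or max_words < min_words:
        raise ValueError("dict_size and min_words must be >= 1, max_words >= min_words")
    return sum(dict_size ** n for n in range(min_words, max_words + 1))


def mangling_multiplier(n_words: int, separators: int = 1,
                        capitalizations: int = 1, suffix_choices: int = 1) -> int:
    """Extra variants per base phrase when mangling rules are layered on:
    each of the n_words-1 gaps gets one of `separators` choices (e.g. space
    or nothing), each word one of `capitalizations` case forms, and the
    phrase one of `suffix_choices` trailing strings (counting 'none')."""
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    return (separators ** (n_words - 1)) * (capitalizations ** n_words) * suffix_choices


def guesses_with_mangling(dict_size: int, n_words: int, **mangling) -> int:
    """Total candidates for exactly n_words words plus the given mangling."""
    return dict_size ** n_words * mangling_multiplier(n_words, **mangling)


def bits(count: int) -> float:
    """Search space expressed as equivalent bits of entropy."""
    return log2(count)


if __name__ == "__main__":
    # Illustrative mangling: spaces/no spaces, Capitalized/lowercase,
    # and ten single-digit suffixes plus 'no suffix'.
    for n in (2, 3, 4, 5):
        base = dumbforce_keyspace(DICEWARE_WORDS, n, n)
        mangled = guesses_with_mangling(DICEWARE_WORDS, n, separators=2,
                                        capitalizations=2, suffix_choices=11)
        print(f"{n} words: {base:.3e} guesses ({bits(base):.1f} bits); "
              f"with mangling {mangled:.3e} ({bits(mangled):.1f} bits)")
```

The point for a defender is the ratio: mangling adds a fixed handful of bits per word, whereas every additional dictionary word adds about 12.9 bits at the Diceware list size, which is why the attack stops being practical after a few words regardless of rules.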

Name: Mad Libs
Description: Remember those Mad Libs books where you had to fill in
blanks, such as "Proper-noun verbs a noun", and you'd end up with
sentences such as "Bob calls a kangaroo"? That basically describes
this attack, where you have a sentence structure and fill each part in
using a special dictionary. This closely resembles "Mask" attacks in
Hashcat (you can do the same thing in JtR but the Hashcat term seems
to be the most popular), but instead of characters you are using
words.
Target PW creation strategy: Shorter passphrases and phrases that tend
to follow a set pattern. The best example would be "AliceLovesBob"
passwords where you have "propernounLovespropernoun".
Comments: I've seen enough variations of the AliceLovesBob passwords
that I think this has the potential to be an effective attack. Using
skullsecurity's facebook name dictionary and a couple of "loves"
structures I have cracked passwords in the past. I'm fairly confident
that other common structures could be identified as well. To help out
with more advanced structures (where verbs, nouns, etc. are used), I
created a scraper for Wiktionary that can create dictionaries based
on the word category (noun, verb, etc.). Like all my other scrapers,
there's a lot of room for improvement, but hey at least it's a start.
I thought I had that online but apparently not, so I'll post a link to
that later.
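An added example, not code from the post or from any of the tools mentioned in it: the "propernounLovespropernoun" structure viewed from the other side, as a check a password-strength filter could run to reject passwords that fit a known Mad Libs structure. The name, verb and noun dictionaries are tiny constructed stand-ins for the real word lists, and the structure table is an assumption for illustration.

```python
# Added example: detect passwords that fit a known "Mad Libs" structure such
# as name + "loves" + name, the way a password policy check might reject them.
# All dictionaries and structures below are constructed samples, not real lists.
import re
from typing import Dict, List, Optional, Sequence, Set

NAMES: Set[str] = {"alice", "bob", "carol", "dave", "jane"}   # constructed
LOVE_WORDS: Set[str] = {"loves", "luvs", "hearts"}            # constructed
NOUNS: Set[str] = {"kangaroo", "pizza", "coffee", "cats"}     # constructed

# A structure is an ordered list of slot names; each slot draws from one dictionary.
STRUCTURES: Dict[str, List[str]] = {
    "name-loves-name": ["name", "love", "name"],
    "name-loves-noun": ["name", "love", "noun"],
}
SLOT_DICTS: Dict[str, Set[str]] = {"name": NAMES, "love": LOVE_WORDS, "noun": NOUNS}


def strip_decoration(pw: str) -> str:
    """Lowercase, drop separators between words, and drop trailing digits or
    punctuation so 'Alice_Loves_Bob1!' and 'aliceLOVESbob' compare the same."""
    core = re.sub(r"[\s_\-.]", "", pw.lower())
    core = re.sub(r"[\d!@#$%^&*]+$", "", core)
    return core


def fill_slots(text: str, slots: Sequence[str], pos: int = 0) -> Optional[List[str]]:
    """Try to consume `text` from `pos` with one dictionary word per slot.
    Returns the words used if the whole string is consumed exactly, else None."""
    if not slots:
        return [] if pos == len(text) else None
    for word in SLOT_DICTS[slots[0]]:
        if text.startswith(word, pos):
            rest = fill_slots(text, slots[1:], pos + len(word))
            if rest is not None:
                return [word] + rest
    return None


def matching_structure(pw: str) -> Optional[str]:
    """Name of the first structure the password fits, or None if it fits none."""
    core = strip_decoration(pw)
    for name, slots in STRUCTURES.items():
        if fill_slots(core, slots) is not None:
            return name
    return None


if __name__ == "__main__":
    for candidate in ("AliceLovesBob", "Alice_luvs_pizza99!", "correcthorsebattery"):
        print(f"{candidate!r}: {matching_structure(candidate)}")
```

The decomposition is a backtracking match over slots rather than a regular expression, so adding a structure means adding one list entry, and the same code generalises to longer patterns (e.g. name + verb + article + noun) once per-category dictionaries like the Wiktionary scrape exist.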

Name: Dark and stormy night (name based on Kevin's example)
Description: Scrape passphrase sources (Twitter, books, Facebook
posts, etc.) and create guesses with different start/end positions in
the sentence. For example, "was a dark and stormy", "a dark and
stormy", "dark and stormy night"...
Target PW creation strategy: Passphrases based on famous or popular quotes.
Comments: I did this using Moby Dick as my input (since hey, if you
are going to do an English language based test you gotta use Moby
Dick...) and the number of possible phrases was ginormous. That being
said, Kevin's certainly had success with this. My gut feeling is that
creating phrases with different start/stop locations is essentially a
brute force solution to a scraping/data mining problem. There's
probably a lot of logic we could build that would make how we
extract/use these phrases much more intelligent. Aka a passphrase might
be unlikely to start with 'was', so don't bother with possible phrases
starting with it.

Name: Context Free Grammars
Description: It doesn't have to be a CFG, but a PCFG would be the type
of grammar I'd try starting out. In a nutshell, use a grammar to
generate possible sentences much like we use Markov probabilities in
incremental mode.
Target PW creation strategy: Passphrases that aren't based on famous
quotes, don't follow a popular "mad libs" structure, and are too long
to use dumbforce against.
Comments: This is more of a Hail Mary attack of last resort. You very
quickly get into an "infinite number of monkeys on an infinite number
of keyboards" type of search space, but at least using a PCFG you can
search it somewhat intelligently. If you really want to get fancy and
have a prior corpus of written or spoken work from the target you
could even train your grammar based on it to generate passphrases
tailored specifically for that target. BTW whenever I talk about this
approach now I feel like the following XKCD comic ;p
http://xkcd.com/1090/

I'll leave all the passphrase mangling rules (such as one=1,
to/too/two=2, not=!) for another post (or for someone else more
competent to cover). Once again though, I'd like to state that I still
don't have a very good idea of how people actually create passphrases.
I need to spend more time coming up with training sets from the
existing pw corpuses.

Matt
