Date: Mon, 19 Nov 2012 16:52:21 -0600
From: Richard Miles <richard.k.miles@...glemail.com>
To: john-users@...ts.openwall.com
Subject: Re: How does incremental mode works?

Hi Simon,

Thanks for the answer, very appreciated as always.

On Mon, Nov 19, 2012 at 12:14 PM, Simon Marechal <simon@...quise.net> wrote:

> On 11/19/2012 04:59 PM, Richard Miles wrote:
> >> > In most cases, you don't know how the passwords you want to crack will
> >> > look like.
> >> > In this case, the rockyou list probably is a safe bet.
> >> > Please note that it might not be if password policy enforces passwords
> >> > which are way more complicated than the average rockyou password.
> >> >
> > And what do you recommend as a dictionary to generate a stats file for
> > companies using password policy enforcement?
>
> This will usually not work too well. This is not a silver bullet ...
>
> You need a different model in order to account for this kind of
> passwords. Mangling rules are probably more effective here ...
>
> These days I do not have a good source of "real corporate passwords", I
> only work on the public leaks, so I really can't answer this ...
>

I understand. If you don't mind, I would like to ask two more questions
about Markov.

1) Suppose that:

- I tested 55 NTLM hashes with Markov using dict1.txt and it recovered 5
passwords with level 220.
- I tested 55 NTLM hashes with Markov using dict2.txt and it recovered 4
passwords with level 220.

When merging these files (such as cat dict1.txt dict2.txt |sort -u >
dict-final.txt) and generating a new stats file, not all 9 passwords are
identified under the same level 220. Is it expected?

If it's expected, I believe that there is no special trick in merging dict
files for Markov; the best approach should be to run multiple sessions with
different stats files, right? Or am I doing something wrong?

2) Suppose that I will generate a dictionary following my password policy
enforcement, for example:

- All passwords must be at least 6 chars long.
- At least 1 number.
- At least one capital letter.

And I will use this dictionary to generate a stats file, and I also define
that under Markov configuration no passwords with 6 chars should be
generated / tested.

My question is, will all candidates generated by Markov under these
conditions always contain at least 1 number and 1 capital letter?

Thanks.
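
The two situations asked about above can be reproduced with a simplified first-order Markov model. This is an added example, not part of the original message and not John the Ripper's code. The wordlists, the function names and the cost formula (rounded -10 ln p per character, summed into a level) are assumptions of this sketch.

```python
import math
from collections import Counter, defaultdict

# Constructed sample wordlists; every entry satisfies the policy in question 2.
DICT1 = ["Winter1", "Winner9"]
DICT2 = ["Spring22", "Sprite05"]

def _cost(count, total):
    # Assumed cost scale for this sketch: the rarer the event, the higher the cost.
    return round(-10 * math.log(count / total))

def train(words):
    """Build first-order stats: a cost per first character and per transition."""
    first, trans = Counter(), defaultdict(Counter)
    for w in words:
        first[w[0]] += 1
        for a, b in zip(w, w[1:]):
            trans[a][b] += 1
    n = sum(first.values())
    f = {c: _cost(k, n) for c, k in first.items()}
    t = {a: {b: _cost(k, sum(row.values())) for b, k in row.items()}
         for a, row in trans.items()}
    return f, t

def level(stats, word):
    """Summed cost of `word`, or None if the stats never saw one of its steps."""
    f, t = stats
    steps = [f.get(word[0])] + [t.get(a, {}).get(b) for a, b in zip(word, word[1:])]
    return None if None in steps else sum(steps)

def candidates(stats, max_level, length):
    """Every string of exactly `length` characters costing at most `max_level`."""
    f, t = stats
    def walk(prefix, spent):
        if len(prefix) == length:
            return [prefix]
        return [w for c, k in t.get(prefix[-1], {}).items()
                if spent + k <= max_level for w in walk(prefix + c, spent + k)]
    return [w for c, k in f.items() if k <= max_level for w in walk(c, k)]

def compliant(word):
    """Policy from question 2: at least 6 chars, one digit, one capital letter."""
    return len(word) >= 6 and any(map(str.isdigit, word)) and any(map(str.isupper, word))

if __name__ == "__main__":
    s1, merged = train(DICT1), train(DICT1 + DICT2)
    print(level(s1, "Winter1"), level(merged, "Winter1"))       # 18 42
    print({w: compliant(w) for w in candidates(s1, 22, 7)})     # Winnter -> False
```

In this toy model, merging the lists spreads probability over more first characters and transitions, so a word that fit within a level under one list's stats needs a higher level under the merged stats. Because the stats only record character-to-character transitions, a candidate such as "Winnter" can cost less than a training word while containing no digit.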