Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Nov 2012 16:52:21 -0600
From: Richard Miles <>
Subject: Re: How does incremental mode works?

Hi Simon,

Thanks for answer, very appreciated as always.

On Mon, Nov 19, 2012 at 12:14 PM, Simon Marechal <> wrote:

> On 11/19/2012 04:59 PM, Richard Miles wrote:
> >> > In most cases, you don't know how the passwords you want to crack will
> >> > look like.
> >> > In this case, the rockyou list probably is a safe bet.
> >> > Please note that it might not be if password policy enforces passwords
> >> > which are way more complicated than the average rockyou password.
> >> >
> > And what do you recommend as a dictionary to generate a stats file for
> > companies using password policy enforcement?
> This will usually not work too well. This is not a silver bullet ...
> You need a different model in order to account for this kind of
> passwords. Mangling rules are probably more effective here ...
> These days I do not have a good source of "real corporate passwords", I
> only work on the public leaks, so I really can't answer this ...

I understand. If you don't mind I would like to ask more two questions
about Markov.

1) Suppose that:

- I tested 55 NTLM hashes with Markov using dict1.txt and it recovered 5
passwords with level 220.

- I tested 55 NTLM hashes with Markov using dict2.txt and it recovered 4
passwords with level 220.

When merging this files (such as cat dict1.txt dict2.txt |sort -u >
dict-final.txt) and generating a new stats file not all 9 passwords are
identified under the same level 220. Is it expected?

If it's expected I believe that there is no special trick in merging dict
files for Markov, the best approach should be run multiple sessions with
different stats files, right? Or am I doing something wrong?

2) Suppose that I will generate a dictionary following my password policy
enforcement, for example:

- All passwords must be at least 6 chars long.
- At least 1 number.
- At least one capital letter.

And I will use this dictionary to generate a stats file and I also define
that under Markov configuration no passwords with 6 chars should be
generated / tested.

My question is, all candidates generated by Markov on this conditions will
always contains at least 1 number and 1 capital letter?


Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.