Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 9 Nov 2016 17:11:58 +0100
From: p+password@...atpro.net
To: john-users@...ts.openwall.com
Subject: Re: alter default rules or filter, best way to focus on proper candidates?

Thank you Jim,

If I understand correctly, this kind of exclusion let the rule create the candidate, and just drop it if it does not match the exclusion parameter.
If I take a look at lines +517 of john.conf (bleeding-jumbo at 20161106):

# Weird order, eh? Can't do anything about it, the order is based on the
# number of successful cracks...
<* d
r c
-c <* (?a d c
...

I could change rules #2 and #3 to remove capitalization:

r l
-c <* (?a d l

hence it would be far more efficient, but of course way more complicated, considering the amount of possibilities that can lead to upper case characters. And I'm pretty sure I can't do it properly.
The possibility to reject the word at rule level is still very interesting and I'm confident it's more efficient than --external filtering.

I would end with those rules:

!?u r c
-c !?u <* (?a d c

but those just don't work as I think they would. I've defined this config:

[List.Rules:exclude]
!?u r c
-c !?u <* (?a d c

[List.Rules:NO_exclude]
r c
-c <* (?a d c

[List.Rules:NO_cap]
r l
-c <* (?a d l

and made these tests:

$ ./john --wordlist=password.lst --rules=NO_exclude --stdout | egrep -c '[A-Z]'
Press 'q' or Ctrl-C to abort, almost any other key for status
6920p 0:00:00:00 100.00% (2016-11-09 16:45) 295253p/s Ssssss
6500

$ ./john --wordlist=password.lst --rules=exclude --stdout | egrep -c '[A-Z]'
Press 'q' or Ctrl-C to abort, almost any other key for status
6592p 0:00:00:00 100.00% (2016-11-09 16:46) 281258p/s Ssssss
6178

$ ./john --wordlist=password.lst --rules=NO_cap --stdout | egrep -c '[A-Z]'
Press 'q' or Ctrl-C to abort, almost any other key for status
6920p 0:00:00:00 100.00% (2016-11-09 16:45) 295253p/s ssssss
0

List.Rules:exclude (using !?u as rule prefix) fails at filtering upper case candidates. If I remove every candidate that includes an upper case character from --rules=NO_exclude and --rules=exclude outputs, then make a diff, I got those candidates for NO_exclude while they don't show in exclude output:

1071ccn
1lehcim
218uo
242tnorf
321cba
700dnob

they obviously should have been present in an output where only candidates with upper case char. are excluded (unless those are upper case digits.... :) )
I'm surely a newbie with rule syntax, but these results look really odd to me.

Using:

r c !?u 
-c <* (?a d c !?u

yields to very different results: 420p only, but not a single upper case character.

It looks List.Rules:NO_cap is the best choice, even if it creates about 290 duplicates.


On 9 nov. 2016, at 16:09, jfoug <jfoug@...nwall.net> wrote:

> What you need to do is look in the "Character class and similar commands" section of ./doc/RULES file.  Specifically the 'reject the word ...." rules.
> 
> !X    reject the word if it contains character X
> !?C    reject the word if it contains a character in class C
> /X    reject the word unless it contains character X
> /?C    reject the word unless it contains a character in class C
> =NX    reject the word unless character in position N is equal to X
> =N?C    reject the word unless character in position N is in class C
> (X    reject the word unless its first character is X
> (?C    reject the word unless its first character is in class C
> )X    reject the word unless its last character is X
> )?C    reject the word unless its last character is in class C
> %NX    reject the word unless it contains at least N instances of X
> %N?C    reject the word unless it contains at least N characters of class C
> U       reject the word unless it is valid UTF-8 (use with -u rule reject)
> 
> 
> So if you wanted to test every candidate that are lower case, then add this to your rule (put it as the VERY first thing in the rule)
> 
> !?L  rest_of_rule
> 
> If you want to exclude any with digits:
> 
> !?D  rest_of_rule
> 
> If you want words that END with a digit:
> =m?d  rest_of_rule
> 
> If you want words that END with a digit:
> =m?d  rest_of_rule
> 
> etc.   You can have more than one reject rule primitive added to a single rule.
> 
> NOTE, this may make things appear to slow down (in fast formats). This is because the rejections do not get counted in the crack stats in any way, but they take time. They do however take a whole lot less time than even fast formats, thus the wordlist+rules gets completed much faster than it would have without the reject, even though the ending speed appears to be slower.
> 
> Hope that helps some.  Jim.
> 
> On 11/9/2016 7:50 AM, p+password@...atpro.net wrote:
>> Hello,
>> 
>> I would like to use mangling rules with --wordlist or --loopback in a way they produce a reduced set of candidates, like "every candidates that are lowercase", "every candidates that have no digits", etc.
>> 
>> What would be the best way to use (jumbo's) wordlist rules that come with John but without any of them that creates candidates featuring upper case characters (or lower case, or digits…). I guess I could use a john process to create candidates then filter out those that don't match my criteria, but on fast hash I'm not sure it's interesting.
>> I'm currently trying to modify every single rule that can produce upper case characters, but it's a lost battle: so many different rules, so many possibilities, and in the end work has to be re-done when I want to get rid of candidates including digits or whatever other type of character.
>> 
>> I've made a few test with/without --external :
>> 
> 

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.