Date: Sat, 5 May 2018 16:43:17 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: failed to break my own created password

On Sat, May 05, 2018 at 01:55:45PM +0000, Royce Williams wrote:
> If you suspect a typo, a variety of typos can also be simulated. Here's a
> crude example of how to generate some rules for mis-key (rather than
> transposition) typos:
>
> https://gist.github.com/roycewilliams/9d8e98587cff105b2e05a9f0e8de8371

To do something different but similar (overstrikes and inserts) with JtR,
put the supposed password in a wordlist file and use --rules=oi. This
ruleset is already included in recent bleeding-jumbo, but in case of using
an older version here it is:

[List.Rules:oi]
o[0-9A-Z][ -~]
i[0-9A-Z][ -~]
o[0-9A-E][ -~] Q M o[0-9A-E][ -~] Q
i[0-9A-E][ -~] i[0-9A-E][ -~]

This does one overstrike/insert up to length 36 and two up to length 14.
With a fast hash like Eric's, this is very quick.

If leetization might have been applied to the original password, then it
may also be passed through --external=Leet or the masks previously posted
in here may be used prior to applying the rules above (with a separate
invocation of JtR).

On Fri, May 04, 2018 at 10:12:21PM -0700, Eric Oyen wrote:
> unbreakable without considerably greater resources than I have here.

Based on what you tell, this is primarily about adjusting the attacks you
run and to a lesser extent about the resources you have.

> To that end, I am now considering a cluster approach using NFS as the primary filesystem and having a number of nodes all running JTR and all taking and putting data into the right files (this way, the load can be split).

Bad idea, unless you'd do it for fun. With just one hash to crack on just
a few systems, it'll be easier for you to run different attacks or use the
--node option on those nodes manually. And no need for shared storage.
You'll take the one cracked password from whatever system cracks it.
> the man page is woefully under documented/incomplete.

Like I said, there's no official man page. There's only Debian's. Just
don't use it - use our documentation under doc/ instead - but then it's
probably too detailed.

> I will see if I can acquire a number of older machines

Bad idea, unless you'd do it for fun. A factor of 10 or so difference in
speed is very unlikely to result in your password getting cracked. In
terms of improving your chances, your time is better spent on adjusting
the attacks you run. Also, if you do want to buy extra hardware anyway,
buy some recent GPUs rather than some old machines. And perhaps you
already have some GPUs you could use, as well.

> (something in the range of 8 to 10 years old as they are dirt cheap)

They're also slow and not worth your time, unless you'd do it for fun.

Alexander
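
The candidate space covered by the oi ruleset quoted above, as an added example that is not part of the original message and is not JtR code: a simplified Python model of the o (overstrike) and i (insert) rules over the [ -~] class. The function names and sample words are constructed for illustration, and duplicates are collapsed, so the counts are of distinct candidates rather than of rule applications.

```python
# Simplified model of the "oi" ruleset (illustration only, not JtR code).
CHARSET = [chr(c) for c in range(0x20, 0x7F)]  # rule class [ -~]: 95 printable ASCII


def overstrikes(word, npos):
    """Model of oNX: replace the character at position N (N < npos) with X."""
    return {word[:n] + x + word[n + 1:]
            for n in range(min(len(word), npos))
            for x in CHARSET if x != word[n]}      # keep only changed words


def inserts(word, npos):
    """Model of iNX: insert X at position N (N < npos); N == len(word) appends."""
    return {word[:n] + x + word[n:]
            for n in range(min(len(word) + 1, npos))
            for x in CHARSET}


def oi_candidates(word):
    """Return (one_edit, two_edit) sets of distinct candidates for one word."""
    one = overstrikes(word, 36) | inserts(word, 36)   # [0-9A-Z]: positions 0..35
    two = set()
    for w in overstrikes(word, 15):                   # [0-9A-E]: positions 0..14
        two |= overstrikes(w, 15)
    for w in inserts(word, 15):
        two |= inserts(w, 15)
    two -= one            # drop words already reachable with a single edit
    two.discard(word)     # drop the unmodified word itself
    return one, two


def covering_pass(supposed, actual):
    """Report whether the model reaches `actual` from `supposed`, and how."""
    one, two = oi_candidates(supposed)
    if actual in one:
        return "one edit"
    if actual in two:
        return "two edits"
    return None


if __name__ == "__main__":
    supposed = "correct8"                             # constructed sample word
    one, two = oi_candidates(supposed)
    print(f"{supposed!r}: {len(one)} one-edit, {len(two)} two-edit candidates")
    for typed in ("corrext8", "corrrect8", "corretc8", "c0rrect8!"):
        print(f"  {typed!r}: {covering_pass(supposed, typed)}")
```

For an 8-character word the model gives well under a million distinct candidates in total, which is why the run is quick against a fast hash; note that a mixed overstrike-plus-insert typo is not covered, because the two-edit rules only pair o with o and i with i.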