Date: Fri, 31 Aug 2018 18:47:05 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: partially forgotten kdbx pw / help recover partially known pw

Hi,

I'm sorry no one commented on this sooner. Please see inline:

On Mon, Aug 27, 2018 at 04:38:27PM +0300, Александр Наумов wrote:
> The first part is known to me, it's like ABC12 (3 capital letters and 2 numbers). I know this part.
> Then there is one or two quite simple words like 'work', 'home', 'best', 'now' etc. No numbers are placed here, no capital letters.
> The max length of the whole password is between 10 and 20 characters.
> Generally it looks like ABC12bestwork OR ABC12worknow etc.
> I generated the hash for the kdbx file

Great. You can obtain a common English words list e.g. from one of these URLs:

https://www.ef.edu/english-resources/english-vocabulary/top-100-words/
https://www.ef.edu/english-resources/english-vocabulary/top-1000-words/
https://www.ef.edu/english-resources/english-vocabulary/top-3000-words/
https://github.com/first20hours/google-10000-english/blob/master/google-10000-english.txt

You'll need to copy-paste just the list of words to a text file, or in the case of the GitHub URL you can click on "Raw".

You can also use lower.gz from:

http://download.openwall.net/pub/wordlists/languages/English/1-tiny/

If so, "gzip -d" it first. But it's probably unnecessarily long, and isn't as focused on the top words as the above lists are.

Then you can use a combination of PRINCE and mask modes like this:

./john --prince=top-1000-words.txt --prince-elem-cnt-min=2 --prince-elem-cnt-max=2 --mask='ABC12?w' --min-length=10 --max-length=20 hashfile

This may produce a handful of duplicates, which you can filter out if you like (makes sense if each guess takes a long time to test):

./john --prince=top-1000-words.txt --prince-elem-cnt-min=2 --prince-elem-cnt-max=2 --mask='ABC12?w' --min-length=10 --max-length=20 --stdout | ./unique to-test.txt
./john -w=to-test.txt hashfile

where "unique" is a symlink or program located in JtR's run directory.

Alternatively, the old-fashioned way to do it (prior to us getting PRINCE, kindly contributed by atom of Hashcat) was to use Perl scripts such as those I attached here, e.g.:

./double.pl top-1000-words.txt > top1000x2.txt

Similarly to the above, you can optionally filter out the few duplicates that might appear in the combined list with:

rm top1000x2.txt
./double.pl top-1000-words.txt | ./unique top1000x2.txt

Then use JtR e.g. like this:

./john -w=top1000x2.txt --mask='ABC12?w' hashfile

With the mix.pl script, you can use two different input lists e.g. if you know that one of the words is more common than the other. The scripts also let you specify a word separator easily (e.g., there's a commented-out line for separating the two words with a space).

> and wanted to try this:
> john --session=01 --mask=ABC12\u\u\u\u\u\u\u\u\u\u\ hashfile
> and then create several (10) sessions for each.
> The mask command didn't work for me

This mask is wrong, and even if you corrected it e.g. to:

./john --mask='ABC12?l' --min-length=10 --max-length=20 hashfile

it'd take far too long to complete unless your password's length happens to be close to the minimum. Feel free to give this a try while you're preparing the wordlist, though - you might get lucky. There's no need to run a session per length - the mask automatically expands to higher lengths as specified by the options.

Just to provide yet another option (more efficient than mask mode alone, but less efficient than a focused wordlist), you can combine incremental and mask modes:

./john --incremental=lower --mask='ABC12?w' --min-length=10 --max-length=20 hashfile

Unlike mask mode alone, this will consider character triplet frequencies, but unlike the wordlist it won't focus on whole words.

If you're unsure the minimum length is 10, just omit "--min-length=10" in all of these commands. This is probably a good idea since testing of shorter passwords is relatively quick anyway.

I hope this helps.

Alexander

View attachment "double.pl" of type "text/plain" (139 bytes)
View attachment "mix.pl" of type "text/plain" (348 bytes)
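The candidate generation described in the message (two-word combinations behind the known ABC12 prefix, length bounds, and the "unique" dedup step), as an added Python illustration that is not part of the original post or of the JtR project. The word list is a constructed stand-in for top-1000-words.txt, and the pair of words "wor" and "know" is included deliberately so that one duplicate guess ("worknow" from "work"+"now" and from "wor"+"know") appears and gets filtered, which is the kind of duplicate the message says PRINCE and double.pl can produce.

```python
"""Reproduce `double.pl | unique` plus the --mask='ABC12?w' prefix and
--min-length/--max-length filtering as plain Python, to show what the
JtR pipeline in the message actually feeds to the cracker."""
from itertools import product
from typing import Iterable, Iterator, List

# Constructed sample word list (stand-in for the top-1000 list). "wor" and
# "know" are included so that one duplicate candidate arises.
SAMPLE_WORDS = ["work", "home", "best", "now", "wor", "know"]


def double(words: Iterable[str], sep: str = "") -> Iterator[str]:
    """Every ordered two-word concatenation, like double.pl (a word may
    repeat, so 'worknow' and 'nowwork' are both produced)."""
    for w1, w2 in product(list(words), repeat=2):
        yield f"{w1}{sep}{w2}"


def apply_mask(prefix: str, words: Iterable[str],
               min_length: int, max_length: int) -> Iterator[str]:
    """Emulate --mask='<prefix>?w' with --min-length/--max-length: the
    length bounds apply to the whole candidate, not just the word part."""
    for w in words:
        candidate = prefix + w
        if min_length <= len(candidate) <= max_length:
            yield candidate


def unique(candidates: Iterable[str]) -> Iterator[str]:
    """First-seen-wins dedup, the role of JtR's `unique` in the pipeline."""
    seen = set()
    for c in candidates:
        if c not in seen:
            seen.add(c)
            yield c


def build_candidates(words: Iterable[str] = SAMPLE_WORDS, prefix: str = "ABC12",
                     min_length: int = 10, max_length: int = 20,
                     sep: str = "") -> List[str]:
    """Final to-test list: prefix + word1 + word2, length-bounded, deduped."""
    return list(unique(apply_mask(prefix, double(words, sep), min_length, max_length)))


def count_duplicates(words: Iterable[str], prefix: str = "ABC12",
                     min_length: int = 10, max_length: int = 20) -> int:
    """How many guesses the dedup step saves for a given word list."""
    raw = list(apply_mask(prefix, double(words), min_length, max_length))
    return len(raw) - len(set(raw))


if __name__ == "__main__":
    for cand in build_candidates():
        print(cand)
```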