Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 28 Oct 2018 14:15:56 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: brute force unknown chars

Hi,

Thank you for helping answer the question, Rich!

On Sun, Oct 28, 2018 at 08:43:52AM -0400, Rich Rumble wrote:
> On Sun, Oct 28, 2018 at 7:39 AM Powen Cheng <madtomic@...il.com> wrote:
> > Example: I know the password begins with "Password" but is 12 characters
> > long.
> > So, I would need to brute force the last 4 char using thecustom.chr that I
> > created.

> A custom.chr file might be faster, but depending on the hash type (fast or
> slow) you could bruteforce 4 remaining chars very quickly with a mask,

In cases like this, mask mode is typically the way to go.

> or even the external-mode "knownforce".

The KnownForce external mode pre-dates the introduction of mask mode and
is now pretty useless except as an example and a template for its
revisions like the DateTime mode.

> I'd do the following:
> ./john -format=nt hash.txt -session=mask -mask=Password?a?a?a?a
>  (Assumes your hash type is NTLM aka -format=nt)

Right.  Explicit specification of "--format" isn't always necessary -
JtR will generally auto-detect the hash type if it's of a specific
enough format.

> That will try all characters appended to the end of the word "Password", if
> the real password contains "?'s" escape them -mask=asdf\?lkjh?a?a?a?a
> https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/MASK

There are two kinds of escaping that might be required: for the shell
that JtR is invoked from, and for JtR itself.  In Rich's example, the
backslash may end up being eaten by the shell, leaving the question mark
unescaped when it reaches JtR.  I recommend putting the entire mask in
single quotes for the shell, and then using JtR mask's escapes inside
the mask as necessary.  For question marks, I recommend escaping them by
doubling (which is also the syntax that works for character classes in
wordlist rules), although a backslash also works (when not eaten by the
shell).  For example:

--mask='asdf??lkjh?a?a?a?a'

> If you have more than one thread/CPU you may consider using Fork as well
>  ./john -format=nt hash.txt -session=mask -mask=Password?a?a?a?a -fork=4
> That will spit the load out to 4 threads

Actually, 4 processes.

> just in case your hash type is not benefiting from OMP

Use of processes (with "--fork") generally results in higher cumulative
c/s rate than use of threads (with OpenMP) even for hash types that are
benefitting from OpenMP.

> https://openwall.info/wiki/john/parallelization

This wiki page is currently badly out of date.  I wouldn't refer to it.
(And we should probably update it.)

> I think you can use your charset by adding a new rule like this to john.conf
> [wordlist:append]
> :Az

I guess you meant something like:

Az"[a-z][a-z][a-z][a-z]"

>  and running a command like
> ./john -stdout -i=thecustom.chr | ./john -pipe -format=nt
> -session=custom-in -rules=append -w=word.txt hash.txt
> This will output your characters from your custom charset and pipe them
> into the next instance of john, and that instance is set to format NTLM,
> use the rule in john.conf, a wordlist containing the known part of the
> password, and then agains the hash you have in hash.txt.

This is erroneous (can't use both "-pipe" and "-w" at once - what would
this even mean if it were supported?) and overly complicated.

Instead of the above mix, something like this can be used:

./john --incremental=custom --mask='Password?w' hash.txt

It's that simple.  The ?w in the mask refers to whatever "word" comes
from another cracking mode, in this case incremental.  If the password
length is known, it can be specified as:

./john -inc=custom -mask='Password?w' -min-len=12 -max-len=12 hash.txt

In fact, for only 4 characters to find the default incremental mode
might work well enough, leaving us with:

./john -inc -mask='Password?w' -min-len=12 -max-len=12 hash.txt

> Check out some of the older questions on John's mailing list too

This is always a good suggestion.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.