Date: Sat, 21 Sep 2019 13:19:36 +0200
From: Solar Designer <>
Subject: Re: Rules for Known Password Structure

On Fri, Sep 20, 2019 at 08:54:37PM +0000, Dave Coleman wrote:
> I have the following known passwords:
> ss15-vyp1wh1k1qeh82sm20-4d44qfek1zjnvsm26-hp3iibat127n6sm27-n6fqycthh3mcd

A password like this is way too long to crack even if you target its
specific pattern.  You're out of luck cracking anything like this unless
you have additional information or there's a vulnerability in the
password generator program, which you'd then need to have someone
research and exploit for you.

> I would like to create a rule for these known passwords to find an unknown password, but don't know where to start.
> I saw a prior post with these commands:
> 	const std::string one 	= "Ll";
> 	const std::string two 	= "o0";
> 	const std::string three	= all;
> 	const std::string four 	= all;
> 	const std::string five	= "-_";
> 	const std::string six	= all;
> 	const std::string seven	= all;
> 	const std::string eight	= "nN";
> However, I'm not sure where to edit/insert/create this text, or if this is even proper syntax.
> Can someone point me in the right direction?

What you found isn't a syntax you should use.  Please disregard that
"prior post" you found, it would merely continue to confuse you.

If you had a chance of cracking that password (which you almost
certainly don't), then you'd use "mask mode" for this, and the syntax
would be something like:

> My thoughts for this rule:
> - 18 characters total
> - lowercase s for the first character
> - lowercase s or m for the second character
> - numeric characters for characters 4 and 5
> - a '-' for character 5
> - lowercase letters and numbers for the remaining characters

./john -2='?d?l' --mask='s[sm]?d?d-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2?2-?2?2?2?2?2?2?2?2?2?2?2?2?2' hash.txt

You do not need to edit john.conf, nor any other file.

But your chances of actually cracking a password with this are
practically non-existent, so there's no point even trying.
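
An added example, not part of the original message and not John the Ripper code: a keyspace estimator for a simplified subset of the mask syntax used above (literals, `[...]` sets with ranges, `?l`/`?u`/`?d`, and custom `?1`..`?9` definitions as passed with `-2=`). The function names and the `MASK_18` sample are assumptions made for illustration.

```python
import math
import string

# Built-in placeholders modelled here; this is a subset of what mask mode accepts.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits}

def expand(spec, custom):
    """Expand a charset spec such as '?d?l', 'sm' or 'a-f' into a set of characters."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key in BUILTIN:
                chars.update(BUILTIN[key])
            elif key in custom:
                chars.update(custom[key])
            else:
                raise ValueError(f"unsupported placeholder ?{key}")
            i += 2
        elif i + 2 < len(spec) and spec[i + 1] == "-":
            chars.update(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.add(spec[i])
            i += 1
    return chars

def position_sizes(mask, custom_specs=None):
    """Number of candidate characters at each position of the mask."""
    custom = {k: expand(v, {}) for k, v in (custom_specs or {}).items()}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "[":
            end = mask.index("]", i)
            sizes.append(len(expand(mask[i + 1:end], custom)))
            i = end + 1
        elif mask[i] == "?" and i + 1 < len(mask):
            sizes.append(len(expand(mask[i:i + 2], custom)))
            i += 2
        else:
            sizes.append(1)  # literal character
            i += 1
    return sizes

def keyspace(mask, custom_specs=None):
    return math.prod(position_sizes(mask, custom_specs))

# Constructed sample: the 18-character structure described in the question.
MASK_18 = "s[sm]?d?d-" + "?2" * 13
```

`keyspace(MASK_18, {"2": "?d?l"})` is 2 * 100 * 36**13, roughly 3.4e22 candidates, and every additional `?2` position multiplies that by 36.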

