Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 10 Dec 2019 20:22:03 +0200
From: Greg Burne <gburne@....co.za>
To: John <john-users@...ts.openwall.com>
Subject: Re: Finding Password to Spareseimage

Hello Alexander,

Thank you for your prompt reply, much appreciated.

I have a very good idea of what characters are in which place. I may be out of luck, but I would still like to give it a go. 

The exact special characters used are known, and the exact uppercase and lowercase letters used are known including their position in the password, it is just the length that would really vary, and based on the length would determine the number of special characters used, but the actual password potion I would be able to hit bang on.

I know the passwords, baring the exact number of special characters and length. Other than that I know what to work with.

From a time wise point of view, I have a separate machine I could setup for this purpose and just leave running if need be.

From a specifics point of view, should I share the details of the password and structure? I would have stop using them then. 
First prize would be if I could keep the passwords secret.

What are your thoughts, where to from here?

Greg

> On 10 Dec 2019, at 19:24, Solar Designer <solar@...nwall.com> wrote:
> 
> Hello Greg,
> 
> On Tue, Dec 10, 2019 at 05:58:10PM +0200, Greg Burne wrote:
>> I have two sparseimage files which I would like to find the passwords to. 
>> 
>> I have a very good idea on the structure of the password, special characters used, letters in upper and lower case and numbers, but just can't workout the password I set. The password is also somewhere between 8 and 16 characters.
>> 
>> I have run dmg2john and have the hashes and I'm able to run 'john file.txt'
> 
> "Somewhere between 8 and 16 characters" suggests you probably also don't
> have a sufficiently good idea of what characters are in what places.
> Reading this, my current expectation is that you're out of luck cracking
> those passwords, unfortunately - but maybe you do recall more?
> 
>> I tried using crunch to create a wordlist,
> 
> There's no need to use Crunch along with JtR, because JtR is even more
> capable of generating a stream of candidate passwords on its own.  But:
> 
>> but it wants to create a file over a PB!
> 
> File size isn't the worst problem here.  The real problem is this
> expected file size suggests you also wouldn't realistically test all of
> those passwords in reasonable time, because attacks on sparsebundles run
> slowly.  You need to focus the attack far more in order to arrive at a
> set of candidate passwords that you could actually have JtR test.
> 
>> I'm working on a MacBook Air running Kali in VirtualBox.
> 
> OK.  Given a sufficiently focused attack, this can work.
> 
>> I'm not sure on if I should be creating a wordlist, or going about it in another way.
> 
> This depends on specifics of what you recall about the password.  If you
> don't mind sharing more specifics with the list, we can probably suggest
> specific JtR commands for you to use.
> 
> For example, you might recall a portion of the password and that certain
> characters are of certain types.  If so, you'd use JtR's mask mode.
> 
> Alternatively, you might feel you almost recall the password, and have
> already tried entering a few passwords that you thought could work but
> did not.  If so, you can put those few passwords in a wordlist file and
> use JtR's wordlist rules to have it test passwords that have short edit
> distance from those (perhaps 1 or 2 edited characters).
> 
> I hope this helps.
> 
> Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.