Message-ID: <20200101190452.GA11079@openwall.com>
Date: Wed, 1 Jan 2020 20:04:52 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: [Prince mode] Generate passwords following some rules?

Hi,

On Sat, Dec 28, 2019 at 07:43:22PM +0100, john-user@...elsurfer.com wrote:
> I am trying to recover my own lost password that I am unable to remember.
> 
> But I hope I do remember the password's "structure" correctly. As far as I remember it could be something very easy: Some capitalized words concatenated followed by zero to four digits and an optional exclamation mark xor number sign (#).
> 
> If I had to express it as a regex it would be: ^((?:[A-Z]?[a-z]+)+)([0-9]{0,4})(!|#)?$
> 
> You could also abstract three groups:
> 
> 1. Concatenated capitalized words
> 2. Zero to four digits (may also follow some "format", e.g. date)
> 3. Zero or one special characters

You can use something like this:

./john --prince=words.txt --mask='?w?d?d?d?d[!#]' hash.txt

as well as variations of this command with shorter masks and without the
special characters.

> Now I have collected some guesses for group 1 (the "capital words" that need to get concatenated), group 2 (the digits) and obviously group 3 (the special characters).

It's tricky to encode all of this for use by JtR at once.  Maybe the
experimental regex mode will handle this, but I've never used that mode
myself - so I'll leave it to someone familiar with it to possibly
provide that answer.

What you can do is save the PRINCE mode words in a text file with:

./john --prince=words.txt --stdout > prince.txt

and then use prince.txt and text files with your group 2 and group 3
character sequences as input e.g. to a Perl script that would combine
the groups in their correct order.  Like this:

./mix.pl prince.txt group2.txt > step1.txt
./mix.pl step1.txt group3.txt > step2.txt

Then use step2.txt as a wordlist for JtR.

The script can be:

---
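#!/usr/bin/perl
# Print every line of the first wordlist followed by every line of the second.
use strict;
use warnings;

die "Usage: $0 WORDLIST-FILE-1 WORDLIST-FILE-2\n" if ($#ARGV != 1);

open(W1, '<', $ARGV[0]) || die "$ARGV[0]: $!\n";
open(W2, '<', $ARGV[1]) || die "$ARGV[1]: $!\n";

my (@w1, @w2);

# chomp strips only a trailing newline, so a last line without one stays intact
while (<W1>) {
	chomp;
	push @w1, $_;
}
close(W1);

while (<W2>) {
	chomp;
	push @w2, $_;
}
close(W2);

# Cross product: each entry of file 1 with each entry of file 2, in that order
foreach my $x (@w1) {
	foreach my $y (@w2) {
		print "$x$y\n";
	}
}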
---

> Unfortunately I was not able to tell Prince mode to follow some "design rules" for its concatenation procedure.

It can't do that.

> Additionally I don't think that generating a bunch of "invalid per design" passwords and filtering them afterwards via an external filter is the right decision concerning speed and my personal case (I don't want to get as many correct passwords as possible but only a single one).

If the full set of candidate passwords prior to filtering is of a
manageable size (e.g., up to a billion, but not much more), then
filtering it e.g. with grep wouldn't be that bad.  Something like:

./john --prince=words.txt --stdout | egrep '^(([A-Z]?[a-z]+)+)([0-9]{0,4})(!|#)?$' > filtered.txt

and then use filtered.txt as a wordlist (or you could pipe this into a
second instance of JtR with a different session name).

> Apart from the possibility of coding some script that generates appropriate candidate passwords and handing those over to JtR (btw: I think I have not correctly understood the difference between --stdin and --pipe: does JtR read in both cases from stdin but only allowing modifications to the input (rules / masks) by using --pipe?)

It's slightly trickier than that, but yes you need "--pipe" to be able
to apply "--rules" to the input stream.  Some other modifications work
with either option - e.g., masks and external mode filters (which can
modify words) work with "--stdin" as well.

> is there any chance to simply tell Prince mode which "design rules" it should follow, e.g. by providing some regex or the like.

No.

> If this is currently not possible, I think this would be a great feature. Wouldn't it?

I doubt it should be part of PRINCE mode.  It's more like a "combinator"
mode (I think hashcat calls it that), ideally being fed by multiple
other modes rather than only by multiple pre-generated wordlists.

Alexander
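
The group-by-group combination and the structure filter discussed above, as an added example that is not part of the original message and not JtR code: a Python script that joins word chains, digit guesses and special characters in that order, and reports the candidate count up front so it can be compared with the "up to a billion" guideline. The file arguments, function names and the max_chain limit are assumptions; word chains are enumerated plainly rather than in PRINCE's order, and each group file needs an empty line to cover the "no digits" or "no special character" case.

```python
#!/usr/bin/env python3
import itertools
import re
import sys

# The structure regex from the quoted message; Python's re supports (?:...).
STRUCTURE = re.compile(r'^((?:[A-Z]?[a-z]+)+)([0-9]{0,4})(!|#)?$')


def keyspace(n_words, max_chain, n_digits, n_specials):
    """Candidates before filtering: chains of 1..max_chain words x digits x specials."""
    chains = sum(n_words ** k for k in range(1, max_chain + 1))
    return chains * n_digits * n_specials


def candidates(words, digits, specials, max_chain=3):
    """Yield word chain + digits + special, streaming, without intermediate files."""
    for k in range(1, max_chain + 1):
        for chain in itertools.product(words, repeat=k):
            stem = ''.join(chain)
            for d in digits:
                for s in specials:
                    cand = stem + d + s
                    # Drop guesses that fall outside the remembered structure.
                    if STRUCTURE.match(cand):
                        yield cand


def read_lines(path):
    """Read one guess per line, keeping empty lines (they mean 'group absent')."""
    with open(path, encoding='utf-8') as f:
        return [line.rstrip('\r\n') for line in f]


if __name__ == '__main__':
    if len(sys.argv) != 4:
        sys.exit(f'Usage: {sys.argv[0]} GROUP1-WORDS GROUP2-DIGITS GROUP3-SPECIALS')
    words, digits, specials = (read_lines(p) for p in sys.argv[1:4])
    total = keyspace(len(words), 3, len(digits), len(specials))
    print(f'{total} candidates before filtering', file=sys.stderr)
    for cand in candidates(words, digits, specials):
        print(cand)
```

The output can be saved as a wordlist or piped into john with "--stdin", as described above for filtered.txt.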
