Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 25 May 2020 20:37:23 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: questions regarding incremental mode

On Mon, May 25, 2020 at 02:42:39PM +0200, Johny Krekan wrote:
> Hello I would like to ask what parameters to use in John to generate 
> passwords for attack which resemble words.
> I want the number of generated passwords is for example 5% of total 
> passwords combinations for example 26^6*0.05.

Like you say below, you can achieve this by interrupting incremental
mode when it reaches 5% of progress.

> This method is used by following products:
> http://lastbit.com/psw2.asp
> also
> http://lastbit.com/msohelp/prm.htm
> https://support.passware.com/hc/en-us/articles/115002145927-What-Password-Recovery-Attacks-can-I-use-#Xieve

All of these look like worsened alternatives to incremental mode,
requiring the user to decide on how much to search in advance.  JtR's
Markov mode also has this drawback, compared to incremental mode.  While
you actually ask for just that, I don't recommend it.

> My goal is that I want to try something like incremental attack but I 
> want to specify other parameters to
> prevent this attack from testing all 26^6.
> Because standard incremental when I select for example minlen and 
> maxlen=5 it will test all 26^5, but I want
> to test only fragment of this and then automaticaly terminate it.
> Which parameter should I use?

Normally, you'd just manually terminate the session when it reaches 5%.
I guess you'd want it to terminate automatically only in some special
cases, such as if you run JtR from a script and intend to start another
attack right after this one terminates, or if you're running simulations
for research purposes.  In other cases, there's hardly a good reason to
terminate the session at 5% when you're not around to make any other use
of the computer and could as well let it run slightly further.

So to automatically terminate the session you can use "--max-candidates"
or "--max-run-time".  Unfortunately, there's no way to specify a
percentage, but you can use a calculator like "bc" to calculate the full
keyspace and then take your desired percentage from it, e.g.:

$ echo 26^6*0.05 | bc
15445788.80

and then you specify "--max-candidates=15445789".  This also lets you
"--restore" a session like this and have it search another 5% -
something I guess those other tools/methods you referenced would be
incapable of.

Another approach would be reduced CharCount in the corresponding
john.conf section.  This isn't literally the number of different
characters, but is the number of different character indices, where the
actual characters vary by length, position, and 2 preceding characters.
So if you set "CharCount = 25" in a revision of "[Incremental:Lower]",
you'll almost certainly have all 26 characters tested somewhere in the
passwords anyway, but will have the least likely combinations skipped.
To limit a length 6 run to roughly 5% of the full keyspace, you'd set
"CharCount = 16", as seen with:

$ echo 'scale=5; 16^6/26^6' | bc
.05431

This is generally worse than early termination of an otherwise
unrestricted incremental mode run, in two ways: (1) it'd skip some
combinations that JtR finds reasonably likely to test within the first
5% of running time (e.g., indices 0 for all but one character, yet index
16 for the remaining character) and (2) you won't be able to change your
mind and continue cracking without incurring duplicate work.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.