Date: Tue, 2 Mar 2021 16:20:56 +0100
From: Marek Wrzosek <>
Subject: Re: Implementing mixed mask attack

There is more than one way to skin a cat in JtR. I don't know if
policies are better or not in your case. I thought it would be easier
with regex mode to define just one regular expression that will
generate all passwords the 16 masks would, but I've found out it's
harder to build rexgen these days than it was before. I don't think the
current rexgen will work with JtR now; you would need the correct
version of rexgen and its requirements. I wouldn't say it is a
dependency hell, but more like a dependency purgatory. So, never mind.

According to:

"To define an external cracking mode you need to create a configuration
file section called [List.External:MODE], where MODE is any name that
you assign to the mode. The section should contain some functions
programmed in a C-like language. John will compile and use the functions
if you enable this cracking mode via the command line."

If I were you, I would copy the [List.External:Policy] section with
a modified name (e.g. [List.External:MyPolicy]) to your john-local.conf
(or john.local.conf) because otherwise you won't be able to pull a newer
version from git. Modify the required functions and run john with option
--external=MyPolicy (I don't know if the name of external mode is case

But I haven't done anything like this yet.

On 02.03.2021 at 13:45, Michał Majchrowicz wrote:
> If policies are not for that, then what do you use them for? I have
> seen some "C-like" code in john.conf for filtering but couldn't find
> any info on how it is used. Do you implement it as part of your own
> tool? As part of john? Is it automagically compiled at runtime? :D
> Regards.
> On Tue, Mar 2, 2021 at 12:06 PM Marek Wrzosek <> wrote:
>> Hi,
>> I think that regex mode would be more appropriate for this job. I don't know if this mode is still in JtR; it required some additional library and wasn't enabled by default. Also, there were some issues with session restoring when it was in use.
>> Best regards,
>> Marek
>> On 2 March 2021 11:28:16 CET, "Michał Majchrowicz" <> wrote:
>>> Hello.
>>> I would like to ask about the possibility of making an attack with a mask
>>> based on some password patterns. I have described the idea here:
>>> solardiz for such approach Policy might be useful. So I would like to
>>> repeat my question on how can this be utilised? Can I create my own
>>> policy to filter only "good" pw candidates in mask mode?
>>> Regards.
>> --
>> Marek Wrzosek
>> -- Sent with K-9 Mail.
