Date: Wed, 3 Mar 2021 12:35:19 +0100
From: Solar Designer <>
Subject: Re: Implementing mixed mask attack

On Tue, Mar 02, 2021 at 10:53:40PM +0100, Michał Majchrowicz wrote:
> For now I tried both all and jumbo rules on a 133MB (version of)
> rockyou.txt.


> Problem with "my masks" is that I don't know which one I should
> use :) For now I only know remaining pws are NOT in ?l?d
> keyspace of 8 char descrypt. I also tried single uppercase letter.
> What remains is that either there are pws with more uppercase letters,
> special chars or possibly some are even not ascii. I just noticed two
> patterns in pws that I found (myself or other people). On IoT devices
> pws have some common "schema" like part of company name and some
> "random junk" or they are (what looks to be) completely random. I
> assume also if those devices DO have telnet (enabled by default or via
> some cmd) that those pws are in fact ascii.

So there are two approaches here:

1. Manually identify portions of keyspace to test next, keep track of
what you've already tested, exclude that from further runs.  Rinse and
repeat.  Tricky, can be a lot of effort, easy to get wrong or suboptimal
(miss a portion of keyspace, or have something tested multiple times),
generally also not optimal order of candidate passwords tested (thus,
lower successful guess rate).  This sounds pretty bad, but the advantage
is that you can then know and describe which portions you've completed -
and not in terms of implementation specifics, but in simple terms (list
the specific patterns).

2. Let JtR's incremental mode take care of all of this.  Easy in terms
of getting the attack running and having it test candidate passwords in
an optimized order.  No need for any manual adjustments, restarts, etc.
Just let it run for any duration you like, interrupt at any time.  You
can then continue, interrupt again, continue again - all of this easily
(as long as you preserve the .chr and .rec files).  However, a drawback
is that you cannot describe which portions you've completed other than
in terms of those implementation-specific files.

There's also a mixed approach:

3. Use incremental mode, but do separate runs for low lengths (or a
range in one run), so that you'd know you've searched those to
completion.  Let your main never-ending incremental mode run switch
lengths as it deems optimal, but only among higher lengths that you
can't search exhaustively e.g. in the first day.  This is slightly less
optimal in terms of expected successful guess rate (but not as bad as
masks), and it does let you describe some of what you've completed.

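The staged layout of approach 3, written out as a POSIX shell wrapper around john. This is an added example, not code from the post, its author, or the JtR project. It assumes a jumbo build of john on PATH (--min-length and --max-length are jumbo options; with core john you would instead define per-length [Incremental:...] sections in john.conf), a hash file path as the first argument, and it picks its own session names (inc-lenN, inc-main) and length cut-offs (1..6 exhausted one length per run, 7..8 left to incremental mode's own ordering, since descrypt ignores characters past the 8th). DRY_RUN=1 prints the command lines instead of running them.

```shell
#!/bin/sh
# Staged incremental-mode attack for 8-character descrypt hashes (approach 3 in
# the post).  Added example; not the post's, Solar's, or JtR's own code.
# Assumptions: jumbo john on PATH (--min-length/--max-length are jumbo-only),
# hash file given as $1, session names and length cut-offs chosen here.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

JOHN="${JOHN:-john}"          # assumed binary name
FORMAT="${FORMAT:-descrypt}"
SHORT_MAX=6                   # lengths 1..SHORT_MAX: one run per length, run to completion
LONG_MIN=7                    # lengths LONG_MIN..LONG_MAX: one open-ended run
LONG_MAX=8                    # descrypt ignores characters past the 8th

# One incremental-mode run over a length range under its own session name.
# While it runs, NAME.rec (in the working directory for a bare name) records
# how far it got; on normal completion john removes the .rec and NAME.log ends
# with "Session completed", which is the proof that the range is exhausted for
# the character set of the .chr file in use.
run_stage() {   # min_len max_len session_name hash_file
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s --format=%s --incremental --min-length=%s --max-length=%s --session=%s %s\n' \
            "$JOHN" "$FORMAT" "$1" "$2" "$3" "$4"
    else
        "$JOHN" --format="$FORMAT" --incremental \
            --min-length="$1" --max-length="$2" --session="$3" "$4"
    fi
}

# Stage 1: short lengths, one run each, so each can later be described as done.
short_stages() {   # hash_file
    len=1
    while [ "$len" -le "$SHORT_MAX" ]; do
        run_stage "$len" "$len" "inc-len$len" "$1"
        len=$((len + 1))
    done
}

# Stage 2: the never-ending run.  Incremental mode switches between lengths
# LONG_MIN..LONG_MAX as it sees fit.  Interrupt with Ctrl-C at any time; to
# continue, use  john --restore=inc-main  (re-running the original command
# under the same session name would start over and overwrite inc-main.rec).
long_stage() {   # hash_file
    run_stage "$LONG_MIN" "$LONG_MAX" "inc-main" "$1"
}

# Where one stage stands: in progress (.rec present), completed (logged), or
# not started.  Keep the .rec and .log files, and the .chr they refer to.
stage_state() {   # session_name
    if [ -f "$1.rec" ]; then
        "$JOHN" --status="$1"
    elif [ -f "$1.log" ] && grep -q 'Session completed' "$1.log"; then
        echo "$1: completed"
    else
        echo "$1: not started"
    fi
}

report() {
    len=1
    while [ "$len" -le "$SHORT_MAX" ]; do
        stage_state "inc-len$len"
        len=$((len + 1))
    done
    stage_state inc-main
}

# Usage: sh staged.sh hashes.txt   (DRY_RUN=1 sh staged.sh hashes.txt to preview)
if [ "$#" -ge 1 ]; then
    short_stages "$1"
    long_stage "$1"
fi
```

All stages share john.pot, so each later run skips hashes cracked earlier. The per-length stages are what you can describe to others in plain terms ("lengths 1 through 6, ASCII charset, completed"); the inc-main stage can only be described by its .rec file, which is exactly the trade-off the post describes for approaches 2 and 3.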