Date: Sat, 2 Jan 2010 07:17:57 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Rule AN"STR"

On Fri, Jan 01, 2010 at 02:42:53PM -0500, Charles Weir wrote:
> :[lc] A[0-12],[ a-z!@...%^&*\-=_+.?|)(:'"],
> 
> The problem is the A[0-12]. The rule preprocessor essentially treats
> this as A[0-1] + A[2], since the '-' only works with one character
> values. So that's the problem you are having. Normally you could use
> A-Z to specify the numbers 10-35, but playing around with it, when I
> tried to use A[0-C], I received the error: "Invalid position code".

That's because the preprocessor works with ASCII codes.  It does not
know anything about character position codes (and it is not specific to
those).  For a range specified as [0-C], it will generate many rules
with characters with ASCII codes from that of '0' to that of 'C' in that
character position.  Some of those characters won't be valid position
codes (and not what you want anyway), resulting in the error message.

> I tried to assign a numerical variable, using the vVNM command but still
> received the same error when I ran the command using A[0-a].

That's because the preprocessor is just that.  It is invoked per config
file line prior to any other parsing, and its output is a set of rules.
The numeric variables, on the other hand, exist during actual processing
of the rules with specific input words.  The "v" command assigns a value
to such a numeric variable separately for each rule and for each input
word.  There's no way such a variable could affect the number of rules
the preprocessor would generate for a given config file line.  In fact,
there's currently no way to have a non-constant number of rules, except
that some rules could be rejected or effectively turned into no-ops (or
worse - into duplicates - but you should avoid that when you can) under
some conditions.

> Ok, so here is the kludge. There's almost certainly a more elegant way
> to do this.
> 
> :[lc] A[0-9A-C],[ a-z!@...%^&*\-=_+.?|)(:'"],

Actually, [0-9A-C] is the correct way to do it.  That's what I do in
such cases.  For example, the default john.conf included with JtR 1.7.4
contains:

# Toggle case...
-c <+ )?u l Tm
-c T0 Q M c Q l Q u Q C Q X0z0 'l
-c T[1-9A-E] Q M l Tm Q C Q u Q l Q c Q X0z0 'l
-c l Q T[1-9A-E] Q M T\0 Q l Tm Q C Q u Q X0z0 'l
-c >2 <G %2?a [lu] T0 M T2 T4 T6 T8 TA TC TE Q M l Tm Q X0z0 'l
-c >2 /?l /?u t Q M c Q C Q l Tm Q X0z0 'l
# Deleting chars...
>[2-8] D\p[1-7]
>[8-9A-E] D\1
-c /?u >[2-8] D\p[1-7] l
-c /?u >[8-9A-E] D\1 l
=1?a \[ M c Q
-c (?a >[1-9A-E] D\1 c

Notice how length checks, back-references, and parallel ranges are
used to avoid producing duplicate candidate passwords in case the
character position being dealt with is beyond the end of the input word.
In some other cases, the "Q" command (memory query) is used for a
similar purpose.

john.conf as updated in 1.7.4 could be an interesting read if you're
into the rules.  You might also want to check out the CVS log and diffs
of the individual commits:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/john/john/run/john.conf

I have in fact spent extra time to commit different kinds of changes
separately, documenting them in the commit messages quite well.

> Using this, the rule-preprocessor was able to sort it out and insert
> everything between 0-12, with the [0-9] handling the first 0-9 spots,
> and the [A-C] handling the 10-12 positions.

Right.

> I hope this helps, and once again, the above only works with John the
> Ripper 1.7.4

Yes, but the newly-introduced "A" command is being misused here.  The
same could be written in a form understood by older versions of JtR:

: [lc] i[0-9A-C][ a-z!@...%^&*\-=_+.?|)(:'"]

We use the "i" command here (insert a character) instead of "A" (insert
a string).  There's no point in using "A" when we know we're only
inserting one character.

To avoid producing duplicates with short input words or/and with
length-limited or case-insensitive hashes, use:

-[:c] \p1[lc] ^[ a-z!@...%^&*\-=_+.?|)(:'"]
-[:c] >[0-9A-B] \p1[lc] M i\p2[1-9A-C][ a-z!@...%^&*\-=_+.?|)(:'"] Q

Now this actually requires 1.7.4+.

Alexander
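
Added example, not part of the original message and not JtR's own code: a simplified Python model of the bracket expansion discussed above, showing why [0-12] yields only three positions, why [0-C] produces invalid position codes, and why [0-9A-C] is correct. The function names and the [ab] character class are made up for illustration; \p, \0-\9 and \r are not modelled, and only the numeric position codes 0-9 and A-Z are treated as valid.

```python
from itertools import product

# Numeric position codes as described in the thread: 0-9, then A-Z for 10-35.
NUMERIC_POSITIONS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def expand_class(body):
    """Expand the inside of [...] purely by ASCII code, one character at a time."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):        # escaped literal, e.g. \-
            i += 1
            out.append(body[i])
        elif c == "-" and out and i + 1 < len(body):
            i += 1                                  # range: previous char .. next char
            start, end = ord(out[-1]) + 1, ord(body[i]) + 1
            out.extend(chr(k) for k in range(start, end))
        else:
            out.append(c)
        i += 1
    return out

def expand_line(line):
    """Turn one config line into the list of rules it stands for."""
    parts, i = [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):   # escaped char outside brackets
            parts.append([line[i + 1]])
            i += 2
        elif line[i] == "[":
            j = i + 1
            while j < len(line) and line[j] != "]":
                j += 2 if line[j] == "\\" else 1
            parts.append(expand_class(line[i + 1:j]))
            i = j + 1
        else:
            parts.append([line[i]])
            i += 1
    return ["".join(p) for p in product(*parts)]

def bad_positions(line):
    """For a line of the form i<pos><char>, list generated <pos> values that are not 0-9/A-Z."""
    return sorted({r[1] for r in expand_line(line) if r[1] not in NUMERIC_POSITIONS})

if __name__ == "__main__":
    for line in ("i[0-12][ab]", "i[0-C][ab]", "i[0-9A-C][ab]"):   # constructed sample lines
        rules = expand_line(line)
        print(f"{line:16} -> {len(rules):2} rules, bad positions: {bad_positions(line)}")
```
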
