Date: Fri, 07 Sep 2012 19:12:48 +0000
From: kevin.p.young@...il.com
To: Richard Miles <richard.k.miles@...glemail.com>, kevin.p.young@...il.com
Cc: john-users@...ts.openwall.com, Ron <ron@...llsecurity.net>, 
	kzug <kzug10@...il.com>
Subject: Re: Re: Passphrase Creation

Hello everyone...answers follow below...

On , Richard Miles <richard.k.miles@...glemail.com> wrote:
> Hi Kevin, John-users and Ron,

> I'm a bit late to answer on this thread, sorry about that.

> I'm copying Ron from SkullSecurity because he has an amazing job in my
> opinion and he maintains an awesome web-site with a great wordlist
> collection (http://www.skullsecurity.org/wiki/index.php/Passwords). And I
> hope he may help or maybe include this kind of pass-phrase list in a
> next update.


When I first started cracking passwords the words from SkullSecurity were  
some of the first ones I used.


> Kevin, based on your description it's very clear to me that creating robust
> pass-phrase lists is a LOT of work and requires a good amount of disk and
> even processing / creation and customization of scripts and tools. It would
> be very nice if we could re-use most of your things instead of beginning from
> zero. Are you considering releasing your tools, scripts and pass-phrase
> lists?


Some of the tools I used were Linux BASH shell scripts, others were custom  
written applications. Even now, I'm still modifying them as they continue  
to evolve. For instance, the HashCat splitlen.exe is great for breaking  
large wordlists up into smaller pieces -- but it truncates everything at 16  
characters. JTR, on the other hand, takes longer phrases; a quick check of  
LinkedIn shows hundreds are over 18 characters.

> I noted that you worked with lower case for all pass-phrase lists. I know
> some real pass-phrase passwords, which I learned from different people
> doing pen-tests, that use the first letter of the word in upper case, such as:

> It
> It Was
> It Was a
> It Was A Dark
> It Was A Dark And

> Also, I think that in all the cases that I saw (real admins in different
> companies) no spaces were used. Well, to tell the truth, just one time; I
> remember it very clearly because it caught my attention.


Agreed, but rather than take up disk space I let mangling rules solve the
uppercase problem. You're right again...between Matt and I we have over 80%
of LinkedIn cracked and only a very small percentage have used the space
character.


> I don't know the quality, but I found a pass-phrase based on wikiquotes:

> https://sites.google.com/site/reusablesec/Home/custom-wordlists


I hadn't heard about this source, I'll have to check it out. I have mined  
public domain book sites for thousands of titles, the US Library of  
Congress, several thesaurus sites (with a usable API), congressional  
records, news sites, and sites with common cliches. There are still a lot  
of things on my checklist as well.


> If there is no publicly available pass-phrase list, are there users
> interested in building it? If there are a good number of active users
> interested in building it, I'm available to help.

> Kzug gave a good idea in my opinion, which is to use TextWrangler and
> AppleScript against books / web-sites with famous quotes. However, scanning
> a web-site and properly parsing it is a pain, especially because of the
> very different formats, structures and links. This will require a BIG
> amount of work in my opinion.

> Someone else also pointed out diceware, but I'm unsure how practical such
> pass-phrases would be.

Haven't heard of this utility. I'll have to check that out as well.

> I also was reading a blog about how to use twitter queries for common
> phrases to list other potential pass-phrases. It was just an idea in a
> comment, so, I don't think if it's practical.



Yes, Josh came upon the Twitter idea one day when we were talking it over  
at work. It works well for words that are trending at the moment because it  
gives us related words. For those who haven't seen it you can find it here:  
http://7habitsofhighlyeffectivehackers.blogspot.com/2012/05/using-twitter-to-build-password.html

The only hook is that, generally speaking, unless it's a common word, most  
likely it was only recently used as a password. As such, it isn't in some  
of the older dumps that happened last year (Stratfor, militarysingles,  
LinkedIn, EHarmony, etc.) We have used it as a feeder once we start  
cracking words. This often launches us into new directions and ideas.

> Thanks.

> On Fri, Aug 17, 2012 at 11:04 AM, Kevin Young <kevin.p.young@...il.com> wrote:

> Hello everyone,

> First off, thanks to Matt, Solar Designer, and the other John-users for
> inviting me to participate in the CMIYC contest. I learned a lot and had a
> great time.

> I've been using passphrases for several months now and have seen some
> chatter on the subject so I thought I'd chip in. Most of my phrase creation
> is contained in a bash shell script. But I'm sure there's someone out there
> with a much better tool, method, or way to do this.



> Step 1. Find a good source of words
> As mentioned in other posts, the Gutenberg project is a good source. I've
> also tried mining the Library of Congress, and a few others.

> Step 2. Store and organize
> Storage proved an early challenge as I underestimated the space
> requirements. The 15,000 raw (unprocessed) books I currently have fill a
> 300GB drive. It doesn't sound like much, but things grow quickly. An SSD
> helps as disk I/O becomes a bottleneck.

> Step 3. Download your material
> I use a simple wget loop here. Don't saturate the bandwidth of your source
> or you'll get booted.

> Step 4. Scrub raw input
> Strip special characters and punctuation. Convert to lowercase and remove
> excess space characters (sed and awk). Convert between file formats if
> necessary (dos2unix, unix2dos, or unix2mac). Using these commands I create
> a single long "sentence".



> Before:
> It was a dark and stormy night. All the animals were asleep.
> Somewhere overhead a flash of lightning illuminated the canyon walls
> followed by the thunder's rumble.

> After:
> it was a dark and stormy night all the animals were asleep somewhere
> overhead a flash of lightning illuminated the canyon walls followed by the
> thunders rumble



> Step 5. Phrase length and create phrases
> I've tried phrase lengths from 3-10 words. Using the above example, a
> 5-word length, and custom app (arrays and recursion are your friend here)
> phrase creation begins:

> it
> it was
> it was a
> it was a dark
> it was a dark and
> was
> was a
> was a dark
> was a dark and
> was a dark and stormy
> a
> a dark
> a dark and
> a dark and stormy
> a dark and stormy night
> dark
> dark and
> dark and stormy
> dark and stormy night
> dark and stormy night all
> and
> and stormy
> and stormy night
> and stormy night all
> and stormy night all the



> I also create a no-space version at the same time. (Is there a mangling
> rule that can handle this?)

> itwas
> itwasa
> itwasadark
> itwasadarkand
> wasa
> wasadark
> wasadarkand
> wasadarkandstormy



> Step 6. Optimize and reduce
> As expected there are a lot of duplicates so my script performs a dictionary
> sort and filters out the duplicates (sort and uniq). I also filter out
> (grep) things like open source verbiage, distribution notices, credits, etc.

> Step 7. You're done
> I typically get 1-5 million phrases per book. It isn't optimal but the
> combinations are vast. (See sample phrases submitted for CMIYC 2012.) I've
> plucked thousands of similar phrases from LinkedIn and Stratfor -- some
> were as long as 28 characters. = : )

> So there it is...I'm sure there are better ways to do this and I clearly
> have a lot to learn. (Perhaps mangling rules can solve many of the above
> mentioned hurdles?) I still have a LOT of things to do to improve the
> process but I'll save those tricks for CMIYC 2013 ;)



> Thanks go to Matt Weir for his willingness to share a password dialog. I
> also throw a shout to @joshdustin (
> http://7habitsofhighlyeffectivehackers.blogspot.com/ ) for his insight,
> assistance, and suggestions -- the guy is a linux wizard, white-hat genius,
> and great friend.

> If anyone has suggestions for improvement or questions look me up.

> Best of luck,

> -Kevin-





> CMIYC 2012 sample:
> ----------------------
> He pondered a moment
> rummaged in his pack
> She was ashamed to
> shorter space of time
> to look at some
> treatment of the slaves
> I must be aware
> you and your master
> back of his head
> panel in the wall
> to his aid
> more capable of giving
> fathers shall eat
> establishment of so many
> have been here before
> There are a few
> upperhand
> a thousand years ago
> then he was thinking
> shall they utter
> Iamsorry1
> been able to find
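
Added example, not part of the original message and not any poster's own tooling: steps 4 to 6 of the quoted procedure written as an audit check that reports whether a proposed passphrase is a contiguous run of words from a known text. The function names, the default 5-word limit and the ASCII-only scrub are assumptions; the sample text is the "Before" passage from step 4.

```python
import re

# Sample input: the "Before" text quoted in step 4 of the message.
SAMPLE = ("It was a dark and stormy night. All the animals were asleep.\n"
          "Somewhere overhead a flash of lightning illuminated the canyon walls\n"
          "followed by the thunder's rumble.")


def scrub(text):
    """Step 4: lowercase, strip punctuation, collapse whitespace into one 'sentence'.

    Assumption: only ASCII letters and digits are kept.
    """
    text = re.sub(r"[^a-z0-9\s]", "", text.lower())
    return " ".join(text.split())


def phrases(words, max_len=5):
    """Step 5: every run of 1..max_len consecutive words, spaced and no-space.

    A set is returned, which also covers step 6 (sort + uniq de-duplication).
    """
    out = set()
    for start in range(len(words)):
        for n in range(1, max_len + 1):
            chunk = words[start:start + n]
            if len(chunk) < n:      # ran off the end of the text
                break
            out.add(" ".join(chunk))
            out.add("".join(chunk))
    return out


def derivable(passphrase, corpus_text, max_len=5):
    """Audit check: True if the passphrase, ignoring case and punctuation,
    is a run of at most max_len consecutive words from corpus_text."""
    candidate = scrub(passphrase)
    return candidate in phrases(scrub(corpus_text).split(), max_len)


if __name__ == "__main__":
    for guess in ("It Was A Dark And", "ItWasADark", "correct horse battery"):
        print(f"{guess!r}: derivable={derivable(guess, SAMPLE)}")
```

Capitalised and no-space variants are both flagged, which matches the thread's point that mangling rules cover case while the no-space form is generated alongside the spaced one.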





