Date: Sun, 20 Oct 2013 16:26:06 -0400
From: Vincent Bédard-Tremblay <vn@...talgeek.net>
To: john-users@...ts.openwall.com
Subject: vn's hashrunner 2013 writeup

I'm not a member of this list, but thought I could publish it there.

http://www.hackfest.ca/en/2013/vn-writeup-hashrunner-2013

If possible, could I get any replies on this topic?  Don't want to be
crunched under another deluge of another list of mails :)

---------------------------------

Password cracking - correlation of words in various languages to build
wordlists [hashrunner 2013 writeup]

I initially wanted to be fully involved in hashrunner, but being in the last
week of a job, finishing migrations and the preparation of a local CTF, I
got overwhelmed and only put like 2-3 hours into it.

I did put at first a Radeon 7970, and an i7-920 at work for uncracked md4
hashes when I could, on many rulesets and wordlists, regular, huge,
compilations and that did crack some hashes.

However, I’ve mostly been involved in wordlist pattern research,
translation of cracked words and wordlist creation based on these.  Not the
first time I did that, as demonstrated in a local security event talk seen
here <http://www.hackfest.ca/2013/hackerspace-slides-et-screencast-du-28-janvier-2013-why-ntlm-sucks>.

First, I’ve been tasked to find something similar to Umlungu, which is a
slang word borrowed from the Zulu language to racially refer to white people.
However, as I learnt from a recent African trip, there are so many Bantu
languages and they’re very similar... could be Swahili, Swati, Xhosa or
others.  Did a small search on the word and derived words,
apartheid-related, in various southern African languages, based on Google
searches, Wikipedia, some African contacts and my recent African learnings.
I came up with a 40-50 word list, and gave it to someone to process it with
mangling rules, case toggling, masks, generic combination and hybrid
attacks without luck.

Later, someone cracked 2 more passwords based on the words Andriamanitra &
Makaako; I wondered what language these words could be.  I could see right
on the spot that one was in the Malagasy language and the other one was more
obscure but after some googling, narrowed it to Tagalog/Cebuano (both
Filipino languages) and both were god-related.  Did a Google search with
both terms and got only... 3 results and one of
them <https://www.google.ca/search?q=andriamanitra+makaako&aq=f&oq=andriamanitra+makaako&aqs=chrome.0.57.25774&sourceid=chrome&ie=UTF-8> had
a complete list of god-related names and words in so many exotic
languages.  sftp came to the conclusion that keccak was mostly based on
exotic words; not surprising, knowing keccak is kinda exotic by itself.
More cracks came, like “Tabaldak”-based passwords, which is an Abenaki
deity, Ulunguve, …

That contest taught me how to think better in order to discover more cracks
in contests.  However, that doesn’t necessarily apply to real passwords
lists, unless they are huge and you need more contexts to crack into.

Also, weeks later, I learnt we could use Google Docs to “script”
translation of various words in formulas such as stated in this
link <http://edutraining.googleapps.com/Training-Home/module-4-docs/chapter-4/4-6>.
A very interesting, yet approximate, way to exponentially grow your wordlists in
other languages.  Something even better could be to also grab the
alternatives a manual translation would yield on gTranslate.
