Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 13 May 2015 22:19:29 +0100
From: Demian Smith <demian.smith@....de>
To: john-users@...ts.openwall.com
Subject: Re: Advise on best approach (truecrypt pw based on pdf
 file)

Hi list,

still working on my truecrypt hash - in the meantime I have converted
all pdfs in a folder to txt and created the "first letter only" candidates.

I am currently running the truncate rule that magnum thankfully provided
me with on the wordlist (>[4-9A-Z]'\0 )

As this had not been succesful yet even though I assume the correct pdf
had been used I was wondering could a rule be written to do the
"opposite" of truncate?

So instead of truncating
Abcdefgeh to Abcd | Abc | Ab it would start from the back and
"truncates" to fgeh | geh | ge instead. I hope by doing so I fetch out
the stuff I have not tested as yet, in case I started at some random
spot in the sentence...

I am not sure whether this question even makes sense at all, but I am
getting really desperate here, and quickly so...

Thanks for reading,
Marcel


 ★ On 15/05/10 10:38 p.m. Demian Smith wrote ★
> Hi Magnum,
> 
> thanks for your ongoing patience with a young Padawan :s
> 
> I am kind of lost, in my opinion the truncate should have easily cracked
> the hash, but to no avail. I ran your sed magick again over the txt file
> (without linebreaks) and used the truncate rule on it, no luck.
> 
>> wordfile had 10686 lines and required 85488 bytes for index.
>> 0:00:00:00 - suppressed 1 duplicate lines and/or comments from wordlist.
>> 0:00:00:00 - 31 preprocessed word mangling rules
> 
> So I am afraid I did something utterly stupid (like starting with the
> last art of a sentence and making it a new sentence, typos, adding a
> number at the beginnin or end - which I doubt -  et cetera) and hence
> will have to go back to incremental and keeping fingers crossed. Unless
> someone else has another good idea ...
> 
> It is anyway good to start learning about the rules, in case I ever need
> them again :)
> 
> Cheers,
> Demian
> --
> 'It's no measure of mental health to be well adjusted
> to a profoundly sick society.'
> 
> Sinéad O'Connor
> 
>  ★ On 15/05/10 06:24 p.m. Magnum wrote ★
>> On 2015-05-10 19:03, Demian Smith wrote:
>>>   ★ On 15/05/09 11:37 p.m. Magnum wrote ★
>>>> Here's a quick'n'dirty one:
>>>>
>>>> [List.Rules:truncate]
>>>>> [5-9A-C]'\0
>>>>
>>>> Put the above in john.conf and use it with "--rules=truncate". For an
>>>> input word of Tbontbtistqaiaqwsbabtcofm it will output these 8
>>>> variations:
>>>>
>>>> Tbont
>>>> Tbontb
>>>> Tbontbt
>>>> Tbontbti
>>>> Tbontbtis
>>>> Tbontbtist
>>>> Tbontbtistq
>>>> Tbontbtistqa
>>>
>>> I have taken your advise and am running it with A-Z and have as well
>>> intentions to look into the "rules" doc to see what 5-9 in this
>>> instance means.
>>
>> There's nothing special about 5-9, 5 means 5 and 9 means 9. The special
>> is rather that that A means 10 and so on.
>>
>> Here's a simple rule that truncates to length 5:
>>
>> '5
>>
>> Here's one that's enhanced to skip words that weren't at least length 5
>> in the first place:
>>
>>> 5'5
>>
>> The >5 means that the rule only applies to words longer than 5
>> characters, and the '5 is the actual truncation.
>>
>> The bracket thing is pre-processor stuff. [5-9A-C] will expand to one
>> rule with that whole bracket string replaced with "5", another line
>> using "6", and so on. And the \0 means "repeat the last bracket
>> expansion". So our pre-processor rule of
>>
>>> [5-9A-C]'\0
>>
>> will look like this after pre-processing:
>>
>>> 5'5
>>> 6'6
>>> 7'7
>>> 8'8
>>> 9'9
>>> A'A
>>> B'B
>>> C'C
>>
>> So if you look in the log file, it should say that your one-line "rule"
>> is actually 8 rules after pre-processing. Or in case of 5-9A-Z, 31 rules
>> (covering lengths 5 through 36, save for fence-post errors).
>>
>> magnum
>>
>>
> 

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.