Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 Dec 2006 21:30:26 +0300
From: Solar Designer <>
Subject: Re: wordlist generator

This is somewhat off-topic, however one thing that I'd like to have
documented in here is that John the Ripper can in fact be used as a
"wordlist generator".  The --stdout option makes JtR output the
candidate passwords that it would be trying, and you can redirect the
output to a file or pipe it into another program.

On Wed, Dec 13, 2006 at 10:37:09AM -0500, RV Tec wrote:
> I've lost a password of a proprietary software.

If you have a copy of this program, then you can likely either extract
the password from it (if the password is stored in plaintext or in a
reversible form) or patch it to bypass the check.  However, these
actions might violate your license terms for the program.

> Actually, it's a passphrase, and I'm only missing the case combination.
> I've already put up a shell script to brute force this mentioned software, 
> but I need to assemble a wordlist. The problem is that I havent found a 
> way of building a wordlist with all the case combination from a 
> passphrase.

You do not need these combinations stored in a "wordlist" file.  You
merely implement a trivial script (e.g., in Perl) that both generates
candidate passwords and tries them against your program.

> Does anynone have any clues on how I can proceed? Does anyone know a 
> software (UNIX or Windows, whatever) that makes this possible?

Perl is that software.  John the Ripper with its --stdout option is also
that software (for your specific task, either external or wordlist mode
can be used, although doing it all in Perl is likely easier given that
you'd need another script anyway).

> Since the passphrase contains only 35 chars, to build a file with all 
> combinations possible, performance wont be problem.

If I understood you correctly, the file would occupy over 1.2 TB of disk
space (perhaps on a RAID array).  (The file may be smaller if some
character positions contain non-letters - e.g., spaces or digits - and
the "wordlist generator" is smart enough to take advantage of that.)
Also, you might run into issues with (lack of) large file support with
some software if you're on a 32-bit system.  Are you sure you want that?
There is no need to have those candidate passphrases stored in a file,
as I have mentioned above.

Also, for producing all possible case permutations in a passphrase that
is 35 characters long, JtR's wordlist mode might not work well.  For a
much shorter passphrase, I would suggest the use of something like this
example from the default john.conf:

# Case toggler for cracking MD4-based NTLM hashes (with the contributed
# patch), given already cracked DES-based LM hashes.
# Rename this section to [List.Rules:Wordlist] to activate it.

This one is for up to 14 characters.  However, for longer passphrases
this approach doesn't work well as JtR will attempt to validate the
syntax of all preprocessor-expanded rules and that will be taking a long
time (in your case, there will be over 34 million of such rules).  Also,
RULE_RANGES_MAX in src/params.h would need to be increased (it defaults
to 16 for JtR 1.7).

Alexander Peslyak <solar at>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.