Date: Wed, 6 May 2009 11:05:43 -0500
From: Minga Minga <>
Subject: Re: generating john.conf rules from password lists

On Wed, May 6, 2009 at 10:28 AM, SL <> wrote:
> Are there any serious approaches to generate john.conf wordlist rules based
> on existing password lists (or a fairly large john.pot, for example)?

Using a single pwdump output file, I made a shell script to automatically
make rules based on previously cracked passwords. It's not pretty
but it works.

This script for example - does a --show on a pwdump file, then finds
the 100 most popular FIRST three characters - then creates a john.conf
rule to prepend all the wordlists with those three characters. This
isn't the prettiest solution but it worked for me. I don't know that I would
do this for a whole john.pot file though because different places
use different patterns.

# more
john -show -format:nt $1 | cut -d: -f 2 | perl -pe 's/^(...).*/\1/' |
sort | uniq -c | sort -rn | awk '{print $2}' |head -n 100  > a.txt
echo "[List.Rules:KoreLogicRulesPrependList]"
cat a.txt | sed -e 's/^./i[0][&]/' | sed -e 's/..$/i[1][&]/' | sed -e

Here is a shell script that finds all 9 character passwords from a
pwdump output file - then makes a list of the 100 most popular
3-character ending strings.

# more
john -show --format:nt $1 | cut -d: -f 2 | egrep ^.........$ |
  cut -b 7-10 | sort | uniq -c | sort -nr | awk '{print $2}' |
  head -n 300 | tail -n 100 > a.txt
echo ""
echo "[List.Rules:KoreLogicRulesAppend3List]"
cat a.txt | sed -e 's/^./$[&]/' | sed -e 's/..$/$[&]/' |
  sed -e 's/.\]$/\]$\[&/' | sed -e 's/^/c/g'

I have a few others, but they are all variations on the same idea. Obviously
those shell scripts could be written better - feel free to improve.


> Is my approach well understood? (And reasonable at all?)
> Now -- how can I transform this into reasonably crafted mangling rules?
> Minga? Anyone?

At least using my john.pot (over 2 million entries) I noticed the
following popular patterns:

  72460 Word00
  30531 word0
  24581 UUUUUU0
  19697 Ulll0000
  19589 word00
  11229 Word0000

I think the lesson here is:
1) Your dictionaries should be all lower case (Let john
    capitalize the characters)
2) Don't worry about all the UUUU's - That's just LANMAN

I don't know if I have posted this rule or not but it should get most of those
patterns above. I believe john.conf's default rules will as well.



Other things I noticed in my output:
   6051 Word00.

That's a simple:

I have a rule like this as well - but for 4 numbers after the special char:



I don't know of a way to automatically write rules based on your output.
(Besides a massive sed/awk script)

I'm still doing the analysis / rule writing by hand. But I like your approach!
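
The pattern counts quoted in the message (Word00, word0, Ulll0000) can be produced mechanically when auditing recovered passwords. The following is an added example, not part of the original post: it reduces plaintexts to character-class masks and reports the most common ones and the share that is "word followed by digits". The mask alphabet (U, l, 0, '.'), the function names and the sample list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: character-class histogram of recovered plaintexts.
# Assumed mask notation: U = upper, l = lower, 0 = digit, . = anything else.
# Input is one plaintext per line, e.g. the output of the post's
#   john -show -format:nt FILE | cut -d: -f 2
LC_ALL=C; export LC_ALL   # byte-wise ranges, so [A-Z] means only A-Z

# stdin: plaintexts, stdout: one mask per line (empty lines dropped).
pw_masks() {
    sed -e '/^$/d' -e 's/[A-Z]/U/g' -e 's/[a-z]/l/g' \
        -e 's/[0-9]/0/g' -e 's/[^Ul0]/./g'
}

# Print "count percent mask" for the N most common masks.
top_masks() {
    pw_masks | sort | uniq -c | sort -k1,1nr -k2 |
    awk -v n="$1" '{ c[NR] = $1; m[NR] = $2; total += $1 }
        END { for (i = 1; i <= NR && i <= n; i++)
                  printf "%d %.1f%% %s\n", c[i], 100 * c[i] / total, m[i] }'
}

# Percentage of plaintexts whose mask matches an extended regex.
mask_share() {
    pw_masks | awk -v re="$1" '{ t++; if ($0 ~ re) h++ }
        END { if (t) printf "%.1f\n", 100 * h / t; else print "0.0" }'
}

# Constructed sample data, not taken from any real dump.
sample_plaintexts() {
    cat <<'EOF'
Summer09
Winter08
Spring09
monkey1
dragon7
PASSWOR1
Welcome2009
Password1.
letmein
EOF
}

sample_plaintexts | top_masks 3
# Share covered by "optional capital, lower-case word, trailing digits":
sample_plaintexts | mask_share '^U?l+0+$'
```

A high share for a single mask family is the signal that a lower-case dictionary plus capitalize-and-append-digits rules covers most of the set, which is the point made in the message.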


