Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5f4239740905060905x7e05f44wa48df0d829d9dc75@mail.gmail.com>
Date: Wed, 6 May 2009 11:05:43 -0500
From: Minga Minga <mingakore@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: generating john.conf rules from password lists

On Wed, May 6, 2009 at 10:28 AM, SL <auditor@...chat.de> wrote:
> Are there any serious approaches to generate john.conf wordlist rules based
> on existing password lists (or a fairly large john.pot, for example)?

Using a single pwdump output file, I made a shell script to automatically
make rules based on previously cracked passwords. Its not pretty
but it works.

This script for example - does a --show on a pwdump file, then finds
the 100 most popular FIRST three characters - then creates a john.conf
rule to prepend all the wordlists with those three characters. This
isn't the prettiest solution but it worked for me. I don't know that I would
do this for a whole john.pot file though because different places
use different patterns.

# more convert-3char-list-to-johnconf.sh
john -show -format:nt $1 | cut -d: -f 2 | perl -pe 's/^(...).*/\1/' |
sort | uniq -c | sort -rn | awk '{print $2}' |head -n 100  > a.txt
echo "[List.Rules:KoreLogicRulesPrependList]"
cat a.txt | sed -e 's/^./i[0][&]/' | sed -e 's/..$/i[1][&]/' | sed -e
's/.\]$/\]i\[2\]\[&/'

-----------------
Here is a shell script that finds all 9 character passwords from a
pwdump output file - then makes a list of the 100 most popular
3-character ending strings.

# more convert-3char-list-to-johnconf-most-popular-ending-strings.sh
john -show --format:nt $1| cut -d: -f 2 | egrep ^.........$ | cut -b
7-10 | sort | uniq -c | sort -nr| awk '{print $2}' |head -n 300| tail
-n 100 > a.txt
echo ""
echo "[List.Rules:KoreLogicRulesAppend3List]"
cat a.txt | sed -e 's/^./$[&]/' | sed -e 's/..$/$[&]/' | sed -e
's/.\]$/\]$\[&/'  | sed -e 's/^/c/g'

I have a few others, but they are all variations on the same idea. Obviously
those shell scripts could be written better - feel free to improve.

------------------------


> Is my approach well understood? (And reasonable at all?)
> Now -- how can I transform this into reasonably crafted mangling rules?
> Minga? Anyone?

At least using my john.pot (over 2 million entries) I noticed the
following popular patterns:

instances|pattern
  72460 Word00
  30531 word0
  24581 UUUUUU0
  19697 Ulll0000
  19589 word00
  11229 Word0000

I think the lesson here is:
1) Your dictionaries should be all lower case (Let john
    capitalize the characters)
2) Dont worry about all the UUUU's - That just LANMAN

I dont know if I have posted this rule or not but it should get most of those
patterns above. I believe john.conf's default rules will as well.

[List.Rules:KoreLogicRulesAppendJustNumbers]
$[0123456789]
$[0123456789]$[0123456789]
i[0][0123456789]i[1][0123456789]
i[0][0123456789]
$[0123456789]$[0123456789]$[0123456789]
c$[0123456789]$[0123456789]$[0123456789]
c$[0123456789]$[0123456789]$[0123456789]$[0123456789]
$[0123456789]$[0123456789]$[0123456789]$[0123456789]
$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
c$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
#c$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
#$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]

------------

Other things I noticed in my output:
   6051 Word00.

Thats a simple:
c$[$!@...&*?.+\-_=`~()|]$[0123456789]$[0123456789]

I have a rule like this as well - but for 4 numbers after the special char:

[List.Rules:KoreLogicRulesSpecial4num]
c$[$!@...&*?.+\-_=`~()|]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
$[$!@...&*?.+\-_=`~()|]$[0123456789]$[0123456789]$[0123456789]$[0123456789]

------------

I don't know of a way to automatically write rules based on your output.
(Besides a massive sed/awk script)

I still doing the analysis / rule writing my hand. But I like your approach!

-Minga

KoreLogic

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.