Message-ID: <5f4239740905060905x7e05f44wa48df0d829d9dc75@mail.gmail.com>
Date: Wed, 6 May 2009 11:05:43 -0500
From: Minga Minga <mingakore@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: generating john.conf rules from password lists

On Wed, May 6, 2009 at 10:28 AM, SL <auditor@...chat.de> wrote:
> Are there any serious approaches to generate john.conf wordlist rules based
> on existing password lists (or a fairly large john.pot, for example)?

Using a single pwdump output file, I made a shell script to automatically
make rules based on previously cracked passwords. It's not pretty but it works.

This script, for example, does a --show on a pwdump file, then finds the
100 most popular FIRST three characters, then creates a john.conf rule to
prepend all the wordlists with those three characters.

This isn't the prettiest solution but it worked for me. I don't know that I
would do this for a whole john.pot file though, because different places use
different patterns.

# more convert-3char-list-to-johnconf.sh
john -show -format:nt $1 | cut -d: -f 2 | perl -pe 's/^(...).*/\1/' | sort | uniq -c | sort -rn | awk '{print $2}' |head -n 100 > a.txt
echo "[List.Rules:KoreLogicRulesPrependList]"
cat a.txt | sed -e 's/^./i[0][&]/' | sed -e 's/..$/i[1][&]/' | sed -e 's/.\]$/\]i\[2\]\[&/'

-----------------

Here is a shell script that finds all 9 character passwords from a pwdump
output file, then makes a list of the 100 most popular 3-character ending
strings.

# more convert-3char-list-to-johnconf-most-popular-ending-strings.sh
john -show --format:nt $1| cut -d: -f 2 | egrep ^.........$ | cut -b 7-10 | sort | uniq -c | sort -nr| awk '{print $2}' |head -n 300| tail -n 100 > a.txt
echo ""
echo "[List.Rules:KoreLogicRulesAppend3List]"
cat a.txt | sed -e 's/^./$[&]/' | sed -e 's/..$/$[&]/' | sed -e 's/.\]$/\]$\[&/' | sed -e 's/^/c/g'

I have a few others, but they are all variations on the same idea.
Obviously those shell scripts could be written better - feel free to improve.

------------------------

> Is my approach well understood? (And reasonable at all?)
> Now -- how can I transform this into reasonably crafted mangling rules?
> Minga? Anyone?

At least using my john.pot (over 2 million entries) I noticed the following
popular patterns:

instances|pattern
72460 Word00
30531 word0
24581 UUUUUU0
19697 Ulll0000
19589 word00
11229 Word0000

I think the lesson here is:
1) Your dictionaries should be all lower case (Let john capitalize the characters)
2) Don't worry about all the UUUU's - That's just LANMAN

I don't know if I have posted this rule or not, but it should get most of
those patterns above. I believe john.conf's default rules will as well.

[List.Rules:KoreLogicRulesAppendJustNumbers]
$[0123456789]
$[0123456789]$[0123456789]
i[0][0123456789]i[1][0123456789]
i[0][0123456789]
$[0123456789]$[0123456789]$[0123456789]
c$[0123456789]$[0123456789]$[0123456789]
c$[0123456789]$[0123456789]$[0123456789]$[0123456789]
$[0123456789]$[0123456789]$[0123456789]$[0123456789]
$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
c$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
#c$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
#$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]$[0123456789]

------------

Other things I noticed in my output:

6051 Word00.

That's a simple:

c$[$!@...&*?.+\-_=`~()|]$[0123456789]$[0123456789]

I have a rule like this as well - but for 4 numbers after the special char:

[List.Rules:KoreLogicRulesSpecial4num]
c$[$!@...&*?.+\-_=`~()|]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
$[$!@...&*?.+\-_=`~()|]$[0123456789]$[0123456789]$[0123456789]$[0123456789]

------------

I don't know of a way to automatically write rules based on your output.
(Besides a massive sed/awk script.) I'm still doing the analysis / rule writing
by hand. But I like your approach!

-Minga
KoreLogic
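
Added example (not part of the original message and not KoreLogic's code): a password-audit sketch that turns cracked plaintexts into the "Word00"-style pattern counts from the thread and emits one john.conf rule per pattern, most frequent first. The section name, the SPECIALS set and the sample passwords are constructed for illustration; all-caps entries are skipped, following the LANMAN remark in the post.

```python
import re
from collections import Counter

DIGITS = "0123456789"
SPECIALS = "!@#$%^&*?.+-_="   # constructed set for this example, not the post's list

def escape_class(chars):
    # Assumption: inside a [...] list John's rule preprocessor needs a
    # backslash before [ ] \ and - (the post's rules escape "-" the same way).
    return "".join("\\" + c if c in "[]\\-" else c for c in chars)

def shape(password):
    """Return (case_command, tail_classes), or None when the password is not
    'letters followed only by digits/specials' (the Word00-style patterns)."""
    m = re.fullmatch(r"([A-Za-z]+)([^A-Za-z]*)", password)
    if not m:
        return None
    word, tail = m.groups()
    if word.islower():
        case = ""            # leave the dictionary word as it is
    elif word[0].isupper() and word[1:].islower():
        case = "c"           # John's capitalize command
    else:
        return None          # all-caps (LANMAN artefacts) and mixed case are skipped
    classes = ""
    for ch in tail:
        if ch in DIGITS:
            classes += "d"
        elif ch in SPECIALS:
            classes += "s"
        else:
            return None
    return case, classes

def rules_from_cracked(passwords, top=10, section="ExampleGeneratedRules"):
    """Emit one rule per shape, most frequent first. Section name is hypothetical."""
    counts = Counter(s for s in map(shape, passwords) if s)
    charsets = {"d": escape_class(DIGITS), "s": escape_class(SPECIALS)}
    lines = ["[List.Rules:%s]" % section]
    for (case, classes), _ in counts.most_common(top):
        rule = case + "".join("$[%s]" % charsets[t] for t in classes)
        lines.append(rule or ":")   # ":" is John's no-op rule
    return lines

# Constructed sample of cracked plaintexts (not real data).
SAMPLE = ["Summer09", "Winter08", "Spring07", "dragon1", "monkey7",
          "Welcome2009", "ADMIN1", "Secret1!", "pa55word"]

if __name__ == "__main__":
    print("\n".join(rules_from_cracked(SAMPLE)))
```

Feed it the plaintext column of "john --show" output instead of SAMPLE; passwords that do not fit the letters-then-tail shape (such as "pa55word") are ignored rather than guessed at.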