Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E9B8840FA72E46BA93E6FB9C71BF17C3@ath64dual>
Date: Mon, 27 Jul 2009 06:01:04 -0500
From: "JimF" <jfoug@....net>
To: <john-users@...ts.openwall.com>
Subject: Generation method I used for prepend and append 'rules'

Here are the steps I used to build a nice prepend / append
ruleset for usage in John.   This information is being
provided as is.  It was thrown together, to satisfy a
personal test (successful) of my own. It was coded quickly,
and not done in a very clean manner.  I make no apologies
for it.  use it or modify it to your own needs. Or simply
use the rules I have provided, prebuilt.  

NOTE this method can crack some pretty long, and pretty 
complex passwords.

First a little information.  The data used, was a set of 
cracked passwords. There were NOT a simple john.pot, but
a list of all the passwords used. If there were multiple
words of the same, I wanted to have each multiple copy.
To do this, I took the cracked list, and used john -show
and piped that to a file. Then used cut  So

Step 1.  Crack a lot of passwords, or get a good cracked db

Step 2.  Run john -show -format=???  hashes_lst > crk

Step 3.  Get 'just' the passwords:   cut -d: -f2 crk > pass_all

Ok, now we have a list of the cracked passwords. What we now
want to do, is to 'find' things that are added to normal 
dictionary words (the database I worked from was mostly 
English, so I used English words). Obtain the proper language
dictionaries from openwall.net  For this example, I used
all of the dictionaries from the English directories.

Step 4.  Get the dictionary words.  I concatenated all the 
word files from 'English' section from the openwall lists.

Step 5.  Sort this dictionary list.  The sorted file is 
named english-sorted.all


Step 6.  Run the program pre_post_cnt and redirect output. NOTE 
as in original source, the file names pass_all and 
english-sorted.all ARE required names.

   pre_post_cnt > data    

the pre_post_cnt.cpp is provided. It is a simple hacked out
program, not well done, but it works (for me ;)  The output
will be 3 fields The fields are:
count 'string' (Type)    Type will be (Pre) or (Post). As the
program runs (it may take a couple minutes), it will inform
you to stderr what it is doing (which password is being worked
on).  When all are done, it will output and exit.
NOTE this file will only output (as written), if there are 11
instances or more of a prepend/append sequence.  This can be 
adjusted by editing the source.

Step 7.  Grep out (Pre)   grep (Pre) data > pre_data
Step 8.  grep out (Post)  grep (Post) data > post_data
Note, I use wc to make sure that all of the lines were accounted
for, they should be, but it never hurts to check.

Step 9.  Now, sort both per and post data

sort -n -r pre_data  > prepend-lst
sort -n -r post_data > append-lst

The default pre_post_cnt.cpp only outputs if > 10 'hits', but 
if you have coded to see ALL of them, you most likely will want
to remove all of the singleton and probably even more from your
prepend-lst and append-lst files.

Ok, we are almost home.

Step 10, build prepend.lst and append.lst files.  These files
contain ONLY the string data.  To get them do:

cut -d\` -f2 prepend-lst > prepend.lst
cut -d\` -f2 append-lst  > append.lst     
NOTE the back quote under the ~ char  If this char is used, modify
the pre_post_cnt.cpp to use a different letter. 
NOTE2, there will usually be more append rules (not sure why, but
this is what I saw). That being so, I will often make sure more
prepends get added, by requiring fewer to 'keep' them in
pre_post_cnt.cpp

step 11.  Build the rules.  Run the program JohnWordMerge.c  
(sorry about the naming, but that is it :)  

JohnWordMerge > rules

Step 12.  Edit john.conf (or john.ini) and add these rules as
a new [Rules.Wordlist] section.  If using the newer version 
of john, that .Wordlist can be any value, and then the 
rules=wordlist can tell john which section to use.

Enhancements:

Some up-casing, lower-casing (all upper was pretty good), Case, 
w-space removal, w-space removeal lower/upper, upcase after 
preprocessing (best in my test), etc all can crack more passwords.
Not nearly as many as the 'base', but by the time you get to using
rules like this, much of the wordlist based cracking has been done
and only the 'hard' crap is left.

Also, devising a method of doing pre AND append on the same
word would
certainly crack some words. I have not tried doing this, but it is 
not beyond the grasp of techniques shown here. 

Good luck, and happy cracking,  Jim.

The pre-built set of rules I have originally put together for this can be
found on the wiki page.  It was too large to send to the email list.

http://openwall.info/wiki/john/usage-examples
View attachment "pre_post_cnt.cpp" of type "text/plain" (4577 bytes)

View attachment "JohnWordMerge.c" of type "text/plain" (3512 bytes)

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.