Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20101008235742.GA19195@openwall.com>
Date: Sat, 9 Oct 2010 03:57:42 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Rule to replace strings

On Fri, Oct 08, 2010 at 05:04:50PM -0500, Minga Minga wrote:
> On Fri, Oct 8, 2010 at 3:03 PM, Solar Designer <solar@...nwall.com> wrote:
> > /?d Dp =p?d Dp =p?d Dp =p?d Dp Ap"[0-9][0-9][0-9][0-9]"
> 
> That is really cool. It took me a while to completely understand it.
> My only question is, why is there not a 4th   =p?d      ? If you add
> it, there is no output so its obviously correct.

We're matching 4 "old" digits - one with "/?d" (this command finds the
position of the first digit and puts this position into "p") and three
with "=p?d" (at specific positions - right after the previous digits).

> /?d        -> reject the word if it doesn't have any digits

Yes, and set "p" to the position of the first digit.

> Dp         -> Delete the character at position 'p'

Exactly.  This also makes "p" the position for the next character.

> =p?d      -> reject the letter at position 'p' if its not a digit

Not exactly; the entire word is rejected if the character at "p" is not
a digit.

> Ap"[0-9][0-9][0-9][0-9]"   -> add 4 numbers at location 'p' where you just
>                                        removed 4 numbers

Correct.

Obviously, there are actually 10000 separate rules (after preprocessor
expansion) - one for each 4-digit number to introduce as a replacement.

> Fyi: I used your rule on some NTLMs that I've been cracking a LOOONG time
> using    'cut -d: -f2- john.pot | sort -u > john.pot.dic'  as my wordlist. And
> I cracked some good passwords that I previously missed that were just 4-digits
> different that previous passwords.

Great.  Yes, I actually meant this for use on already-known passwords
(or just common passwords) as the "wordlist".

> I created these for my own use:

That's very nice.

Did you exclude the single-character replacements on purpose, though?
Maybe because they'd be mostly redundant with the substitution rules you
already have?  Well, not exactly: those apply to all instances of a
letter, whereas these would apply to the first instance only (and you
can add variations for the second instance only, 1st & 2nd, 3rd only,
etc.)  Some of these would be redundant with an overstrike-all line,
though - much like what we (john-users) used during the contest.

For example:

%[1-4]?d op[0-9] Q

produces with "test2010" in the wordlist:

test0010
test1010
test3010
...
test8010
test9010
test2110
test2210
...
test2810
test2910
test2000
test2020
...
test2080
test2090
test2011
test2012
...
test2019
words: 36  time: 0:00:00:00 100%  w/s: 3600  current: test2019

without duplicates. :-)  (Of course, there may be duplicates with other
input wordlists, due to similarities between different input lines.)

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.