Message-ID: <20101008235742.GA19195@openwall.com>
Date: Sat, 9 Oct 2010 03:57:42 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Rule to replace strings

On Fri, Oct 08, 2010 at 05:04:50PM -0500, Minga Minga wrote:
> On Fri, Oct 8, 2010 at 3:03 PM, Solar Designer <solar@...nwall.com> wrote:
> > /?d Dp =p?d Dp =p?d Dp =p?d Dp Ap"[0-9][0-9][0-9][0-9]"
> 
> That is really cool. It took me a while to completely understand it.
> My only question is, why is there not a 4th   =p?d      ? If you add
> it, there is no output so it's obviously correct.

We're matching 4 "old" digits - one with "/?d" (this command finds the
position of the first digit and puts this position into "p") and three
with "=p?d" (at specific positions - right after the previous digits).

> /?d        -> reject the word if it doesn't have any digits

Yes, and set "p" to the position of the first digit.

> Dp         -> Delete the character at position 'p'

Exactly.  This also makes "p" the position for the next character.

> =p?d      -> reject the letter at position 'p' if it's not a digit

Not exactly; the entire word is rejected if the character at "p" is not
a digit.

> Ap"[0-9][0-9][0-9][0-9]"   -> add 4 numbers at location 'p' where you just
>                                        removed 4 numbers

Correct.

Obviously, there are actually 10000 separate rules (after preprocessor
expansion) - one for each 4-digit number to introduce as a replacement.

> Fyi: I used your rule on some NTLMs that I've been cracking a LOOONG time
> using    'cut -d: -f2- john.pot | sort -u > john.pot.dic'  as my wordlist. And
> I cracked some good passwords that I previously missed that were just 4 digits
> different than previous passwords.

Great.  Yes, I actually meant this for use on already-known passwords
(or just common passwords) as the "wordlist".

> I created these for my own use:

That's very nice.

Did you exclude the single-character replacements on purpose, though?
Maybe because they'd be mostly redundant with the substitution rules you
already have?  Well, not exactly: those apply to all instances of a
letter, whereas these would apply to the first instance only (and you
can add variations for the second instance only, 1st & 2nd, 3rd only,
etc.)  Some of these would be redundant with an overstrike-all line,
though - much like what we (john-users) used during the contest.

For example:

%[1-4]?d op[0-9] Q

produces with "test2010" in the wordlist:

test0010
test1010
test3010
...
test8010
test9010
test2110
test2210
...
test2810
test2910
test2000
test2020
...
test2080
test2090
test2011
test2012
...
test2019
words: 36  time: 0:00:00:00 100%  w/s: 3600  current: test2019

without duplicates. :-)  (Of course, there may be duplicates with other
input wordlists, due to similarities between different input lines.)

Thanks,

Alexander
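
As an added illustration (not part of this message and not John the Ripper's own code), the following Python models the preprocessor's [..] expansion and only the rule commands discussed in this thread (/?C, %N?C, =N?C, DN, oNX, AN"STR", Q), enough to reproduce the 36 words listed above and the 10000-rule expansion of the first rule. Semantics follow the explanations given in the thread, with the rightmost [..] list varying fastest as the output order above shows; that the real rule engine agrees in every edge case is an assumption.

```python
import itertools, re

CLASSES = {"d": set("0123456789")}  # only ?d, the one class the message uses

def preprocess(rule):
    """Expand [..] lists (with a-b ranges) into separate rules; the rightmost list varies fastest."""
    lits = re.split(r"\[[^\]]*\]", rule)
    lists = [[chr(c) for a, b, s in re.findall(r"(.)-(.)|(.)", spec)
              for c in (range(ord(a), ord(b) + 1) if a else [ord(s)])]
             for spec in re.findall(r"\[([^\]]*)\]", rule)]
    for combo in itertools.product(*lists):
        yield "".join(l + c for l, c in zip(lits, list(combo) + [""]))

def apply_rule(rule, word):
    """Apply one expanded rule; return the new word, or None if the word is rejected."""
    w, p, i = word, 0, 0
    pos = lambda t: p if t == "p" else int(t)      # position argument: 'p' or a digit
    hits = lambda cls: [k for k, ch in enumerate(w) if ch in CLASSES[cls]]
    while i < len(rule):
        c, a = rule[i], rule[i + 1:i + 4]          # command letter and its arguments
        if c == " ": i += 1                        # whitespace just separates commands
        elif c == "/":                             # /?C: reject unless class C occurs; p = first hit
            h = hits(a[1])
            if not h: return None
            p, i = h[0], i + 3
        elif c == "%":                             # %N?C: reject unless >= N hits; p = the Nth hit
            h = hits(a[2])
            if len(h) < int(a[0]): return None
            p, i = h[int(a[0]) - 1], i + 4
        elif c == "=":                             # =N?C: reject unless the char at N is in C
            n = pos(a[0])
            if n >= len(w) or w[n] not in CLASSES[a[2]]: return None
            i += 4
        elif c == "D":                             # DN: delete the char at N (next char moves to N)
            n = pos(a[0]); w, i = w[:n] + w[n + 1:], i + 2
        elif c == "o":                             # oNX: overstrike the char at N with X
            n = pos(a[0]); w, i = w[:n] + a[1] + w[n + 1:], i + 3
        elif c == "A":                             # AN"STR": insert STR at position N
            n, end = pos(a[0]), rule.index('"', i + 3)
            w, i = w[:n] + rule[i + 3:end] + w[n:], end + 1
        elif c == "Q":                             # Q: reject the word if the rule left it unchanged
            if w == word: return None
            i += 1
        else: raise ValueError("command not modelled here: " + c)
    return w

def run(rule, words):
    """Apply every expansion of rule to every word, rule-major like john's wordlist mode."""
    return [nw for r in preprocess(rule) for word in words
            if (nw := apply_rule(r, word)) is not None]
```

Running `run("%[1-4]?d op[0-9] Q", ["test2010"])` yields the 36 distinct words shown above, and a word such as "abc123" with only three digits is rejected by the first rule at its third =p?d, because p then points past the end of the word.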
