Message-ID: <BANLkTimQY3hAzXz35U8AnZWJ-qDiFt_O2Q@mail.gmail.com>
Date: Mon, 9 May 2011 10:09:57 -0400
From: Rich Rumble <richrumble@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Supercharged John the Ripper Techniques by Rick Redman of KoreLogic

On Thu, May 5, 2011 at 4:07 PM, minga <minga@...ga.com> wrote:
> Fyi.
>
> Rick = Minga = CrackMeIfYouCan = Me.
>
> That is my presentation for people "new" to password cracking and not really
> john experts. I had to remove LOTS of john-specific information from there
> because I never got in front of an actual group of john-users. i.e. markov,
> ETC.
>
> The URL to that site is private. But sites like that do exist - and are
> actively being used to compromise stolen passwords. That was the point of that
> slide. i.e. no one is safe .. blah blah blah.
>
> Also - that PDF was made to be geared toward members of OWASP - so there are
> multiple references to web development/web passwords/etc.
>
> -Minga

M$'s password complexity requirements, which I don't think are applied by
default, and only apply to domain accounts (but can be applied against local
accounts), have the following requirements:
http://technet.microsoft.com/en-us/library/cc786468%28WS.10%29.aspx

Passwords must contain characters from three of the following five categories:

1. Uppercase characters of European languages (A through Z, with diacritic
   marks, Greek and Cyrillic characters)
2. Lowercase characters of European languages (a through z, sharp-s, with
   diacritic marks, Greek and Cyrillic characters)
3. Base 10 digits (0 through 9)
4. Nonalphanumeric characters: ~!@...^&*_-+=`|\(){}[]:;"'<>,.?/
5. Any Unicode character that is categorized as an alphabetic character but is
   not uppercase or lowercase. This includes Unicode characters from Asian
   languages.

These are applied to every AD install I've audited for the past few years.
I was looking through John.conf and noticed the "External:Policy" (as well as
a few others) mode. I see this is a recent addition, and one I plan on testing
right now. I'd like to make changes and additions to cover the various
possible combinations, of which there are many... with 3 of the 5 being the
minimum, a password could contain 4 or all 5 of the various requirements. The
5th (unicode) doesn't occur much in my experience, so maybe I'll focus on the
other 4 that I do see. 8 chars is the minimum I've seen for an AD password;
in recent years this is getting longer and longer, and the LM hash is fading
from storage as well. I'll just poke around and mess things up for a bit, then
cry for help here later :)

-rich
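The following is an added example, not code from the thread or from John the Ripper itself: a small Python checker for the Microsoft complexity rule quoted above (at least 3 of the 5 character categories, plus the 8-character minimum Rich mentions), usable for auditing a list of passwords or for counting the category combinations a compliant password can draw from. It assumes that category 4 is exactly the 32 ASCII punctuation characters (Python's string.punctuation, which matches the set in the quoted list), that category 5 is any Unicode letter whose general category is not Lu or Ll, and it does not model the policy's separate check against the account name. The sample passwords are constructed for illustration.

```python
import string
import unicodedata
from itertools import combinations

MIN_LENGTH = 8            # minimum length Rich reports seeing on AD
CATEGORIES_REQUIRED = 3   # "three of the following five categories"
ALL_CATEGORIES = range(1, 6)

# Assumption: category 4 is the 32 ASCII punctuation characters.
# Space is deliberately not included; the policy does not list it.
SPECIALS = frozenset(string.punctuation)


def categorize(ch):
    """Map one character to its MS complexity category (1..5), or None."""
    gc = unicodedata.category(ch)          # Unicode general category, e.g. "Lu"
    if gc == "Lu":                         # 1: uppercase letters (incl. Greek/Cyrillic)
        return 1
    if gc == "Ll":                         # 2: lowercase letters (incl. sharp-s, accents)
        return 2
    if ch in "0123456789":                 # 3: base-10 digits only, not other Nd digits
        return 3
    if ch in SPECIALS:                     # 4: nonalphanumeric characters
        return 4
    if gc.startswith("L"):                 # 5: Lt/Lm/Lo letters, e.g. CJK, kana
        return 5
    return None                            # whitespace, symbols, other digits: no category


def categories_used(password):
    """Set of categories a password draws characters from."""
    return {c for c in map(categorize, password) if c is not None}


def check_policy(password, min_length=MIN_LENGTH, required=CATEGORIES_REQUIRED):
    """Return a dict with 'ok', the sorted categories hit, and any failure reasons."""
    cats = categories_used(password)
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(cats) < required:
        reasons.append(f"only {len(cats)} of {required} required character categories")
    return {"ok": not reasons, "categories": sorted(cats), "reasons": reasons}


def satisfying_combinations(required=CATEGORIES_REQUIRED):
    """Every subset of categories a compliant password may use (3, 4 or all 5 of them)."""
    return [combo
            for k in range(required, len(ALL_CATEGORIES) + 1)
            for combo in combinations(ALL_CATEGORIES, k)]


def audit(passwords):
    """Check each password and return {password: result}; used over audit exports."""
    return {pw: check_policy(pw) for pw in passwords}


# Constructed sample input for demonstration only.
SAMPLE_PASSWORDS = [
    "Password1",      # categories 1,2,3       -> compliant
    "password",       # category 2 only        -> fails
    "Pa$$w0rd",       # categories 1,2,3,4     -> compliant
    "Abc1234",        # 7 characters           -> fails on length
    "東京1234Ab",      # categories 1,2,3,5     -> compliant (the rare 5th category)
]

if __name__ == "__main__":
    for pw, result in audit(SAMPLE_PASSWORDS).items():
        status = "OK  " if result["ok"] else "FAIL"
        print(f"{status} {pw!r:14} categories={result['categories']} {'; '.join(result['reasons'])}")
    print(f"{len(satisfying_combinations())} category combinations satisfy the 3-of-5 rule")
```

The combination count (16: ten ways to pick 3 categories, five to pick 4, one for all 5) is the "many" that the message refers to; a policy-aware filter or cracking rule set has to admit any of those subsets, not just the common upper/lower/digit one.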