Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAJ9ii1FDZkj+AKjXMSxEB-pKKzVN1yO6xKDcgoS8c7p0hVcS8A@mail.gmail.com>
Date: Wed, 10 Dec 2014 10:10:08 -0500
From: Matt Weir <cweir@...edu>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Re: PRINCE approach from hashcat

I'm working on a long writeup of the PRINCE tool, (running some comparison
tests right now), but the short answer is that PRINCE is a password guess
generator and can be thought of as an advanced Combinator attack. Rather
than taking as input two different dictionaries and then outputting all the
possible two word combinations though, PRINCE only has one input dictionary
and builds "chains" of combined words. These chains can have 1 to N words
from the input dictionary concatenated together. So for example if it is
outputting guesses of length four, it could generate them using
combinations from the input dictionary such as:
4 letter word
2 letter word + 2 letter word
1 letter word + 3 letter word
1 letter word + 1 letter word + 2 letter word
1 letter word + 2 letter word + 1 letter word
1 letter word + 1 letter word + 1 letter word + 1 letter word
..... (You get the idea)

At0m had been talking about it replacing things like the progression JtR
does with Single  => Wordlist => Incremental. That's because depending on
the wordlist it will eventually do several mangling techniques, (like
append digits), brute force, (up to eight characters long), etc. The more
I've been playing with it though the less useful I've found it. Aka I
suspect in most cases you are better off using a scripted progression
attacks like JtR vs relying on PRINCE. That's actually why I'm running the
tests right now so I can verify that assertion. I'm hopeful I should have a
full writeup on it done by this weekend if not sooner.

Matt

On Tue, Dec 9, 2014 at 10:20 PM, Lukas Odzioba <lukas.odzioba@...il.com>
wrote:

> 2014-12-10 4:01 GMT+01:00 Royce Williams <royce@...ho.org>:
> > What's hashcat up to here?  I only skimmed the PDF briefly.
> >
> >     https://hashcat.net/tools/princeprocessor/
>
> For me it looks like combinator attack generalized to a given final
> password length.
>
> > – Generate password with chain
>
> It is not covered in the presentation but I assume it is string
> concatenation, but there could be some additional rule engine to build
> passwords from n "roots" or "base word sets", this in some cases would
> break chain length limit which I guess might be some kind of
> optimization.
>
> I like the idea, and it is good to see that someone is still working
> on new methods.
>
> Lukas
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.