Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170428204446.GA6306@openwall.com>
Date: Fri, 28 Apr 2017 22:44:46 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: How to stop consideration of repeated characters

Hello Bill,

On Fri, Apr 28, 2017 at 01:30:40PM -0700, B B wrote:
> I am new to JtR and am trying to recover a lost password for which I have both a probable beginning and end. I also have a limited character set for the middle of the password.
> 
> I have been using Crunch to generate word lists but these lists have repeated characters such as [known}aaab[known]. I know for a fact there are NO repeated characters in my lost password but can not find any mention of a rule? to reject them. 

This is tricky and most likely unreasonable to do.  What hash or file
type are you attacking?  How fast does the attack go?  It is unlikely
that reducing the keyspace by such a small margin is going to
significantly improve your chances of cracking that password within the
timeframe you're willing to allocate.

> Another question, to get around the use of Crunch, is can I quote a fixed/known character string at the beginning and the end in a rule?
> 
> Such as ???pass???A-z???word????

You don't need Crunch.  With recent JtR -jumbo, you can achieve the same
with its mask mode, e.g.:

john -9='?l?u' --mask='pass?9?9?9?9word' passwd-file-here

or e.g.:

john -9='?l?u' --mask='pass?9?9[aeiou]?9word' passwd-file-here

to restrict one of the characters to a smaller set.  You can also use
character ranges, etc.

To likely significantly improve your chances, you can use e.g.:

john --inc=alpha --min-len=12 --max-len=12 --mask='pass?wword' passwd-file-here

so that the 4 character (in this example) portion in the middle is
filled with character sequences sorted for decreasing estimated
probability based on character frequencies in other passwords.  Things
like this can make far greater difference than omitting a small fraction
of the keyspace would.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.