Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <87h84h7t4s.fsf@gmail.com>
Date: Wed, 09 Oct 2019 19:58:43 +0300
From: Aleksey Cherepanov <lyosha@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: approaches to use old password as baseword for new hash matching by username/login (as in CMIYC 2019)

Additional point: 'SingleSkipLogin = Y' may be used to put baseword
into GECOS while login is not empty and is not used.

Aleksey Cherepanov <lyosha@...nwall.com> writes:
>   - Any separator chars (roughly anything that is not in set A-Za-z0-9)
>     in username or in GECOS field gives additional candidates because
>     john extracts words.
>
>     - "a,b" in login field produces "a,b", "a,ba", "aa", "a,bb", "ab", "a",
>       "aa,b", "b", "ba,b", "ba".

I just found a dirty hack to get only "a,b". Additional border should
added. For instance, '\x02' may used for CMIYC because the cracks are
printable ascii, so "\x02a,b\x02" should be used as baseword. Then
--single=':=0\x02 =m\x02 Dm D0' may be used to check the border and cut
them. The border will be at the first and at the last position only for
full baseword used as is. Any additional candidates would satisfy.

There is a drawback: empty password cannot be passed this way, because
the rules engine rejects candidates if intermediate value is empty at
any point during evaluation of rules (e.g. no-op rule ':' would reject
empty password from a wordlist).

Chars with codes 1..33 are considered to be separators. So '\x02' would
not be extracted as part of word and could not happen at the beginning
and at the end in generated pairs then.

Additional rules may be used after the filter:
--single=':=0\x02 =m\x02 Dm D0 ...your rules...'

Also --rules-stack= option may be used to apply named rules section with
convenience.

Let's put everything together. Dirty hack:
----------------------------------------------------------------------
$ printf 'user1234\x01$0$H\x01\x01\x01\x02asdf:qwer\x02\n' > t.pw

$ cat t.conf
.include <john.conf>
[Local:Options]
SingleSkipLogin = Y
SingleRetestGuessed = N
PristineGecos = Y
SingleWordsPairMax = 0

$ ./JohnTheRipper/run/john t.pw --verbosity=6 --config=t.conf \
    --field-separator-char='\x01'   \
    --single=':=0\x02 =m\x02 Dm D0'
[...]
set_key(asdf:qwer, 0)
[...]
----------------------------------------------------------------------

(As a slight optimization of rules, I would replace Dm with \x27m.)

Thanks!

--
Regards,
Aleksey Cherepanov

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.