Message-ID: <20191210185753.GA21093@openwall.com>
Date: Tue, 10 Dec 2019 19:57:53 +0100
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Finding Password to Spareseimage

On Tue, Dec 10, 2019 at 08:22:03PM +0200, Greg Burne wrote:
> The exact special characters used are known, and the exact uppercase and lowercase letters used are known including their position in the password, it is just the length that would really vary, and based on the length would determine the number of special characters used, but the actual password portion I would be able to hit bang on.

Well, based on this description you can try something like this:

./john --mask='knownUl[.!?]' --max-length=16 file.txt

which would try these candidates:

knownUl.
knownUl!
knownUl?
knownUl..
knownUl!.
knownUl?.
knownUl.!
knownUl!!
knownUl?!
knownUl.?

and so on.  You can use the square braces in multiple places in the
mask, but only the last portion of the mask may have its length
stretched automatically.  You can also use placeholders, like this:

./john -2='SOMEUPPERS' -3='somelowers' -4='.!??' --mask='known?4?2?2?3?3?4' --max-length=16 file.txt

which produces:

known.SSss.
known!SSss.
known?SSss.
known.OSss.
known!OSss.
known?OSss.
known.MSss.
known!MSss.
known?MSss.
known.ESss.

... and will take ages before moving to the next length.

> From a specifics point of view, should I share the details of the password and structure? I would have to stop using them then.
> First prize would be if I could keep the passwords secret.

You can try to work from the examples above.

If this doesn't help, then yes you could share the details and if your
other passwords are too similar then stop using this pattern.

You can also use Openwall's password recovery service (recently added to
the Services web page on our website) if your budget permits.  Then
you'd only need to share the details privately, and we'd work from your
dmg2john output file on our hardware (a Linux box with multiple GPUs).

Alexander
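
The two candidate lists in the message above can be reproduced with a small model of the mask expansion, which also gives the number of candidates at each length. This is an added example, not part of the original message and not John the Ripper's code; the function names are hypothetical. It assumes what those lists show (the leftmost varying position changes fastest, and enumeration starts at the mask's written length) and that a character repeated in a set counts once.

```python
from itertools import islice, product
from math import prod

def parse_mask(mask, custom):
    """Turn a mask into one character list per position.

    Covers only the syntax used in the two commands above: literals,
    [abc] sets, ?1..?9 custom sets, and ?? for a literal question mark.
    """
    def uniq(chars):
        # Assumption: a character repeated in a set is tried only once.
        return list(dict.fromkeys(chars))
    out, i = [], 0
    while i < len(mask):
        if mask[i] == "[":
            end = mask.index("]", i)
            out.append(uniq(mask[i + 1:end]))
            i = end + 1
        elif mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            out.append(["?"] if nxt == "?" else uniq(custom[nxt].replace("??", "?")))
            i += 2
        else:
            out.append([mask[i]])
            i += 1
    return out

def stretched(mask, max_len, custom=None):
    """Yield (length, positions), repeating the last position up to max_len."""
    pos = parse_mask(mask, custom or {})
    for length in range(len(pos), max_len + 1):
        yield length, pos + [pos[-1]] * (length - len(pos))

def candidates(mask, max_len, custom=None):
    """Yield candidates with the leftmost varying position changing fastest."""
    for _, pos in stretched(mask, max_len, custom):
        for combo in product(*reversed(pos)):
            yield "".join(reversed(combo))

def keyspace(mask, max_len, custom=None):
    """Number of candidates at each length."""
    return {n: prod(len(p) for p in pos) for n, pos in stretched(mask, max_len, custom)}

if __name__ == "__main__":
    sets = {"2": "SOMEUPPERS", "3": "somelowers", "4": ".!??"}  # from the command above
    print(list(islice(candidates("known?4?2?2?3?3?4", 16, sets), 10)))
    print(keyspace("known?4?2?2?3?3?4", 16, sets))
    print(keyspace("knownUl[.!?]", 16))
```

With the sample sets from the second command, the length-11 pass has 21609 candidates and each added character multiplies that by three; real character sets will give different counts.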
