Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGSLPCapWcC+Zq6+gFX_C2P4gT3UDeSuqu632Y4S7=VFM5ZE-A@mail.gmail.com>
Date: Thu, 27 Mar 2025 14:53:08 +0530
From: Pentester LAB <pentesterlab3@...il.com>
To: john-users@...ts.openwall.com
Subject: Re: Issue Applying Rules to Tokenized in John the Ripper

Thank you for your detailed response and for clarifying the correct
approach to applying rules to a tokenized wordlist in JtR. Your explanation
helped me understand how the tokenizer is intended to be used and why my
previous attempt was incorrect.

I appreciate the step-by-step breakdown and the examples you provided. I'll
go through them carefully and experiment with the tokenizer along with the
suggested approaches.

If I have any clarifications in the future or further doubts, I will reach
out and ask.

Thanks again for your guidance and for taking the time to explain this in
detail!


On Thu, Mar 27, 2025 at 8:38 AM Solar Designer <solar@...nwall.com> wrote:

> A correction inline, and addition below:
>
> On Thu, Mar 27, 2025 at 03:30:48AM +0100, Solar Designer wrote:
> > Trying to repair your weird attempts above using unmodified tokenize.pl:
> >
> > $ cat test.txt
> > abc
> > @
> > 123
> > $ perl tokenize.pl test.txt > john-local.conf
> > $ sed '/[^ -~]/d; s/123/\x1/g; s/abc/\x2/g; s/ab/\x3/g; s/23/\x4/g;
> s/bc/\x5/g; s/12/\x6/g' test.txt > test-tokenized.txt
> > $ ./john --wordlist=test-tokenized.txt --external=Untokenize --stdout
> > Using default input encoding: UTF-8
> > abc
> > @
> > 123
> > 3p 0:00:00:00 100.00% (2025-03-27 03:01) 60.00p/s 123
> > $ ./john --wordlist=test-tokenized.txt --rules=Best64
> --external=Untokenize --stdout | head
> > Using default input encoding: UTF-8
> > Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for
> status
> > Enabling duplicate candidate password suppressor using 256 MiB
> > 124p 0:00:00:00 100.00% (2025-03-27 03:01) 1033p/s 123123123123123123
> > abc
> > @
> > 123
> > abc0
> > @0
> > 1230
> > abc1
> > @1
> > 1231
> > abc2
> > $ wc test.txt test-tokenized.txt
> >  3  3 10 test.txt
> >  3  1  6 test-tokenized.txt
> >
> > Where I took the "sed" command from the generated john-local.conf, but
> > removed the final part where it had "; s/^/:/" as that part was there
> > for producing fake pot files (for incremental mode training) rather than
> > wordlists.
> >
> > As you can see, --external=Untokenize was able to correctly restore the
> > wordlist from its tokenized or compressed form (original test.txt was 10
> > bytes, but tokenized test-tokenized.txt only 6 bytes).  And the rules
> > are applied if you request them.
> >
> > Moreover, you can see that they're applied differently and their effect
> > is different than if you used the same rules on the original wordlist:
> >
> > $ ./john --wordlist=test.txt --rules=Best64 --external=Untokenize
> --stdout | head
> > Using default input encoding: UTF-8
> > Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for
> status
> > Enabling duplicate candidate password suppressor using 256 MiB
> > 152p 0:00:00:00 100.00% (2025-03-27 03:07) 1013p/s 123121
> > abc
> > @
> > 123
> > cba
> > 321
> > ABC
> > Abc
> > abc0
> > @0
> > 1230
>
> Oops, I forgot to remove --external=Untokenize from the above command
> line.  Luckily, it didn't affect anything this time because test.txt has
> no token codes in it.  But the correct command here would be simply:
>
> $ ./john --wordlist=test.txt --rules=Best64 --stdout | head
> Using default input encoding: UTF-8
> Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
> Enabling duplicate candidate password suppressor using 256 MiB
> 152p 0:00:00:00 100.00% (2025-03-27 03:46) 1688p/s 123121
> abc
> @
> 123
> cba
> 321
> ABC
> Abc
> abc0
> @0
> 1230
>
> > The generated password candidates are different and their number is also
> > different (152 original vs. 124 when rules are applied to tokenized
> > wordlist prior to --external=Untokenize).  That's the point of my idea
> > number 13, so thank you for making me try it out.
>
> To more fully test my idea, we need to see whether and how many
> different candidate passwords the rules+Untokenize run adds on top of a
> simple rules run.
>
> In the above tests, the simple run produces 152 unique candidates.
> They're unique due to our dupe suppressor, as otherwise Best64 would
> tend to produce lots of dupes.  The rules+Untokenize run produces 124,
> but the output from this run has 125 lines out of which 123 are unique.
> There are 3 instances of the empty line.  I'm actually puzzled by that
> (we could want to investigate it in case it's a bug).
>
> Anyway, combining those 152 and 123, I get 165 unique.  So, yes, this
> weird trick does add 13 unique candidate passwords.  They are:
>
> TAB
> 123123123
> 123123123123
> 123123123123123
> 123123123123123123
> 123123123123123123123123
> 23
> abcabcabc
> abcabcabcabc
> abcabcabcabcabc
> abcabcabcabcabcabc
> abcabcabcabcabcabcabcabc
> bc
>
> where TAB is the control character (which puzzles me a bit).
>
> Alexander
>

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.