Message-ID: <20250422030915.GA6919@openwall.com>
Date: Tue, 22 Apr 2025 05:09:15 +0200
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: stacking 3 rules with john ?

On Mon, Apr 21, 2025 at 03:06:25PM -0700, jeff wrote:
> On 4/21/2025 8:34 AM, Solar Designer wrote:
> >We have no built-in support for stacking more than 2 rulesets.  You
> >could achieve this by running two instances of "john" and having one of
> >them feed the other via a pipe, but in this case I do not recommend it.
> >
> >I think you'll have better results by staying with at most 2 stacked
> >rulesets, but also trying different/larger ones with smaller wordlists.

> I am using the standard rulesets. If there are enhanced or bigger 
> rulesets, I would appreciate a pointer to them.

There are many different rulesets included in bleeding-jumbo.  You can
run "john --list=rules" to obtain a list of the predefined rulesets.
Most of those are included as part of some others, so you shouldn't run
each ruleset separately - instead, take a look inside john.conf to see
what's included in what, and choose the desired higher-level rulesets.

For use without stacking, there's "--rules=All", which includes most of
what we have (not literally all as some rulesets are too specialized and
assume different kinds of input).

For use with stacking, what you're running now is almost the best you
can do, but now that you've mostly exhausted it, you can try something
else.  For example:

--rules=OneRuleToRuleThemStill --rules-stack=best-by-score

and vice versa:

--rules=by-rate --rules-stack=OneRuleToRuleThemStill

and also:

--rules=oi --rules-stack=best-by-score

and:

--rules=by-rate --rules-stack=oi

These will show ridiculous ETA (or none), which is fine - you shouldn't
plan to run them to completion, except maybe on small wordlists.

So it's especially important to choose the outer ruleset such that it's
ordered from more to less effective rules.

BTW, when using both "--rules" and "--rules-stack" at once, I recommend
that you don't completely disable the dupe suppressor even for fast
hashes, because it's applied between the main and the stacked rules,
where the rate of let's call them "intermediate candidates" isn't that
high, so performance impact of the dupe suppressor is negligible.  So I
wouldn't use "--dupe=0" in such runs.  Give it at least "--dupe=1" or
more (or omit the option).  However, when you use only one ruleset and
you run on fast hashes like NTLM, then you do need "--dupe=0" for speed
(or omit the option, in which case the dupe suppressor gets enabled
temporarily, realizes that it hurts the speed, and auto-disables itself,
but this consumes memory at first).

Regarding stacking 3 rulesets, you can do this with a smaller wordlist
such as our default password.lst, like this:

./john -w=password.lst --rules=best-by-rate --stdout --dupe=100000 > preruled.lst

or better (complete rather than opportunistic dupe suppression):

./john -w=password.lst --rules=best-by-rate --stdout | ./unique -buf=100 preruled.lst

where "--dupe=100000" or "-buf=100" will use 100 GB RAM (adjust to a
lower value if you have less free RAM than that, but then it may take
much longer).  This will produce a file of around 50 GB in size.  Then
you can use it as a wordlist along with two more rulesets.

Alexander
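
The difference between "opportunistic" and "complete" dupe suppression mentioned in the message above, as an added example that is not part of the original message and is not John the Ripper's code. It is a simplified model: the toy rules, the sample wordlist, the CRC32 slot table and all function names are assumptions made for illustration.

```python
import zlib

# Constructed sample wordlist and toy rules; not taken from john.conf.
WORDS = ["password", "Password", "admin1"]

def toy_rules(word):
    """Stand-in for a ruleset: different rules often produce the same output."""
    yield word
    yield word.lower()
    yield word.capitalize()
    yield word + "1"
    yield word.rstrip("1") + "1"

def candidates(words):
    for w in words:
        yield from toy_rules(w)

def opportunistic_unique(stream, slots):
    """Fixed-memory filter: each slot remembers only the last candidate
    hashed into it, so an older candidate can be forgotten and re-emitted."""
    table = [None] * slots
    for cand in stream:
        i = zlib.crc32(cand.encode()) % slots
        if table[i] == cand:
            continue              # still remembered: suppressed
        table[i] = cand           # overwrite, possibly evicting another word
        yield cand

def complete_unique(stream):
    """Remembers every candidate seen; memory grows with the unique count."""
    seen = set()
    for cand in stream:
        if cand not in seen:
            seen.add(cand)
            yield cand

def compare(words, slots):
    """Return (raw, opportunistic, complete) candidate counts."""
    raw = list(candidates(words))
    opp = list(opportunistic_unique(raw, slots))
    full = list(complete_unique(raw))
    assert set(opp) == set(full)  # neither filter ever loses a candidate
    return len(raw), len(opp), len(full)

if __name__ == "__main__":
    for slots in (1, 4, 1 << 16):
        print(slots, compare(WORDS, slots))
```

With a single slot the bounded filter only catches back-to-back repeats, so some duplicates pass through; the complete filter never emits one twice, at the cost of memory proportional to the number of unique candidates.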
