Penetration Testing mailing list archives
John the ripper rules!
From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Mon, 1 Nov 2010 14:41:56 +0300
I need help with the john.conf file to specify my own rule for password cracking. I have a list with sha1 hashes belonging to the same set of machines, the Admin is using a very predictable syntax for all his passwords "all of them are macs, few of them have LM hashes along with the sha1, those were where I got this prediction": the password standard is as follows: ahm 999 abc ## Example#1: ahm 458 cba &* Example#2: ahm 836 xyzt $$& Example#3: ahm 7456 cgr !# Example#4: ahm 4458 cba &* ahm : these are the initials of the admin's name "they are constant and are always the first three letters" 999 : then three or more digits abc : then three or more letters ## : then two or more special charachters. spaces are added for clarification only and are not part of the password itself The question: I went through john's documentation and realized there's support for what I want, I just want the "correct" way to do it ./john --wordlist=ahm.lst --rules=TEST ~/HASHFILE @john.conf ... [List.Rules:TEST] $[0-9]$[0-9]$[0-9]$[a-zA-Z] $[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z] $[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]$[a-zA-Z] $[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]$[a-zA-Z]$[`~!@#$%^&*()\-_=+] ... The "$" will APPEND [0-9] and [a-z]...etc. to the passwords in the ahm.lst wordlist file, which in this case contains only one line 'ahm'. I know that's not smart and that's not the proper way to do it, it works to something like 5 characters only, after that the john.log becomes more than 2 GB and stops spitting out "write: File too large". Please help me with the proper rule format, or how to stop john from writing the approved rules to john.log. Note: I wrote a simple C program that does this and writes out the wordlist to stdout, but I would really appreciate pointing me to the way on how to do it in john, I've read the docs and got lost. Thanks in advance Sherif Eldeeb. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- John the ripper rules! Sherif El-Deeb (Nov 01)
- Re: John the ripper rules! Anders Thulin (Nov 04)
- Re: John the ripper rules! Sherif El-Deeb (Nov 04)
- Re: John the ripper rules! Anders Thulin (Nov 04)