Penetration Testing mailing list archives

John the ripper rules!


From: Sherif El-Deeb <archeldeeb () gmail com>
Date: Mon, 1 Nov 2010 14:41:56 +0300

I need help with the john.conf file to specify my own rule for
password cracking.

I have a list with sha1 hashes belonging to the same set of machines,
the Admin is using a very predictable syntax for all his passwords
"all of them are macs, few of them have LM hashes along with the sha1,
those were where I got this prediction":

the password standard is as follows:  ahm 999 abc ##

Example#1: ahm 458 cba &*
Example#2: ahm 836 xyzt $$&
Example#3: ahm 7456 cgr !#
Example#4: ahm 4458 cba &*

ahm : these are the initials of the admin's name "they are constant
and are always the first three letters"
999 : then three or more digits
abc : then three or more letters
## : then two or more special characters.

spaces are added for clarification only and are not part of the password itself

The question:
I went through john's documentation and realized there's support for
what I want, I just want the "correct" way to do it

./john  --wordlist=ahm.lst --rules=TEST  ~/HASHFILE

@john.conf
...
[List.Rules:TEST]
$[0-9]$[0-9]$[0-9]$[a-zA-Z]
$[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]
$[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]$[a-zA-Z]
$[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]$[a-zA-Z]$[`~!@#$%^&*()\-_=+]
...

The "$" will APPEND [0-9] and [a-z]...etc. to the passwords in the
ahm.lst wordlist file, which in this case contains only one line
'ahm'.

I know that's not smart and that's not the proper way to do it, it
works to something like 5 characters only, after that the john.log
becomes more than 2 GB and stops spitting out "write: File too large".


Please help me with the proper rule format, or how to stop john from
writing the approved rules to john.log.

Note: I wrote a simple C program that does this and writes out the
wordlist to stdout, but I would really appreciate pointing me to the
way on how to do it in john, I've read the docs and got lost.

Thanks in advance
Sherif Eldeeb.
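
Added example (not part of the original post, and not John the Ripper's own code): a count of how many individual rules each line of the [List.Rules:TEST] section above becomes once the rule preprocessor expands its [...] classes, which is the volume the post describes being written to john.log. It assumes only plain character lists, lo-hi ranges and backslash escapes inside the brackets; the function names are hypothetical.

```python
from math import prod

# The four rule lines from the [List.Rules:TEST] section quoted in the post.
TEST_RULES = [
    r"$[0-9]$[0-9]$[0-9]$[a-zA-Z]",
    r"$[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]",
    r"$[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]$[a-zA-Z]",
    r"$[0-9]$[0-9]$[0-9]$[a-zA-Z]$[a-zA-Z]$[a-zA-Z]$[`~!@#$%^&*()\-_=+]",
]

def class_members(body):
    """Characters named by one [...] body: literals, lo-hi ranges, backslash escapes."""
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):        # escaped literal such as \-
            out.append(body[i + 1])
            i += 2
        elif i + 2 < len(body) and body[i + 1] == "-":   # range such as 0-9
            lo, hi = sorted((ord(body[i]), ord(body[i + 2])))
            out.extend(chr(c) for c in range(lo, hi + 1))
            i += 3
        else:
            out.append(body[i])
            i += 1
    return list(dict.fromkeys(out))                      # drop duplicates, keep order

def class_sizes(line):
    """Size of every unescaped [...] class in a rule line, left to right."""
    sizes, i = [], 0
    while i < len(line):
        if line[i] == "\\":                              # escaped char outside a class
            i += 2
        elif line[i] == "[":
            j = i + 1
            while j < len(line) and line[j] != "]":
                j += 2 if line[j] == "\\" else 1
            if j >= len(line):
                raise ValueError("unterminated [ in rule: " + line)
            sizes.append(len(class_members(line[i + 1:j])))
            i = j + 1
        else:
            i += 1
    return sizes

def expanded_rule_count(line):
    """Number of individual rules one source line becomes after expansion."""
    return prod(class_sizes(line))

if __name__ == "__main__":
    for rule in TEST_RULES:
        print(f"{expanded_rule_count(rule):>13,}  {rule}")
    print(f"{sum(map(expanded_rule_count, TEST_RULES)):>13,}  total")
```

For the four lines in the post this gives 52,000, 2,704,000, 140,608,000 and 2,249,728,000 rules, about 2.39 billion in total.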
