Nmap Development mailing list archives

Re: Replacing passwords.lst

From: Ron <ron () skullsecurity net>
Date: Fri, 5 Mar 2010 14:52:20 -0600

On Fri, 5 Mar 2010 11:46:07 -0700 David Fifield <david () bamsoftware com>
wrote:

And what does the Cracked_phpbb column look like with the top 10, 100,
and 200 passwords from current passwords.lst?


So, this morning I was using Excel and doing a lot of old tricks I learned in the before times. It looks like the 
results weren't 100% accurate -- I'm using some Linux tools now and I'm getting different (better!) results. I'll post 
the command that generated all these after:

+++against phpbb+++
Top PWs         Nmap    Rockyou    John  Cain&Able
  10               8          9      10         3
 100              90         99      98        58
 200             155        197     197        66
 500                        479     487        69
1000                        935     934        81
2000                       1763    1711       102

+++against myspace+++
Top PWs         Nmap    Rockyou    John  Cain&Able
  10               8          7       8          0
 100              98         67      53         20
 200             197        116      95         20
 500                        220     182         20
1000                        378     286         24
2000                        643     420         24

+++against leaked Hotmail passwords+++
Top PWs         Nmap    Rockyou    John  Cain&Able
  10               2          8       6          1
 100               8         49      29         21
 200              10         87      45         21
 500              10        187      86         21
1000              10        283     135         23
2000              10        412     194         24

That's actually really surprising -- Nmap's list kicked ass against Myspace, followed by Rockyou, John, and Cain&Able. 
phpbb was a much closer run -- pretty much a tie between Rockyou and John, followed by Nmap then Cain&Able. On the 
Hotmail passwords, which are more difficult because Hotmail actually has password policies, the Rockyou.com passwords 
were the clear winners. 

Here is the command I was using:
-
for j in 10 100 200 500 1000 2000; do echo -ne "$j: "; for i in `cat $LIST | head -n$j` ; do grep -Fx "$i" $TESTFILE; 
done | wc -l; done
-


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

Replacing passwords.lst Ron (Mar 04)
- Re: Replacing passwords.lst Brandon Enright (Mar 04)
  - Re: Replacing passwords.lst Ron (Mar 05)
    - Re: Replacing passwords.lst David Fifield (Mar 05)
    - Re: Replacing passwords.lst Brandon Enright (Mar 05)
    - Re: Replacing passwords.lst Brandon Enright (Mar 05)
    - Re: Replacing passwords.lst Ron (Mar 05)
    - Re: Replacing passwords.lst Kris Katterjohn (Mar 05)
    - Re: Replacing passwords.lst Ron (Mar 05)
    - Re: Replacing passwords.lst Brandon Enright (Mar 05)
    - Re: Replacing passwords.lst Fyodor (Mar 06)
    - Re: Replacing passwords.lst Ron (Mar 06)
    - Re: Replacing passwords.lst David Fifield (Mar 06)
    - Re: Replacing passwords.lst Martin Holst Swende (Mar 06)
    - Re: Replacing passwords.lst David Fifield (Mar 12)
    - Re: Replacing passwords.lst Fyodor (Mar 12)
    - Re: Replacing passwords.lst David Fifield (Mar 16)

(Thread continues...)