Nmap Development mailing list archives
Re: Replacing passwords.lst
From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Mar 2010 21:13:09 -0700
On Sat, Mar 06, 2010 at 12:15:02AM -0800, Fyodor wrote:
On Sat, Mar 06, 2010 at 12:09:14AM +0000, Brandon Enright wrote:Attached are the results an an image, also available here: http://noh.ucsd.edu/~bmenrigh/list_quality.pngNice! I really do think having good username and password files is super important and I'm glad to see so many good ideas!I'm pretty sure we can make a hybrid dictionary that weights the lists. That is, weight RockYou at say 70%, and John and PHPBB at 15% and then take the top 70% (of 200) passwords from RockYou and then the top 15% (of 200) from PHPBB and John that aren't already in the top 70% RockYou.I agree, though I tend to think we shouldn't weigh the results by anothing other than raw password frequency. I think we should just combine the RockYou, PHPBB, Myspace, and all other reasonable password DBs we can find into one master frequency sorted list. Then we can truncate that to the appropriate size for Nmap NSE and Ncrack. Admittedly we have some lists such as John which don't have frequency data associated with them, but I think we should just exclude those for now. SD told me he would try to get me a version with frequency counts--I should ping him on that again. With good data, I think going well above 200 passwords is reasonable. Some scripts/libraries might not want to go through that many by default, but they can always set their own limits (in terms of number of guesses or total brute force time spent), and having larger files allows users to specify larger limits when desired. So my suggestion is to create a new directory /nmap-private-dev/data/passwords. Maybe have a subdir of that for the original lists. But in the directory itself you can store the frequency sorted version of each password list. Then we can combine all of them into one frequency counted and sorted /nmap-private-dev/passwords.lst.master like we have now. I think the one we have now may only have myspace passwords in it (according to the comments up top). Then that passwords.lst.master file can be used to create /nmap/nselib/data/passwords.lst and ~/ncrack/lists/default.pwd. The default.pwd will probably be much larger than passwords.lst. Setting it up this way will allow us to add new password files from time to time as we find them.
I made this directory and copied the old MySpace passwords into it. I didn't realize that Ron's databases were so huge--RockYou is like 100 MB. I copied the first 10,000 lines of phpBB and RockYou into the directory as well. Are there any others that are recommended as general-purpose lists? David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: Replacing passwords.lst, (continued)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Kris Katterjohn (Mar 05)
- Re: Replacing passwords.lst Ron (Mar 05)
- Re: Replacing passwords.lst Brandon Enright (Mar 05)
- Re: Replacing passwords.lst Fyodor (Mar 06)
- Re: Replacing passwords.lst Ron (Mar 06)
- Re: Replacing passwords.lst David Fifield (Mar 06)
- Re: Replacing passwords.lst Martin Holst Swende (Mar 06)
- Re: Replacing passwords.lst David Fifield (Mar 12)
- Re: Replacing passwords.lst Fyodor (Mar 12)
- Re: Replacing passwords.lst David Fifield (Mar 16)
- Re: Replacing passwords.lst Brandon Enright (Mar 16)
- Re: Replacing passwords.lst David Fifield (Mar 16)
- Re: Replacing passwords.lst Brandon Enright (Mar 16)
- Re: Replacing passwords.lst Fyodor (Mar 16)
- Re: Replacing passwords.lst Ron (Mar 17)
- RE: [BULK] Re: Replacing passwords.lst Norris Carden (Mar 17)
- Re: [BULK] Re: Replacing passwords.lst Ron (Mar 17)
- Re: Replacing passwords.lst Ron (Mar 16)