Re: Replacing passwords.lst

[David Fifield <david () bamsoftware com>]

On Sat, Mar 06, 2010 at 12:15:02AM -0800, Fyodor wrote:
> On Sat, Mar 06, 2010 at 12:09:14AM +0000, Brandon Enright wrote:
> > Attached are the results an an image, also available here:
> > http://noh.ucsd.edu/~bmenrigh/list_quality.png
>
> Nice!  I really do think having good username and password files is
> super important and I'm glad to see so many good ideas!
>
> > I'm pretty sure we can make a hybrid dictionary that weights the
> > lists.  That is, weight RockYou at say 70%, and John and PHPBB at 15%
> > and then take the top 70% (of 200) passwords from RockYou and then the
> > top 15% (of 200) from PHPBB and John that aren't already in the top 70%
> > RockYou.
>
> I agree, though I tend to think we shouldn't weigh the results by
> anothing other than raw password frequency.  I think we should just
> combine the RockYou, PHPBB, Myspace, and all other reasonable password
> DBs we can find into one master frequency sorted list.  Then we can
> truncate that to the appropriate size for Nmap NSE and Ncrack.
> Admittedly we have some lists such as John which don't have frequency
> data associated with them, but I think we should just exclude those
> for now.  SD told me he would try to get me a version with frequency
> counts--I should ping him on that again.  With good data, I think
> going well above 200 passwords is reasonable.  Some scripts/libraries
> might not want to go through that many by default, but they can always
> set their own limits (in terms of number of guesses or total brute
> force time spent), and having larger files allows users to specify
> larger limits when desired.
>
> So my suggestion is to create a new directory
> /nmap-private-dev/data/passwords.  Maybe have a subdir of that for the
> original lists.  But in the directory itself you can store the
> frequency sorted version of each password list.  Then we can combine
> all of them into one frequency counted and sorted
> /nmap-private-dev/passwords.lst.master like we have now.  I think the
> one we have now may only have myspace passwords in it (according to
> the comments up top).  Then that passwords.lst.master file can be used
> to create /nmap/nselib/data/passwords.lst and
> ~/ncrack/lists/default.pwd.  The default.pwd will probably be much
> larger than passwords.lst.  Setting it up this way will allow us to
> add new password files from time to time as we find them.

I made this directory and copied the old MySpace passwords into it. I
didn't realize that Ron's databases were so huge--RockYou is like 100
MB. I copied the first 10,000 lines of phpBB and RockYou into the
directory as well. Are there any others that are recommended as
general-purpose lists?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/