Penetration Testing mailing list archives

Re: John the ripper rules!


From: Anders Thulin <anders.thulin () sentor se>
Date: Wed, 03 Nov 2010 10:02:00 +0100

On 2010-11-01 12:41, Sherif El-Deeb wrote:

> I went through john's documentation and realized there's support for
> what I want, I just want the "correct" way to do it

  Don't know about the log file problem -- but I don't think the best
way of doing what you want to do is by using john rules.

  The rules are for relatively minor modifications to a long list of
passwords. You use the rules to generate entirely new passwords, and
on a scale that causes john's log files to overflow.  That in itself
should be an indication that you're not doing things the right way.


  I think that the correct way to do what you are after is to
generate the passwords separately, and then feed the generated file as
wordlist to john (or pipe them in directly, if you want to avoid large files)

  When I attack this kind of situation I create small C programs that
read one password from stdin, and then output all variations to stdout.
I would probably use:

  a) a program that reads a password from stdin, appends three digits and outputs the result to stdout

  b) a program that appends the three letters

  c) a program that appends the special characters

Then "% echo 'ahm' | add999 | addAAA | add# > wordlist1", and feed that list to john as usual.
You can also pipe it directly into john if you like, using --stdin instead of --wordlist=file. This
avoids large password files.

Then, I'd probably create versions that added four digits, characters and two special characters
and combine these in all reasonable ways.  And so on for longer combinations.

  I think there may be generating programs where you just feed a pattern to them, and they
produce the full list -- I have no experience with those, though, so I don't have anything
to recommend, but perhaps others can.


  If you have a few dozen passwords cracked already, you could also try creating
a new character file (.chr) from those passwords, and let that drive an incremental crack
attack, of course limiting password lengths to whatever seemed reasonable, adding something
like this to the conf file:

[Incremental:ahm]
File = $JOHN/ahm.chr
MinLen = 7
MaxLen = 10 (or 11 or 12 ...)
CharCount = 95 (or whatever seems reasonable...)

That avoids creating huge files, but is still easy to stop and restart.

It is often useful to run multiple processes with different settings of MinLen and MaxLen.



-- 
Anders Thulin      anders.thulin () sentor se      070-757 36 10 / Intl. +46 70 757 36 10
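
The stdin-to-stdout filter approach Anders describes, written out as an added example (this is not his code, nor part of John the Ripper): `append_digits` is the "add999" stage, reading base words on stdin and emitting one candidate per line so it can be piped into further filters or into `john --stdin` when auditing a password set. `pipeline_candidates` counts how many candidates the chained digits / letters / special-character pipeline yields per base word, which makes concrete why pushing the same expansion through john's rules overflows its log. The function names, the digit limit of 9, and the assumption of 26 lowercase letters and 32 printable special characters are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Write every candidate formed by appending `ndigits` decimal digits to
 * `base` (e.g. "ahm" -> "ahm000" ... "ahm999") to `out`, one per line.
 * Returns the number of candidates written (0 on an unsupported ndigits). */
size_t append_digits(const char *base, int ndigits, FILE *out) {
    if (ndigits < 1 || ndigits > 9)  /* assumed limit: keeps 10^n in range */
        return 0;
    unsigned long limit = 1;
    for (int i = 0; i < ndigits; i++)
        limit *= 10;
    for (unsigned long n = 0; n < limit; n++)
        fprintf(out, "%s%0*lu\n", base, ndigits, n);  /* zero-padded suffix */
    return (size_t)limit;
}

/* Candidates produced per base word when the stages are chained as
 * "add digits | add letters | add special characters". The 26-letter and
 * 32-special-character alphabet sizes are assumptions for this example. */
uint64_t pipeline_candidates(int ndigits, int nletters, int nspecials) {
    uint64_t total = 1;
    for (int i = 0; i < ndigits; i++)
        total *= 10;
    for (int i = 0; i < nletters; i++)
        total *= 26;
    for (int i = 0; i < nspecials; i++)
        total *= 32;
    return total;
}

/* Filter usage: `echo 'ahm' | ./add999 3 | ...`; reads base words from
 * stdin, one per line, and expands each with the requested digit count. */
int main(int argc, char **argv) {
    int ndigits = argc > 1 ? atoi(argv[1]) : 3;
    char line[256];
    while (fgets(line, sizeof line, stdin)) {
        line[strcspn(line, "\r\n")] = '\0';  /* strip the newline */
        if (line[0] == '\0')
            continue;
        append_digits(line, ndigits, stdout);
    }
    return 0;
}
```

For the pattern in the post (three digits, three letters, one special character) the count per base word is 562,432,000 candidates, which is the scale at which a wordlist or a piped stream is the sensible carrier and per-candidate logging is not.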
