SL | 6 May 2009 17:28

generating john.conf rules from password lists

Hello List,

first of all I wish to thank you all for your contributions, I have  
been a leech for the past two years or so and now finally decided to  
participate myself.

I will start with a question that I have been pondering for quite a
while now with no practical result:
Are there any serious approaches to generate john.conf wordlist rules
based on existing password lists (or a fairly large john.pot, for
example)?

Say, if I do a simple quick analysis on my john.pot (with currently  
13,434 entries):

sed "s/^[^:]*://;s/[A-Z]/U/g;s/[a-z]/l/g;s/[0-9]/0/g;s/[[:punct:]]/./g;s/Ul\{5,\}/Word/g;s/ll\{5,\}/word/g" john.pot | sort -n | uniq

I'll get 1,282 "patterns" to consider for adopted mangling rules.

I use the following replacement scheme: U for uppercase letters, l for
lowercase letters, 0 for digits, . for punctuation, and "word" resp.
"Word" for sequences of 6 or more letters that potentially form a
dictionary word.

Is my approach well understood? (And reasonable at all?)

Now -- how can I transform this into reasonably crafted mangling  
rules? Minga? Anyone?


Minga Minga | 6 May 2009 18:05

Re: generating john.conf rules from password lists

On Wed, May 6, 2009 at 10:28 AM, SL <auditor@...> wrote:
> Are there any serious approaches to generate john.conf wordlist rules based
> on existing password lists (or a fairly large john.pot, for example)?

Using a single pwdump output file, I made a shell script to automatically
make rules based on previously cracked passwords. It's not pretty,
but it works.

This script, for example, does a --show on a pwdump file, then finds
the 100 most popular FIRST three characters, then creates a john.conf
rule to prepend all the wordlist entries with those three characters. This
isn't the prettiest solution, but it worked for me. I don't know that I would
do this for a whole john.pot file, though, because different places
use different patterns.

# more convert-3char-list-to-johnconf.sh
# the 100 most common 3-character prefixes among the cracked passwords
john -show -format:nt "$1" | cut -d: -f 2 | perl -pe 's/^(...).*/$1/' |
sort | uniq -c | sort -rn | awk '{print $2}' | head -n 100 > a.txt
# emit a rule section: each rule inserts the three characters at positions 0, 1 and 2
echo "[List.Rules:KoreLogicRulesPrependList]"
cat a.txt | sed -e 's/^./i[0][&]/' | sed -e 's/..$/i[1][&]/' | sed -e 's/.\]$/\]i\[2\]\[&/'

-----------------
Here is a shell script that finds all 9 character passwords from a
pwdump output file - then makes a list of the 100 most popular
3-character ending strings.

# more convert-3char-list-to-johnconf-most-popular-ending-strings.sh
john -show --format:nt "$1" | cut -d: -f 2 | egrep '^.........$' | cut -b 7-10 |
sort | uniq -c | sort -nr | awk '{print $2}' | head -n 300 | tail
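The two analyses in this thread, SL's pattern masks and Minga's most-common-prefix rules, as one added Python example (not code from either poster); the `john --show` lines are constructed, and the backslash escaping of `[`, `]`, `\` and `-` inside the rule lists is an addition for prefixes that contain those characters.

```python
import re
from collections import Counter

# Constructed `john --show` output (user:password lines plus the summary line); not a real crack.
SHOW_OUTPUT = """\
alice:Summer2009
bob:Sum2009!!
carol:Summerset
dave:Win2009
erin:Sum1234
frank:Go
6 password hashes cracked, 0 left
"""

def cracked_passwords(show_output):
    """Second field of each line, like `cut -d: -f 2`, skipping the colon-less summary line."""
    return [line.split(":")[1] for line in show_output.splitlines() if ":" in line]

def mask(password):
    """SL's scheme: U upper, l lower, 0 digit, . anything else; runs of 6+ letters become Word/word."""
    m = re.sub(r"[A-Z]", "U", password)
    m = re.sub(r"[a-z]", "l", m)
    m = re.sub(r"[0-9]", "0", m)
    m = re.sub(r"[^Ul0]", ".", m)       # sed's [[:punct:]] step, widened to any remaining char
    m = re.sub(r"Ul{5,}", "Word", m)    # capitalised run of 6+ letters
    return re.sub(r"l{6,}", "word", m)  # all-lowercase run of 6+ letters

def mask_counts(passwords):
    """Pattern frequencies, the `sort | uniq` step with counts attached."""
    return Counter(mask(p) for p in passwords)

def _pp_char(ch):
    """Backslash-escape characters John's rule preprocessor treats specially inside [...]."""
    return "\\" + ch if ch in "[]\\-" else ch

def prepend_rules(passwords, n=3, top=100, section="KoreLogicRulesPrependList"):
    """Minga's method: one rule per most-common n-character prefix, inserting each character
    at positions 0..n-1 so the prefix lands in front of every wordlist entry."""
    assert n <= 10, "positions past 9 need John's A-Z position letters"
    counts = Counter(p[:n] for p in passwords if len(p) >= n)
    lines = [f"[List.Rules:{section}]"]
    for prefix, _ in counts.most_common(top):
        lines.append("".join(f"i[{i}][{_pp_char(c)}]" for i, c in enumerate(prefix)))
    return lines
```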

Solar Designer | 12 May 2009 03:21

Re: Problem with [List.Rules:NT]

On Thu, Apr 23, 2009 at 11:45:52AM -0500, Minga Minga wrote:
> I have this in my john.conf file. ( I didn't write it - and I don't
> even understand it).
> 
> [List.Rules:NT]
> l
> lMT[*0]T[*1]T[*2]T[*3]T[*4]T[*5]T[*6]T[*7]T[*8]T[*9]T[*A]T[*B]T[*C]T[*D]Q

I wrote it.  As the comment above it says, the intent was to quickly
crack NTLM hashes given already cracked LM ones.  There was no intent to
eliminate duplicates, because all 16384 combinations (at most) are
checked in a few milliseconds.  Well, perhaps with thousands of cracked
LM hashes, this can turn into a few seconds to crack the corresponding
NTLM hashes.

> So - 28675 possible combinations. The problem is this:
> 
> /john -w:a.dic --rules:nt -stdout | sort -u | wc
>      24      24     112
> 
> There are only 24 REAL combinations. So the --rules:nt wastes a lot of effort.
> It's not THAT big of a deal, but it does waste a lot of CPU time on some large
> wordlists.

This was never meant to be used with arbitrary wordlists, let alone with
large ones.

> Is there a better way/rule to get all the possible capitalization combinations
> for a word list?

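An added emulation (not Solar's or John's code) of what the two [List.Rules:NT] rules produce for a single word, to show where the 16384 expansions go; the all_capitalizations function goes beyond the thread by enumerating the distinct case patterns directly.

```python
from itertools import product

TOGGLE_POSITIONS = 14   # T[*0] ... T[*D] cover positions 0..13

def nt_rule_candidates(word, positions=TOGGLE_POSITIONS):
    """Candidates the two [List.Rules:NT] rules emit for one word.
    `l` gives the lowercased word. In `lMT[*0]...T[*D]Q` the preprocessor expands each
    [*n] to T* (toggle at max_length, beyond the word, so a no-op) or Tn (toggle position n),
    2^14 rule variants in all; Q drops any result equal to the word memorised by M."""
    base = word.lower()
    out = [base]
    for flips in product((False, True), repeat=positions):
        chars = list(base)
        for pos, flip in enumerate(flips):
            if flip and pos < len(chars):
                chars[pos] = chars[pos].swapcase()
        cand = "".join(chars)
        if cand != base:                # the Q check
            out.append(cand)
    return out

def all_capitalizations(word):
    """Beyond the thread: enumerate the distinct case patterns directly, 2^k for k letters."""
    base = word.lower()
    letters = [i for i, c in enumerate(base) if c.upper() != c]
    out = []
    for flips in product((False, True), repeat=len(letters)):
        chars = list(base)
        for i, flip in zip(letters, flips):
            if flip:
                chars[i] = chars[i].upper()
        out.append("".join(chars))
    return out

def waste_report(words):
    """(candidates emitted, distinct candidates): the numbers `-stdout | wc` and `sort -u | wc` give."""
    cands = [c for w in words for c in nt_rule_candidates(w)]
    return len(cands), len(set(cands))
```

For a three-letter word the rule pair emits 14337 candidates of which only 8 are distinct; digits in the word shrink the distinct set further while the emitted count stays in the thousands.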

jmk | 12 May 2009 17:25

Re: Cracking Metasploit SMB stuff...

On Fri, 2009-04-24 at 15:44 -0300, nahuel.grisolia@... wrote:
> Hey list, i'm trying to crack this:
> 
> Captured 192.168.2.138:1597 DOMAIN\user
> LMHASH:8885a28be8a72ca650bd65069ca4a3f4a5de1c918778d28f
> NTHASH:3a948718e031f88063d9925152ab2b5e010100000000000005f1c89ff1c4c901a5de1c918778d28f00000000020000000000000000000000
> OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002
> 5.1
> 
> I don't know which format I should use this time... I've already read all the
> _fmt.c but with no luck... any ideas? I know the cleartext password; if it
> can help, tell me... thanks a lot.

Nahuel,

I'm a bit rusty on this, but here goes... 

What you have there should be a LMv2 and a NTLMv2 challenge/response.
The John "NETLMv2" format can perform a brute-force crack against the
LMv2 set. The first 16 bytes of your "LMHASH" value should be the client
response and the next 8 are its challenge. You will also need the server
challenge issued by Metasploit, which I'm assuming was 1122334455667788.
The format of the file should then be as follows:

USERNAME::DOMAIN:SERVER CHALLENGE:LMv2 RESPONSE:CLIENT CHALLENGE

Using your data, you have:

user::DOMAIN:1122334455667788:8885a28be8a72ca650bd65069ca4a3f4:a5de1c918778d28f

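Turning a Metasploit capture into the NETLMv2 line above, plus a check of one known cleartext against it, as an added example rather than jmk's or John's code; it assumes the 1122334455667788 server challenge jmk assumes, derives the NTLMv2 hash per MS-NLMP (uppercased user, domain as given), and carries its own MD4 because hashlib often lacks it.

```python
import hmac, hashlib, struct

def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, range(16), (3, 7, 11, 19), 0),
              (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
              (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c       # registers rotate between steps
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password):
    return md4(password.encode("utf-16-le"))

def lmv2_response(password, user, domain, server_chal, client_chal):
    """LMv2 = HMAC-MD5(NTLMv2 hash, server challenge || client challenge), where the
    NTLMv2 hash is HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain))."""
    v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2, server_chal + client_chal, hashlib.md5).digest()

def netlmv2_line(user, domain, lmhash_hex, server_chal_hex="1122334455667788"):
    """Metasploit's 24-byte LMHASH is 16 bytes of response + 8 bytes of client challenge;
    John's NETLMv2 input is USER::DOMAIN:SERVERCHAL:RESPONSE:CLIENTCHAL."""
    if len(lmhash_hex) != 48 or len(server_chal_hex) != 16:
        raise ValueError("LMHASH must be 24 bytes of hex and the server challenge 8 bytes")
    return f"{user}::{domain}:{server_chal_hex}:{lmhash_hex[:32]}:{lmhash_hex[32:]}"

def check_line(line, password):
    """True if `password` reproduces the response in a NETLMv2 line (what John tests per candidate)."""
    user, _, domain, schal, resp, cchal = line.split(":")
    got = lmv2_response(password, user, domain, bytes.fromhex(schal), bytes.fromhex(cchal))
    return got.hex() == resp
```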

nahuel.grisolia | 12 May 2009 17:52

Re: Cracking Metasploit SMB stuff...

2009/5/12 jmk <jmk@...>

> What you have there should be a LMv2 and a NTLMv2 challenge/response.
> The John "NETLMv2" format can perform a brute-force crack against the
> LMv2 set. The first 16 bytes of your "LMHASH" value should be the client
> response and the next 8 are its challenge. You will also need the server
> challenge issued by Metasploit, which I'm assuming was 1122334455667788.
> The format of the file should then be as follows:
>
> USERNAME::DOMAIN:SERVER CHALLENGE:LMv2 RESPONSE:CLIENT CHALLENGE
>
> Using your data, you have:
>
>
> user::DOMAIN:1122334455667788:8885a28be8a72ca650bd65069ca4a3f4:a5de1c918778d28f

Thanks a lot Joe! It works really well! ...
Bucsay Balázs | 21 May 2009 23:21

GI John

Hello!

Finally I can publish my distributed patch for john. It seems to be
working; I hope it will be stable in the future, when more people
use it.
You can download it from here:
http://www.gijohn.info

All the information you need is in the FAQ section, but if you
have a problem, you can reach me by e-mail.

The patch only works with the original john and the gijohn.info website.

I hope you will like it.

Balázs Bucsay

--

-- 
To unsubscribe, e-mail
john-users-unsubscribe@... and reply
to the automated confirmation request that will be sent to you.

Minga Minga | 22 May 2009 00:44

Re: GI John

> Finally I can publish my distributed patch for john. It seems to be
> working; I hope it will be stable in the future, when more people
> use it.
> You can download it from here:
> http://www.gijohn.info

Interesting project. I'll give it a try. I hope lots of people use it.
Then again, I would not use something like this for clients'
passwords. It's too dangerous to share your hashes with
strangers on the Internet.

Notes:

1) The error message

<error>No such user. Please register, or change the account.</error>

... implies that the username is invalid. If I pick a valid username, will I
get a different error message? If so, this is a user-enumeration
vulnerability, and I can use it to brute force user names, and maybe
eventually passwords.

2) The traffic to the server is over port 80. Will it be sending
password hashes and plain text, non-encrypted, over the Internet?
That's really dangerous. I would wrap it with 'stunnel' if
gijohn.info were running an SSL web server, which it doesn't:

POST /newsession.php?user=testing&pass=testpassword HTTP/1.0
Host: gijohn.info


Bucsay Balázs | 22 May 2009 01:45

Re: GI John

First of all, please try it before you write anything.

Minga Minga wrote:
>> Finally I can publish my distributed patch for john. It seems to be
>> working; I hope it will be stable in the future, when more people
>> use it.
>> You can download it from here:
>> http://www.gijohn.info
>>     
>
> Interesting project. I'll give it a try. I hope lots of people use it.
> Then again, I would not use something like this for clients'
> passwords. It's too dangerous to share your hashes with
> strangers on the Internet.
>   
I have heard this opinion before, and I don't agree with it, and I won't.
If you upload some hashes, the system only stores the hash without the
username. The username is an unnecessary thing for GI John, because
we only want the plaintext form of the hashes. If I download the
hashlist, I can't get the username, host, service etc. If you can get
those, you can write me a mail in private :)

> Notes:
>
> 1) The error message
>
> <error>No such user. Please register, or change the account.</error>
>
> ... implies that the username is invalid. If I pick a valid username, will I
> get a different error message? If so, this is a user-enumeration

Pedro Algarvio | 27 May 2009 00:02

SSH PrivateKey with password length bigger than 8 alphanum chars


Hello!

I'm trying to use JtR to crack one of my own ssh private keys.

I know that its length is bigger than 9 chars (ASCII letters and numbers,
both upper and lower case), most likely 10 chars, but it can be bigger, though not
longer than 16 chars.

I've tried changing the source as suggested in some posts on the mailing
list, yet with no luck. It either segfaults or complains that its
statistical data is not enough.

I also suspect the range of chars/numbers used in the password, yet, I'm
not sure.

How can I compile JtR successfully for such a task?

Thanks!
--
Pedro Algarvio
   __ ___  ___ _______        ___ __
|   Y   .'  _|   _   .-----.'  _|  |_   .-----.----.-----.
|.  |   |   _|   1___|  _  |   _|   _|__|  _  |   _|  _  |
|.  |   |__| |____   |_____|__| |____|__|_____|__| |___  |
|:  1   |    |:  1   |                             |_____|
|::.. . |    |::.. . |  ufs [AT] ufsoft [DOT] org
`-------'    `-------'    ufs [AT] sapo [DOT] pt

john on ipod

hi guys,
Just interested whether you can compile john for iPod use. I know of the
ipodlinux project but wanted to know if there was another way.

-- 
Sent from Gmail for mobile | mobile.google.com

Kalgecin
http://kalgecin.110mb.com
http://kalgecin.blogspot.com


