
Rule AN"STR"

Hi

 :[lc] A[0-9],[ a-z!@€#$%^&*\-=_+.?|)(:'"], works fine, (insert a 
letters/digits/symbols between letters 0 to letters 9)

 but not 

 :[lc] A[0-12],[ a-z!@€#$%^&*\-=_+.?|)(:'"], will generate (for example 
with words "evoluzione")

 99evoluzione, e99voluzione, ev99oluzione (then stop)    and not 
99evoluzione ..... to evoluzio99ne, evoluzion99e, evoluzione99

 How to do with words with more than 9 letters ?

Help needed,

 Thanks,

 W.A.

Charles Weir | 1 Jan 20:42 2010

Re: Rule AN"STR"

Hey W.A.,
   I don't have an elegant solution, but I have a good idea what's
happening, and have a kludge. Referring to your original command:

:[lc] A[0-12],[ a-z!@€#$%^&*\-=_+.?|)(:'"],

The problem is the A[0-12]. The rule preprocessor essentially treats
this as A[0-1] + A[2], since the '-' only works with one character
values. So that's the problem you are having. Normally you could use
A-Z to specify the numbers 10-35, but playing around with it, when I
tried to use A[0-C], I received the error: "Invalid position code". I
tried to assign a numerical variable, using the vVNM command but still
received the same error when I ran the command using A[0-a].

On a side note, I realize that you were probably using your examples
to demonstrate the idea of what you were trying to do, vs your actual
output, but I have to admit that it caused me a bit of confusion. Aka,
your rule will never create the actual guess "evoluzio99ne". Just to
help anyone else reading this reply, here is a rule breakdown, (and
please note this only works for version 1.7.4 and not earlier versions
of JtR).

:  //No-op, necessary since we are starting the rule with a
pre-processor variable

[lc]  //preprocessor, to create two rules, first lowercase the guess,
and then create another guess capitalized, aka password, and Password

A[0-9],[ a-z!@€#$%^&*\-=_+.?|)(:'"],  //this whole command can be
broken down into several parts following the rule:

Solar Designer | 2 Jan 05:17 2010

Re: Rule AN"STR"

On Fri, Jan 01, 2010 at 02:42:53PM -0500, Charles Weir wrote:
> :[lc] A[0-12],[ a-z!@?#$%^&*\-=_+.?|)(:'"],
> 
> The problem is the A[0-12]. The rule preprocessor essentially treats
> this as A[0-1] + A[2], since the '-' only works with one character
> values. So that's the problem you are having. Normally you could use
> A-Z to specify the numbers 10-35, but playing around with it, when I
> tried to use A[0-C], I received the error: "Invalid position code".

That's because the preprocessor works with ASCII codes.  It does not
know anything about character position codes (and it is not specific to
those).  For a range specified as [0-C], it will generate many rules
with characters with ASCII codes from that of '0' to that of 'C' in that
character position.  Some of those characters won't be valid position
codes (and not what you want anyway), resulting in the error message.

> I tried to assign a numerical variable, using the vVNM command but still
> received the same error when I ran the command using A[0-a].

That's because the preprocessor is just that.  It is invoked per config
file line prior to any other parsing, and its output is a set of rules.
The numeric variables, on the other hand, exist during actual processing
of the rules with specific input words.  The "v" command assigns value
to such a numeric variable separately for each rule and for each input
word.  There's no way such a variable could affect the number of rules
the preprocessor would generate for a given config file line.  In fact,
there's currently no way to have a non-constant number of rules, except
that some rules could be rejected or effectively turned into no-ops (or
worse - into duplicates - but you should avoid that when you can) under
some conditions.


append severals simple digits in a complex rule

Hi

 I try to append several digits after a word

 test0000
 test1111
 test2222
 test3333
 etc...
 test9999

 I try 

 /a sa[eiouy]$[0123456789]$[0123456789]$[0123456789]$[0123456789]

but this rule does test0000 -> test0001 -> test0002 ... test9999

 It's not what I want.

 As you can see I change swap letters also in this rule.

 what is the right syntax ? 

 I read the john'rules without success.

 thanks,

 W.A.


Solar Designer | 3 Jan 20:12 2010

Re: append severals simple digits in a complex rule

On Sun, Jan 03, 2010 at 06:36:12PM +0100, websiteaccess@... wrote:
>  I try to append several digits after a word
> 
>  test0000
>  test1111
>  test2222
>  test3333
>  etc...
>  test9999
> 
>  I try 
> 
>  /a sa[eiouy]$[0123456789]$[0123456789]$[0123456789]$[0123456789]
> 
> but this rule does test0000 -> test0001 -> test0002 ... test9999

Not exactly: this line rejects words not containing an "a", so it
outputs nothing for "test".  It does generate candidate passwords like
those you mentioned above for words containing the letter "a".

>  It's not what I want.
> 
>  As you can see I change swap letters also in this rule.
> 
>  what is the right syntax ? 

With 1.7.4+, you can use:

/a sa[eiouy] Az"[0-9]\0\0\0"
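The preprocessor behaviour discussed in this thread (a `[...]` range expanded by ASCII code, as in `A[0-12]` and `A[0-C]`, and the `\0` back-reference used in the 1.7.4+ rule above), as an added Python example that is not part of the original posts and is not John the Ripper's own code. It is a simplified model: `parse_list` and `expand` are hypothetical names, only `[...]` lists, backslash escapes inside them and `\0` are handled, and `\0` is assumed to repeat the character chosen for the immediately preceding list.

```python
import itertools

def parse_list(body):
    """Expand the inside of one [...] list the way the thread describes:
    'x-y' is a range over ASCII codes, '\\' escapes the next character."""
    chars, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):            # e.g. \- is a literal dash
            i += 1
            c = body[i]
        elif c == "-" and chars and i + 1 < len(body):  # range by character code
            chars += [chr(n) for n in range(ord(chars[-1]) + 1, ord(body[i + 1]) + 1)]
            i += 2
            continue
        chars.append(c)
        i += 1
    return list(dict.fromkeys(chars))                   # no duplicate rules

def expand(line):
    """Return all rules one config line expands to (simplified model)."""
    parts, i = [], 0          # list = [...] choices, None = \0, str = literal
    while i < len(line):
        if line[i] == "[":
            j = i + 1
            while j < len(line) and (line[j] != "]" or line[j - 1] == "\\"):
                j += 1
            parts.append(parse_list(line[i + 1:j]))
            i = j + 1
        elif line.startswith("\\0", i):
            parts.append(None)
            i += 2
        else:
            parts.append(line[i])
            i += 1
    rules = []
    for combo in itertools.product(*[p for p in parts if isinstance(p, list)]):
        picks, last, out = iter(combo), "", []
        for p in parts:
            if isinstance(p, list):
                last = next(picks)     # character chosen for this list
            out.append(last if p is None or isinstance(p, list) else p)
        rules.append("".join(out))
    return rules

if __name__ == "__main__":
    print(parse_list("0-12"))                       # the A[0-12] case
    print("".join(parse_list("0-C")))               # the A[0-C] case
    print(expand('Az"[0-9]\\0\\0\\0"'))             # the 1.7.4+ rule
```

In this model a list written as `[0-9A-C]` expands to the thirteen codes `0` through `9` and `A` through `C`, while `[0-C]` also picks up `:;<=>?@`, the characters that sit between the digits and the letters in ASCII.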


Solar Designer | 3 Jan 21:36 2010

Re: JtR 1.7.4 and jumbo patch update

Regarding Matt's benchmark (of 1.7.3.4's rules engine vs. 1.7.4's),
which revealed a bug in 1.7.4:

On Sun, Dec 27, 2009 at 08:01:42PM -0500, Charles Weir wrote:
> A copy of the config file can be obtained from the following link:
> 
> http://sites.google.com/site/reusablesec/Home/john-the-ripper-files/john-the-ripper-sample-configs-1
> 
> For the input dictionary I used one of the lowercase English
> dictionaries available on the openwall ftp site, (I think it was the
> large one). The dictionary contained 444,678 words.

/pub/wordlists/languages/English/4-extra/lower.gz contains 444,678 lines
(a few of which are comments rather than words), so I think it was this
one.  The -extra wordlists don't encompass the smaller and higher
quality ones, so they contain relatively obscure and questionable
"words" only.  It is not a good idea to use one of them on its own
(other than after having run through one or more of the higher quality
wordlists, such as those found under -large).  I thought this was
obvious from the naming ("extra" is just that), the comments in the
files, and the actual content, but perhaps this needs to be documented
explicitly.

Anyhow, the -extra wordlist is OK for a test run when there's no goal to
actually crack passwords.

> Running JtR version 1.7.3.4
> Ryoki:run cweir$ ./john
> -wordlist=../../../custom/dictionaries/english-lower -rules -stdout > /dev/null
[...]

Solar Designer | 5 Jan 03:06 2010

Re: tutorials on the wiki

Matt, all -

This is a late reply, yet I think it is currently relevant.  We're
speaking about Matt's tutorial at:

http://sites.google.com/site/reusablesec/Home/john-the-ripper-files/tutorials

which is linked from:

http://openwall.info/wiki/john/tutorials

On Fri, Nov 20, 2009 at 07:12:40PM -0500, Charles Weir wrote:
> I just updated my copy of the installation guide for John the Ripper version
> 1.7.3.4 on a Mac OSX Snow Leopard. The main improvements are:
> 
> 1) Added information on how to download a pre-built executable from the ftp
> site, (I didn't even know there were pre-built executables before Solar let
> me know)

Thanks.  I think that your FTP download instructions are overly
complicated, though.  I imagine that most Mac OS X users will access the
FTP server with their web browser, not with a command-line FTP client.
(The command-line works better when there's a more convenient and more
powerful FTP client installed, such as lftp.)  Although it is OK to
explicitly login as "anonymous" as you wrote, it is also OK to login as
"ftp" with any password, and the web browser (or lftp) would not even
ask for a username/password.  There's no "strict idle timeout" on the
FTP server (there is a default timeout, which I would not call strict),
and there's no "banning" (except that if you keep lots of sessions open
at once, you'll hit the per-source-address limit).  The "timeouts" and

Paul Needham | 13 Jan 13:24 2010

UNSHADOW from Windows


Is it possible to copy the /etc/passwd and /etc/shadow files from solaris, and save them as files in windows
and run unshadow. Or does unshadow only work in unix/linux with root user? 

I've got the files but want to run john from windows, and I have saved the /etc/shadow as etcshadow and
/etc/passwd as etcpasswd in windows but when supplying the command unshadow etcpasswd etcshadow >
mypasswd I am informed 

fopen: etcshadow No such file or directory 

I suspect maybe unshadow does not work in windows but hopefully someone can provide a solution?
 		 	   		  
Solar Designer | 13 Jan 14:42 2010

Re: UNSHADOW from Windows

Paul,

On Wed, Jan 13, 2010 at 12:24:37PM +0000, Paul Needham wrote:
> Is it possible to copy the /etc/passwd and /etc/shadow files from solaris, and save them as files in
> windows and run unshadow.

Yes, and that's why the unshadow program is available on Windows builds.

> I've got the files but want to run john from windows, and I have saved the /etc/shadow as etcshadow and
> /etc/passwd as etcpasswd in windows but when supplying the command unshadow etcpasswd etcshadow >
> mypasswd I am informed 
> 
> fopen: etcshadow No such file or directory 

The approach you've described above and the specific command look fine
to me.  This should have worked.  My guess is that you made a typo on
the command line.  Please try again.  If you continue to run into this
problem, please copy & paste an excerpt of your shell session into a
followup posting to this mailing list.  The excerpt should show the
specific filenames you have (e.g., run "dir" in a "DOS window", or
"ls -l" in bash if you have Cygwin installed), your "unshadow ..."
command, and its exact output (please do use copy & paste, don't just
re-type what you see into an e-mail message).

I hope this helps.

Alexander

Paul Needham | 13 Jan 15:13 2010

RE: UNSHADOW from Windows


Thanks for the reply Alexander - much appreciated.

Could have been a simple typo, mind you I did relocate the solaris files to a new directory so perhaps that
affected it. 

Anyway, now I have a file that is in the following format:

username: hash

For the record, could I not have just pasted the username hash and created my own file, as the unshadow
command only seems to have taken the username and hash and put it in the correct format?

Regards,

Paul

 
> Date: Wed, 13 Jan 2010 16:42:44 +0300
> From: solar@...
> To: john-users@...
> Subject: Re: [john-users] UNSHADOW from Windows
> 
> Paul,
> 
> On Wed, Jan 13, 2010 at 12:24:37PM +0000, Paul Needham wrote:
> > Is it possible to copy the /etc/passwd and /etc/shadow files from solaris, and save them as files in
> > windows and run unshadow.
> 
> Yes, and that's why the unshadow program is available on Windows builds.

