Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20060119190907.GA17223@openwall.com>
Date: Thu, 19 Jan 2006 22:09:07 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Custom .chr files w/o .pot

On Wed, Jan 18, 2006 at 02:36:54PM -0600, Mark Shaw wrote:
> Is it possible to create a custom .chr file without first having any
> cracked passwords?

As others have explained, yes, you can generate a fake john.pot file
from a wordlist by prefixing each word with a colon.

> For a rather involved reason, I'm trying to crack my own password.
> I know the length, and some characters that are defnitely present,
> and some that are definitely not.  I'd like to exploit this knowledge
> to run an incremental crack using a reduced character set.

Invoke these commands:

	echo :your_possible_password > john.pot
	john --make-charset=custom.chr

Then in john.conf define:

	[Incremental:Custom]
	File = custom.chr
	MinLen = 1
	MaxLen = 8
	Extra = any_other_characters_to_try

That is, use "Extra" if there are any other characters which you think
might be present, but which are not already a part of the string which
you had entered into john.pot.  Alternatively, for even better results,
you can enter multiple guesses to your password into the fake john.pot.

> Alternately, can I just use all.chr and somehow tell john not to
> use certain characters?

You can define an external filter() and use that along with all.chr,
filtering out candidate passwords which you know won't match yours.
Unfortunately, this is not very efficient since all of those candidate
passwords would be generated anyway, then filtered out.  You only save
on the actual hashing, replacing it with some filtering.

> Would this have any real effect on run time?

When running against just one salt, you might not save a lot of
processing time with the filtering I've explained above.  In fact, the
reported c/s rate will be lower because only those candidate passwords
which are actually hashed are accounted for when calculating the rate.

You're going to have better luck with a custom .chr file.

The wordlist rules abuse trick that Radim has suggested would work, too,
but you need to be careful to not create too many rules with
preprocessor commands.  With too many (e.g., millions) of wordlist rules
(after preprocessor expansion), John startup might be too slow as the
expanded rules are checked for valid syntax.

Another alternative is to specify a new external mode which would only
generate the desired candidate passwords.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.