Message-ID: <20061223201858.GA28753@openwall.com>
Date: Sat, 23 Dec 2006 23:18:58 +0300
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: Need Help with JTR's rules

On Sat, Dec 23, 2006 at 07:20:27PM +0100, websiteaccess wrote:
> wolf -> wwoollff
>
> x01d = extract letter '"w"olf' then w duplicated (duplicated with "d")
> = ww

Correct. However, at this point you only have "ww"; everything else is lost, and you can't operate on it.

> x11d = extract letter 'w"o"lf' then o duplicated (duplicated with "d")
> = oo

This would work if it were the first thing you did, but it does not work after the above commands.

> finally ww+oo+ll+ff = "wwoollff", but it wasn't the right thing to do.

Even if all of the above commands would have worked the way you wanted them to, this would require that JtR memorizes 3 or 4 separate parts of the resulting candidate password. Apparently, this is what you wanted to use the "M" (memorize) command for, but it does not do that. There's only one "memory location" (besides the current word being operated on) and its only use is for comparison with the "Q" (query) command:

    http://www.openwall.com/lists/john-users/2006/06/28/2

> Could you show us how works your example, with clear explanation like
> I do ?

You can obtain similar "explanations" by specifying multiple simpler rules instead of a complex one, adding one or a few commands at a time:

    [List.Rules:Wordlist]
    >3<5
    >3<5f
    >3<5f}
    >3<5f}f
    >3<5f}ff
    >3<5f}ffD3D3D3D3D3
    >3<5f}ffD3D3D3D3D3D5D5
    >3<5f}ffD3D3D3D3D3D5D5D6D6D6D6D6D6D6
    >3<5f}ffD3D3D3D3D3D5D5D6D6D6D6D6D6D6'8

Then run it on a file with only "wolf" in it:

    john -w=wolf --rules --stdout

The output is:

    wolf
    wolfflow
    wwolfflo
    wwolffloolffloww
    wwolffloolfflowwwwolffloolffloww
    wwoolfflowwwwolffloolffloww
    wwoollowwwwolffloolffloww
    wwoollffloolffloww
    wwoollff

As you can see, ">3<5" does not change the word at all; its purpose is to reject words that are not four characters long because the rest of the commands in our complicated rule will assume that we operate on a 4 character long word.

Then "f" reflects the word, as specified in doc/RULES. For "wolf", we get "wolfflow". Note that at this point we already have the sequence "ff" which we will need, and also we can easily obtain "ww":

When we add "}" - rotate right - we get the last "w" of "wolfflow" in the first character position. So we have "ww" and "ff" somewhere in our current "word". But we do not yet have "oo" or "ll"; also, while we do have two o's and two l's in our entire "word", we only have one of each of these letters before the "ff". So we can't yet obtain "oo" or "ll" before the "ff" by merely deleting some characters. If that's the approach we want to use (although there might be others), then we need to duplicate more characters, so we:

Do another "f" (reflect), resulting in "wwolffloolffloww". Now we have "oo", but no "ll" yet. Also, if we would start deleting characters until we obtain "wwooll" then we would not have any f's left after the "ll". We resolve that in the same way:

Do yet another "f" (reflect), resulting in "wwolffloolfflowwwwolffloolffloww" which finally has a sufficient number of f's after the o's and l's.

Now we can proceed to delete everything that we don't need:

With "D3D3D3D3D3", we delete 5 characters after "wwo". Specifically, we delete the substring "lfflo". So we get "wwoolfflowwwwolffloolffloww".

With "D5D5", we delete the "ff" after "wwool". So we get "wwoollowwwwolffloolffloww".

With "D6D6D6D6D6D6D6", we delete the "owwwwol" after "wwooll". So we get "wwoollffloolffloww".

Finally, we truncate this "word" at 8 characters, achieving the desired result - "wwoollff".

Didn't I say it was a hack? :-)

Actually, here's a simpler one:

    >3<5dddD1D1D1D3D3D3D5D5D5D7D7D7'8

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments

Was I helpful? Please give your feedback here: http://rate.affero.net/solar

-- 
To unsubscribe, e-mail john-users-unsubscribe@...ts.openwall.com and reply to the automated confirmation request that will be sent to you.
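
Added example, not part of the original message and not John the Ripper's code: a small Python tracer for the rule commands used in the message above (`>N`, `<N`, `f`, `}`, `d`, `DN`, `'N`) that shows the word after every single command, for both the long rule and the simpler one. The names `trace` and `apply_rule` are made up for this example, and any other rule command raises an error.

```python
# Added illustration: traces the few John the Ripper wordlist-rule commands
# used in this message. Not John's own code; trace/apply_rule are made-up names.

HACK = ">3<5f}ffD3D3D3D3D3D5D5D6D6D6D6D6D6D6'8"    # first rule from the message
SIMPLER = ">3<5dddD1D1D1D3D3D3D5D5D5D7D7D7'8"      # "simpler one" from the message

def trace(word, rule):
    """Return [(command, word_after), ...]; word_after is None on rejection."""
    steps, i = [], 0
    while i < len(rule):
        c = rule[i]
        if c in "><D'":                        # commands with a position argument
            if i + 1 == len(rule):
                raise ValueError(f"{c!r} needs a position argument")
            n = int(rule[i + 1], 36)           # 0-9, then A-Z for 10-35
            cmd, i = rule[i:i + 2], i + 2
            if (c == ">" and len(word) <= n) or (c == "<" and len(word) >= n):
                steps.append((cmd, None))      # length check failed: reject word
                return steps
            if c == "D":
                word = word[:n] + word[n + 1:] # delete the character at position n
            elif c == "'":
                word = word[:n]                # truncate to length n
        elif c in "f}d":
            cmd, i = c, i + 1
            if c == "f":
                word = word + word[::-1]       # reflect: "wolf" -> "wolfflow"
            elif c == "}":
                word = word[-1:] + word[:-1]   # rotate right: last char to front
            else:
                word = word + word             # duplicate
        else:
            raise ValueError(f"command {c!r} is not handled by this example")
        steps.append((cmd, word))
    return steps

def apply_rule(word, rule):
    """Final candidate for `word`, or None if the rule rejects it."""
    steps = trace(word, rule)
    return steps[-1][1] if steps else word

if __name__ == "__main__":
    for rule in (HACK, SIMPLER):
        print(rule)
        for cmd, w in trace("wolf", rule):
            print(f"  {cmd:<2} -> {w}")
```

Running it on a word that is not four characters long shows the `>3<5` guard rejecting the word before any of the position-dependent `D` commands are reached.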