Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20100405231648.GA2483@openwall.com>
Date: Tue, 6 Apr 2010 03:16:48 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: GECOS-based single-mode (or possibly wordlist) rule help needed

On Mon, Apr 05, 2010 at 12:39:56PM -0400, ddd@...eup.net wrote:
> What is the syntax for a rule that would extract a user's initials from their GECOS field and append a string to it?

The rules don't "extract" anything from anywhere other than the input
"word" (or in some rare cases two input "words") that they're invoked
to operate on.

When running in "single crack" mode, JtR itself takes the login name,
the home directory name, extracts "words" from the GECOS field, and it
uses all of these as input to "single crack" mode rules.  It also tests
any two of these "words" concatenated (in either order), as well as
picking the first character (possibly an initial) of one word and
appending the other word to that (also in either order).  This logic is
hard-coded in single.c.

For example, with this being the only password file line:

john:rEK1ecacw.7.c:0:0:John Smith:/home/john:/bin/sh

and this being the only rule (a no-op):

[List.Rules:Single]
:

JtR will test the following candidate passwords in "single crack" mode:

john
johnJohn
jJohn
johnSmit
jSmith
John
Johnjohn
Jjohn
JohnSmit
JSmith
Smith
Smithjoh
Sjohn
SmithJoh
SJohn

(the truncation to 8 characters is due to this specific hash type).

I obtained the list above by inserting puts(key); into cracker.c:
crk_process_salt() right after the strnzcpy(key, ...) line.

Now let's try the following rule instead:

[List.Rules:Single]
'2 Az"foo"

This produces:

jofoo
jJfoo
jSfoo
Jofoo
Jjfoo
JSfoo
Smfoo
Sjfoo
SJfoo

which looks like what you wanted and more.

To avoid some of the extra (undesired?) candidate passwords where "foo"
was appended to other than two initials, we can use a "word pair" rule:

[List.Rules:Single]
1 <2 + '2 Az"foo"

This insists that the first of two "words" be of less than two
characters long (effectively meaning exactly one character long).
The output from this rule is shorter:

jJfoo
jSfoo
Jjfoo
JSfoo
Sjfoo
SJfoo

BTW, the lowercase "j" comes from the login name (or the home directory
name).  To avoid trying mixed-case initials, we can use:

1 <2 + '2 [lu] Az"foo"

This produces:

jjfoo
jsfoo
sjfoo
JJfoo
JSfoo
SJfoo

To try the initials in lowercase only, we can use:

1 <2 + '2 l Az"foo"

which produces:

jjfoo
jsfoo
sjfoo

There are no duplicates here due to duplicate-checking code in single.c.
However, that code tries to strike a balance between its overhead
(extra memory consumed and CPU time spent) and effectiveness (the ratio
of duplicate candidate passwords detected and avoided vs. those that are
left undetected and passed into cracker.c).  So, while it worked well in
this example, it might not work so well in other cases.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.