Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <op.x3v7frjzzz6j51@1pqhgq1.dtn.com>
Date: Mon, 24 Aug 2015 17:00:53 -0500
From: JimF <jfoug@....net>
To: "john-users@...ts.openwall.com" <john-users@...ts.openwall.com>
Subject: Additional block of rules for -single mode have been added.

In the recent A-M leak, a lot of people have been using single, I have  
also.
I have also used some targeted words and found these work very good. I did
notice that names usually are not as likely as they were for a leak like we
saw with RockYou (for obvious reasons).  However, I am glad I left names
running a bit, because it turned up some very good new rules to add to
-single mode.  These rules have been added pretty early on in the -single
rules block (in jumbo)

Here is the new block added (to bleeding jumbo in git).

# this is a good rule on larger sites where a user ID may already be used,
# so a user simply appends numbers to create his loginID, but then uses the
# login name he wanted as basis for password. Just strip off digits and  
treat
# the base-word to some manipulation. These rules found from the 2015 A-M
# leak.  Only adds about 30 tests and only to user names that have digits
# contained within them, and cracks quite a few.  This small block of  
single
# rules is only in john-jumbo at the current time (13 rules).
/?d @?d >4
/?d @?d M @?A Q >4
/?d @?d >4 M [lc] Q
/?d @?d M @?A Q >4 M [lc] Q
@?D Q >4
/?d @?d >3 <* $[0-9] Q
/?d @?d M >3 <* [lc] Q $[0-9] Q
/?d @?d >3 <- Az"12" Q
/?d @?d M >3 <- [lc] Q Az"12"
/?d @?d >3 Az"123" Q <+
/?d @?d M >3 [lc] Q Az"123" <+
/?d @?d >2 d Q <+
/?d @?d >2 M [lc] Q d<+
(?a )?d /?d 'p Xpz0
)?a (?d /?a 'p Xpz0


What was seen is this:  A user wants the user id 'jimmy'  But that is  
taken.
So instead they use 'jimmy555444333' or something by appending some number.
But they use their 'normal' password of jimmy (or Jimmy, jimmy123, etc).
So the above rules find these type user names, strip off the numbers and
then do some mangling.  There are also a couple of other rules in there.

name=jimmy5432189

candidates:
jimmy
Jimmy
5432189
jimmy1  (to jimmy9)
Jimmy1  (to Jimmy9)
jimmy12
Jimmy12 (and also appending 123)
jimmyjimmy
JimmyJimmy
5432189jimmy

This set of rules is finding almost as many cracks in the AM leak as the
prior -single rules were finding. Actually, this is probably the best
-single rules set for this data (since it is SO many, and SOOO slow)

# good quick single rules for Ashley Madison
[List.Rules:Single_AM]
: >4
/?d @?d >4
@?D Q >4


Then running john with -single=single_AM  will use just those 3 rules,
seems to find 90-95% of the cracks that would be found in the entire
-single ruleset, but in MUCH less time.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.