John the Ripper/Rules: Difference between revisions
From charlesreid1
Revision as of 11:18, 29 March 2016
Using Rules with John
Download an excellent set of John the Ripper rules from KoreLogic security here: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt
Based on the 2010 Defcon Crack Me If You Can contest.
Install the Rules
To install the rules, download that text file. Then run this command to append those rules to John's configuration file:
$ cat korelogic-rules-20100801.txt >> /etc/john/john.conf
Using Rules
Now you can use any of the rules that are listed here (http://contest-2010.korelogic.com/rules.html) or that you see in the form of [List.Rules:KoreLogicRulesPrependSeason] in the rules file (just get rid of the List.Rules: part.)
$ john --wordlist=rockyou-10.txt --format=wpapsk --rules=KoreLogicRulesPrependYears crackme
List All the Rules
Here's a one-liner to list all the KoreLogic rule sets in the configuration file, by grepping and cutting. Remember that each one of these rule sets can produce thousands of password variations per wordlist entry!
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do echo ${ruleset}; done
KoreLogicRulesPrependSeason
KoreLogicRulesAppendSeason
KoreLogicRulesPrependHello
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendCurrentYearSpecial
KoreLogicRulesAppend4Num
KoreLogicRulesAppend5Num
KoreLogicRulesAppend6Num
KoreLogicRulesAppendSpecial3num
KoreLogicRulesAppendSpecial4num
KoreLogicRulesPrependCAPCAPAppendSpecial
KoreLogicRulesPrependNumNumAppendSpecial
KoreLogicRulesPrependNumNum
KoreLogicRulesPrependNumNumNum
KoreLogicRulesPrependNumNumNumNum
KoreLogicRulesPrependNumNumSpecial
KoreLogicRulesPrepend2NumbersAppend2Numbers
KoreLogicRulesPrependSpecialSpecial
KoreLogicRulesAppendSpecialNumberNumber
KoreLogicRulesAppendSpecialNumberNumberNumber
KoreLogicRulesPrependSpecialSpecialAppendNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumberNumber
KoreLogicRulesAppend2Letters
KoreLogicRulesPrepend4NumAppendSpecial
KoreLogicRulesAppend4NumSpecial
KoreLogicRulesAppend3NumSpecial
KoreLogicRulesAppend2NumSpecial
KoreLogicRulesAddJustNumbersLimit8
KoreLogicRulesDevProdTestUAT
KoreLogicRulesPrependAndAppendSpecial
KoreLogicRulesAppendJustNumbers
KoreLogicRulesAppendNumbers_and_Specials_Simple
KoreLogicRulesAppendJustSpecials
KoreLogicRulesMonthsFullPreface
KoreLogicRulesAddShortMonthsEverywhere
KoreLogicRulesPrepend4LetterMonths
KoreLogicRulesAdd2010Everywhere
KoreLogicRulesPrependDaysWeek
KoreLogicRulesAdd1234_Everywhere
KoreLogicRulesAppendMonthDay
KoreLogicRulesAppendMonthCurrentYear
KoreLogicRulesReplaceNumbers2Special
KoreLogicRulesReplaceNumbers
KoreLogicRulesReplaceLettersCaps
KoreLogicRulesAddDotCom
KoreLogicRulesAppendCap-Num_or_Special-Twice
KoreLogicRulesAppendSpecialLowerLower
KoreLogicRulesAppendJustSpecials3Times
KoreLogicRulesPrependJustSpecials
KoreLogicRulesAppend1_AddSpecialEverywhere
KoreLogicRulesPrependNumNum_AppendNumSpecial
KoreLogicRulesAppendNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere
KoreLogicRulesAppendYears_AddSpecialEverywhere
KoreLogicRulesL33t
KoreLogicRulesReplaceSpecial2Special
KoreLogicRulesReplaceLetters
Use All the Rules
This is overkill, but it extracts every rule set from the KoreLogic rule list and runs john with each one of them. From the full list here http://contest-2010.korelogic.com/rules.html you can see that'll take a loooooooong time. But this is handy combined with grep to narrow the list down to a few rule set names.
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done
A nice subset:
$ grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1 | grep Year | grep -v Special
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendMonthCurrentYear
Put into use:
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1 | grep Year | grep -v Special`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done
Pin Numbers
Analysis of pin numbers: http://www.datagenetics.com/blog/september32012/
I wanna turn this into some John the Ripper rules.
Defining Rules
First, start by defining some rule names:
[List.Rules:Pins]
Some 4-digit numbers that are low-hanging fruit and hard to program with patterns:
# low hanging fruit
-[c:] \p[c:] Az"1004" <+
-[c:] \p[c:] Az"4321" <+
-[c:] \p[c:] Az"6969" <+
-[c:] \p[c:] Az"1122" <+
-[c:] \p[c:] Az"1313" <+
-[c:] \p[c:] Az"0007" <+
-[c:] \p[c:] Az"0070" <+
-[c:] \p[c:] Az"1984" <+
-[c:] \p[c:] Az"2580" <+
-[c:] \p[c:] Az"2468" <+
-[c:] \p[c:] Az"1357" <+
-[c:] \p[c:] Az"0123" <+
-[c:] \p[c:] Az"1234" <+
-[c:] \p[c:] Az"2345" <+
-[c:] \p[c:] Az"3456" <+
-[c:] \p[c:] Az"4567" <+
-[c:] \p[c:] Az"5678" <+
-[c:] \p[c:] Az"6789" <+
-[c:] \p[c:] Az"7890" <+
Create a pattern for numbers like 0000, 1111, etc.
# xxxx
-[c:] \p[c:] Az"0000" <+
-[c:] \p[c:] Az"0000"s01 <+
-[c:] \p[c:] Az"0000"s02 <+
-[c:] \p[c:] Az"0000"s03 <+
-[c:] \p[c:] Az"0000"s04 <+
-[c:] \p[c:] Az"0000"s05 <+
-[c:] \p[c:] Az"0000"s06 <+
-[c:] \p[c:] Az"0000"s07 <+
-[c:] \p[c:] Az"0000"s08 <+
-[c:] \p[c:] Az"0000"s09 <+
Create a pattern for numbers like 000X. The trailing command s12 means search for "1"s and replace them with "2"s.
# 000x
-[c:] \p[c:] Az"0001" <+
-[c:] \p[c:] Az"0001"s12 <+
-[c:] \p[c:] Az"0001"s13 <+
-[c:] \p[c:] Az"0001"s14 <+
-[c:] \p[c:] Az"0001"s15 <+
-[c:] \p[c:] Az"0001"s16 <+
-[c:] \p[c:] Az"0001"s17 <+
-[c:] \p[c:] Az"0001"s18 <+
-[c:] \p[c:] Az"0001"s19 <+
The mirror image of that is numbers like X000:
# x000
-[c:] \p[c:] Az"1000" <+
-[c:] \p[c:] Az"1000"s12 <+
-[c:] \p[c:] Az"1000"s13 <+
-[c:] \p[c:] Az"1000"s14 <+
-[c:] \p[c:] Az"1000"s15 <+
-[c:] \p[c:] Az"1000"s16 <+
-[c:] \p[c:] Az"1000"s17 <+
-[c:] \p[c:] Az"1000"s18 <+
-[c:] \p[c:] Az"1000"s19 <+
Create a pattern for numbers like X001. 2001 is a popular PIN, but some of the others are easy to remember, too:
# x001
-[c:] \p[c:] Az"1001" <+
-[c:] \p[c:] Az"2001" <+
-[c:] \p[c:] Az"2001"s23 <+
-[c:] \p[c:] Az"2001"s24 <+
-[c:] \p[c:] Az"2001"s25 <+
-[c:] \p[c:] Az"2001"s26 <+
-[c:] \p[c:] Az"2001"s27 <+
-[c:] \p[c:] Az"2001"s28 <+
-[c:] \p[c:] Az"2001"s29 <+
Look for patterns like XYXY, but where the numbers are close to each other: 1212, or 2323, or 3434, etc.
# xyxy where x and y are within 1 of each other
-[c:] \p[c:] Az"XYXY"sX1sY2 <+
-[c:] \p[c:] Az"XYXY"sX2sY3 <+
-[c:] \p[c:] Az"XYXY"sX3sY4 <+
-[c:] \p[c:] Az"XYXY"sX4sY5 <+
-[c:] \p[c:] Az"XYXY"sX5sY6 <+
-[c:] \p[c:] Az"XYXY"sX6sY7 <+
-[c:] \p[c:] Az"XYXY"sX7sY8 <+
-[c:] \p[c:] Az"XYXY"sX8sY9 <+
And the same thing in reverse:
# yxyx
-[c:] \p[c:] Az"XYXY"sY1sX2 <+
-[c:] \p[c:] Az"XYXY"sY2sX3 <+
-[c:] \p[c:] Az"XYXY"sY3sX4 <+
-[c:] \p[c:] Az"XYXY"sY4sX5 <+
-[c:] \p[c:] Az"XYXY"sY5sX6 <+
-[c:] \p[c:] Az"XYXY"sY6sX7 <+
-[c:] \p[c:] Az"XYXY"sY7sX8 <+
-[c:] \p[c:] Az"XYXY"sY8sX9 <+
Cover combinations of months and dates, since these are also popular:
# MMDD
-[c:] \p[c:] Az"0[1-9][0-2][1-9]" <+
-[c:] \p[c:] Az"0[1-9]3[0-1]" <+
-[c:] \p[c:] Az"1[0-2][0-2][1-9]" <+
-[c:] \p[c:] Az"1[0-2]3[0-1]" <+
Plug up the pipeline with all the years, 1900-2000.
# 19xx
-[c:] \p[c:] Az"19[0-9][0-9]" <+
# 20xx
-[c:] \p[c:] Az"20[0-1][0-9]" <+
-[c:] \p[c:] Az"20[2-9][0-9]" <+
Blow It Up
Check it:
1 password will become 1,240 passwords. Better than 10,000!
root@morpheus:~/box/besside# john --wordlist=one.txt --stdout | wc -l
1
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=Pins --stdout | wc -l
1240
root@morpheus:~/box/besside#
92 passwords blow up to 114,080 passwords.
root@morpheus:~/box/besside# john --wordlist=/root/codes/SecLists/Passwords/rockyou-10.txt --stdout | wc -l
92
root@morpheus:~/box/besside# john --wordlist=/root/codes/SecLists/Passwords/rockyou-10.txt --rules=Pins --stdout | wc -l
114080
root@morpheus:~/box/besside#
If we were checking a password file like phpbb.txt, which has 184,300 passwords, that would cost us 1,240 new passwords per password in the file (to check each password with a 4-digit number appended to it). That's 228,532,000 passwords total. At a rate of about 1,240 passwords per second, that would be 51 hours, or 2.1 days. On a higher-end machine, you might get 1800 passwords per second, which cuts the time to 35 hours, or 1.4 days. Still a loooong time.
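As an added example (not John's own code and not from this page), here is a small Python model of the two things the Pins set relies on: the preprocessor's [..] lists and \p[..] parallel lists, and the rule commands the set uses (c, :, Az"...", sXY, <+). It lets you count the candidates a rule file will generate before committing the CPU time; MAX_LEN, PINS_SUBSET and the function names are assumptions, and reject flags such as -c are treated as no-ops, which matches the 1 to 1,240 count shown above.

```python
import re
from itertools import product
# Added example, not John's own code: a model of the rule preprocessor and of the commands the Pins set uses.
MAX_LEN = 63  # assumption: the maximum length that the '+' in '<+' refers to
def expand_class(body):  # '1-9' -> ['1', ..., '9'], 'c:' -> ['c', ':']
    out = []
    for a, b, c in re.findall(r'(.)-(.)|(.)', body):
        out += [chr(n) for n in range(ord(a), ord(b) + 1)] if a else [c]
    return out

def preprocess(line):
    """Expand one preprocessor line into every concrete rule it stands for."""
    toks = re.split(r'(\\p\[[^\]]*\]|\[[^\]]*\])', line)
    seq = [(i, expand_class(t[1:-1])) for i, t in enumerate(toks) if t.startswith('[')]
    par = [(i, expand_class(t[3:-1])) for i, t in enumerate(toks) if t.startswith('\\p[')]
    for choice in product(*[range(len(v)) for _, v in seq]):
        out = list(toks)
        for (pos, vals), k in zip(seq, choice):
            out[pos] = vals[k]
        for pos, vals in par:  # \p lists advance in step with the first plain list
            out[pos] = vals[choice[0] % len(vals)]
        yield ''.join(out)

def apply_rule(rule, word):
    """Apply one concrete rule to a word; None means the rule rejected it."""
    i = 0
    while i < len(rule):
        ch = rule[i]
        if ch in ' :': i += 1                          # separator / no-op command
        elif ch == '-': i += 2                         # -c, -: reject flags: no-ops here
        elif ch == 'c': word = word[:1].upper() + word[1:].lower(); i += 1
        elif rule.startswith('Az"', i):                # Az"str": append str
            end = rule.index('"', i + 3); word += rule[i + 3:end]; i = end + 1
        elif ch == 's': word = word.replace(rule[i + 1], rule[i + 2]); i += 3  # sXY
        elif rule.startswith('<+', i):                 # reject if the word got too long
            if len(word) > MAX_LEN: return None
            i += 2
        else: raise ValueError('unsupported rule command: ' + ch)
    return word

def run_rules(lines, words):  # wordlist-mode order: all words under rule 1, then rule 2, ...
    rules = [r for line in lines for r in preprocess(line)]
    return [c for r in rules for w in words if (c := apply_rule(r, w)) is not None]

PINS_SUBSET = ['-[c:] \\p[c:] Az"1004" <+',              # constructed subset of the Pins lines
               '-[c:] \\p[c:] Az"0000"s01 <+',           # above, one per family (the full
               '-[c:] \\p[c:] Az"XYXY"sX1sY2 <+',        # 79-line set expands to 1,240 rules)
               '-[c:] \\p[c:] Az"0[1-9][0-2][1-9]" <+',  # MMDD for months 01-09: 486 rules
               '-[c:] \\p[c:] Az"19[0-9][0-9]" <+']      # 19xx: 200 rules
```

With the whole Pins section pasted into the list, len(run_rules(lines, ['one'])) comes out at 1,240 just like the wc -l run above; the five-line subset here gives 692.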
Flags
Also on the wiki:
More information about how to do password generation using wordlists and the KoreLogic rules, as well as writing your own rules: John the Ripper/Password Generation