sPlico (The sPlicster)
Join Date: Jan 2005
Location: Croatia
My reply
It's a pretty good tutorial, but I'm not sure when it was made, since there are some fallacies in there. I'll try to fix it in my post.
Single mode, as found in the JtR documentation:
"This is the mode you should start cracking with. It will try using the login/GECOS information as passwords. Since the information is only used on the account it was taken from (and on passwords with the same salt, which takes almost no extra time), "single crack" mode is much faster than the wordlist mode, which allows using a lot of rules (they are always enabled for this mode) in a reasonable time. Guessed passwords are also tried on the entire password list, just in case more users have the same password. Of course, this will only get those passwords that are based on the information used."
So, what this does is use the "usernames" from the pfile as a wordlist (with the rules found in [List.Rules:Single]) and try those usernames on their designated pass and on all other encrypted passes with the same salt, AND ONLY ON THE SAME SALT (because that takes almost no extra time at all). This means it's not as thorough as the -wordlist mode (which runs one word against ALL encrypted passes, no matter how many salts). Also, when it guesses a pass, it tries that same one on ALL passes, because there is reasonable belief someone else might use that one as well (and this also doesn't take much time because it's 1 pass on many salts).
That's why we mustn't confuse -w mode and -si mode. That's what causes the real slowdown from -si mode to -w mode.
This chapter C needs a whole rewrite. "-rules" just uses the wordlist supplied and applies the rules to it, one at a time. Meaning, if you have 10 rules, it will first apply the 1st rule to the whole wordlist and run it against the pfile, then the 2nd rule to the whole wordlist and go against the whole pfile, etc. (The actual steps are: 1st rule -> 1st word in wordlist -> whole pfile, 1st rule -> 2nd word in wordlist -> whole pfile, 1st rule -> 3rd word in wordlist -> whole pfile, etc.)
QUOTE
This method does the same as B but it also goes a bit further. Besides the whole singles in the wordlist it also tries parts of the singles in the wordlist as samples. So if your wordlist contains the single "asshole" it will also try "ass" and "hole" as samples.
I'm not sure where he got this, but it doesn't do this. It can only do this if you supply the right rule (for this example, to try "ass" and "hole" from asshole you'd need 2 rules: /]/]/]/] and /[/[/[; it can be done other ways but let's take this as an example). BUT these are done GLOBALLY, so it would work for the supplied word, but if you have something like "trustno1" in the wordlist it would try "stno1" and "trus", and these don't really make much sense. JTR doesn't have any way of recognising words (such as ass or hole). It does what you tell it to do, and that's that.
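To make the rule-ordering and "rules are blind" points concrete, here is a small added Python example; it is not code from this post or from John the Ripper itself. It interprets a handful of JtR rule commands (`:` no-op, `$X` append, `^X` prepend, `]` delete last, `[` delete first, `<N`/`>N` length rejects with a single-digit N) following the semantics in the JtR docs, and generates candidates in the order described: the first rule over the whole wordlist, then the second, each candidate being what would then be tried against every entry in the pfile. The bare `]]]]` and `[[[` spellings and the two-word sample wordlist are my own choices; the `[tT]` bracket notation used later in the post is a preprocessor feature and is not supported here.

```python
from typing import Iterator, List, Optional, Tuple


def apply_rule(rule: str, word: str) -> Optional[str]:
    """Apply one rule to one word using a small subset of John the Ripper's
    wordlist-rule commands (semantics assumed from the JtR docs):
      :    no-op, try the word unchanged
      $X   append character X
      ^X   prepend character X
      ]    delete the last character
      [    delete the first character
      <N   reject the word unless it is shorter than N (single digit N here)
      >N   reject the word unless it is longer than N (single digit N here)
    Returns the mangled word, or None when the rule rejects it."""
    w = word
    i = 0

    def arg(pos: int) -> str:
        if pos >= len(rule):
            raise ValueError(f"command {rule[pos - 1]!r} needs an argument in {rule!r}")
        return rule[pos]

    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":
            i += 1
        elif cmd == "$":
            w = w + arg(i + 1)
            i += 2
        elif cmd == "^":
            w = arg(i + 1) + w
            i += 2
        elif cmd == "]":
            w = w[:-1]
            i += 1
        elif cmd == "[":
            w = w[1:]
            i += 1
        elif cmd in "<>":
            n = int(arg(i + 1))
            if (cmd == "<" and len(w) >= n) or (cmd == ">" and len(w) <= n):
                return None          # length condition failed: word is rejected
            i += 2
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    # An empty result is treated as rejected in this toy (assumption).
    return w if w else None


def candidates(rules: List[str], wordlist: List[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (rule, word, candidate) in the order the post describes: the outer
    loop is over rules and the inner loop over words, so the 1st rule is applied
    to every word (each candidate then being hashed against the whole pfile)
    before the 2nd rule is touched at all. Rejected words yield nothing."""
    for rule in rules:
        for word in wordlist:
            cand = apply_rule(rule, word)
            if cand is not None:
                yield rule, word, cand


if __name__ == "__main__":
    # Constructed sample: the two deletion rules and the two words from the post.
    rules = ["]]]]", "[[["]
    words = ["asshole", "trustno1"]
    for rule, word, cand in candidates(rules, words):
        print(f"rule {rule:<5} word {word:<9} -> {cand}")
    # A length-conditioned rule: "<6" rejects words of 6 or more characters,
    # so "the" is only prepended to the short word.
    for word in ["cat", "trustno1"]:
        print(f"<6^e^h^t on {word!r} -> {apply_rule('<6^e^h^t', word)!r}")
```

Running it prints "ass" and "trus" first (rule 1 over both words), then "hole" and "stno1" (rule 2), which is exactly why a rule written with one word in mind produces nonsense on every other word in the list.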
QUOTE
Personally I believe that -rules does the same as the incremental method but based on the fact that a single can be seen as a character/number sequence which are all tried. And thus also the samples "as", "shole", "less" etc. are tried as samples...
Also doesn't go. JTR can't recognise words/parts of words. It's rather easy to test this, and it doesn't do it.
QUOTE
The inclusion of the -salts:X indicates basically the priority that JTR should use to figure things out. I think that the higher X, the more JTR focuses on a similar encryption (possibly meaning the same pass). As some words are more common than others as passes, it's likely that JTR will thus find certain passes faster as it then has more material to figure things out.
-salts is used to "speed" a process up a bit, but it also misses any passwords whose salt doesn't have the total number we specified. Using -salts:2, for example, will make John try salts with two or more passwords and skip those with only 1. By that, using -salts:1000 will make John try salts with 1000 or more passwords and skip those salts that have 999 or fewer encryptions.
For those that don't know, the "salts" are the first 2 characters in DES encryption.
Examples:
notmenow:OxGqomf32Jid.
novaless:NZVa1AqAxgmOA
nubbycat:qoPggbFi1e3zI
salamou2:203CWm7aBA8xg
nutz1414:Ca3yrdjzo.EDg
salhomon:TEGoFFiV8scak
00241145:Gl0NyIvNCVznM
nookjay3:35QFwwgaEJtgU
norapiss:49IMzFpu9fAhQ
Are all different salts. Load that in jtr and you'll see "Loaded 9 passwords with 9 different salts (Traditional DES [64/64 BS MMX])"
But, on
notmenow:OxGqomf32Jid.
novaless:OxVa1AqAxgmOA
nubbycat:OxPggbFi1e3zI
salamou2:Ox3CWm7aBA8xg
nutz1414:Ox3yrdjzo.EDg
salhomon:TEGoFFiV8scak
00241145:TE0NyIvNCVznM
nookjay3:TEQFwwgaEJtgU
norapiss:TEIMzFpu9fAhQ
you will see "Loaded 9 passwords with 2 different salts (Traditional DES [64/64 BS MMX])"
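As an added illustration (not from this post and not John's own code), the following Python script reads password-file lines in the traditional DES crypt(3) format, takes the first two characters of each hash as the salt, and reproduces the two "Loaded N passwords with M different salts" counts quoted above. It also emulates what -salts:N does to such a file, showing how many entries get skipped and therefore never cracked. The two sample files are the post's own lines, embedded here as constructed input; the DES_CRYPT pattern is my assumption about the format (13 characters from the crypt alphabet).

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed input: the two sample password files quoted in the post above.
# A traditional DES crypt(3) hash is 13 characters from [./0-9A-Za-z];
# the first two characters are the salt.
PFILE_NINE_SALTS = """\
notmenow:OxGqomf32Jid.
novaless:NZVa1AqAxgmOA
nubbycat:qoPggbFi1e3zI
salamou2:203CWm7aBA8xg
nutz1414:Ca3yrdjzo.EDg
salhomon:TEGoFFiV8scak
00241145:Gl0NyIvNCVznM
nookjay3:35QFwwgaEJtgU
norapiss:49IMzFpu9fAhQ
"""

PFILE_TWO_SALTS = """\
notmenow:OxGqomf32Jid.
novaless:OxVa1AqAxgmOA
nubbycat:OxPggbFi1e3zI
salamou2:Ox3CWm7aBA8xg
nutz1414:Ox3yrdjzo.EDg
salhomon:TEGoFFiV8scak
00241145:TE0NyIvNCVznM
nookjay3:TEQFwwgaEJtgU
norapiss:TEIMzFpu9fAhQ
"""

# Assumed shape of a traditional DES crypt hash: exactly 13 crypt-alphabet chars.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_pfile(text: str) -> List[Tuple[str, str]]:
    """Return (user, hash) pairs for every 'user:hash' line whose hash looks like
    traditional DES crypt; lines without a colon or in another format are skipped."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, hash_ = line.split(":", 1)
        hash_ = hash_.strip()
        if DES_CRYPT.match(hash_):
            entries.append((user, hash_))
    return entries


def group_by_salt(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group users by the salt (first two characters) of their hash."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, hash_ in entries:
        groups[hash_[:2]].append(user)
    return dict(groups)


def load_summary(text: str) -> Tuple[int, int]:
    """(passwords loaded, distinct salts): the two numbers John reports."""
    entries = parse_pfile(text)
    return len(entries), len(group_by_salt(entries))


def salts_filter(text: str, minimum: int) -> Tuple[Dict[str, List[str]], int]:
    """Emulate -salts:<minimum>: keep only salts shared by at least `minimum`
    hashes. Returns (kept salts with their users, number of hashes skipped)."""
    groups = group_by_salt(parse_pfile(text))
    kept = {s: u for s, u in groups.items() if len(u) >= minimum}
    skipped = sum(len(u) for u in groups.values() if len(u) < minimum)
    return kept, skipped


if __name__ == "__main__":
    for name, text in (("nine salts", PFILE_NINE_SALTS), ("two salts", PFILE_TWO_SALTS)):
        n, m = load_summary(text)
        print(f"{name}: Loaded {n} passwords with {m} different salts")
        kept, skipped = salts_filter(text, 2)
        print(f"  -salts:2 keeps salts {sorted(kept)} and skips {skipped} password(s)")
```

On the first file every salt is unique, so -salts:2 skips all nine entries; on the second, "Ox" (5 hashes) and "TE" (4 hashes) both survive -salts:2, while -salts:5 keeps only "Ox" and silently drops the four "TE" passwords, which is the trade-off the post warns about.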
QUOTE
D. john -w:wordlist.txt -rules -stdout:8 | unique huge.lst
john -w:huge.lst passfile.txt
I saw this in the jtr documentation as well, but I don't see any special usage in it except some slight "speed" gains and a lot of disk space occupied.
For "-makechars" I'd add something also from the jtr documentation:
"If you got a password file and already have a lot of passwords cracked or sniffed, and the passwords are unusual, then you might want to generate a new charset file, based on characters from that password file only:
john -makechars:custom.chr passwd.1"
This will create a specific charset only for that passfile.
Chapter G is also full of fallacies. As figured out by Sentinel, AD's fake protection is the same as "afterfingerprinting" in his tool. I'm sure you know this, Splendid, but I'll write it for those that don't. Basically what this does is: it checks a combo against a site. If it gets a 200 OK response, it then sends some "fake" combo to the site (like "lf23kljdsf:dfsj23") and looks at the reply. If the reply for that one was also 200 OK it marks it as FAKE; if the reply was something else, it marks it as good (the actual DETAILS no one actually knows because AD is not open source), but that is the basic principle. It doesn't try to "guess" encryption or something.
That's all i have for today. My conclusion for everyone would be like this.
1st. Don't dismiss the single mode so fast. Because of its mode and speed it is VERY useful for VERY complex rules that in -w mode would take ages. It's the single most powerful mode in john there is if you ask me.
2nd. If you know some kind of rule is VERY VERY COMMON (like adding numbers behind a username, $[0-9]) it is better to use -w mode.
3rd. Running -i:digits isn't as long as it might seem. Running that on a 1-salt pfile will finish in about 10 minutes.
4th. When you fail in everything, switch to -i mode.
That's all for now. JTR is such an extensive theme that we could talk for ages about it. I believe this will be enough for now as a little addition to the tutorial up there.
Part 2
I myself always combine my pfiles together in 3 categories. All, tested against wordlist, newest. I almost never run 1 single pfile if that's what you meant.
Also, adding "69" after a word was the 1st rule I ever made LOL.
Btw, prepending "the" (<6^e^h^[tT]), appending "cat" (<6$c$a$t) and some things like that also give some more hits (dog, dr., cunt, etc., whatever you can think of).