John the Ripper/Rules
From charlesreid1
Using Rules with John
Download an excellent set of John the Ripper rules from KoreLogic security here: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt
Based on the 2010 Defcon Crack Me If You Can contest.
Install the Rules
To install the rules, download that text file, then run this command to append those rules to John's configuration file (here /etc/john/john.conf):
$ cat korelogic-rules-20100801.txt >> /etc/john/john.conf
Using Rules
Now you can use any of the rules listed here (http://contest-2010.korelogic.com/rules.html) or that appear in the rules file in the form [List.Rules:KoreLogicRulesPrependSeason] (just drop the List.Rules: part):
$ john --wordlist=rockyou-10.txt --format=wpapsk --rules=KoreLogicRulesPrependYears crackme
List All the Rules
Here's a one-liner to list all the KoreLogic rule sets in the configuration file, by grepping and cutting. Remember that each one of these rule sets can produce thousands of password variations per input word!
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do echo ${ruleset}; done
KoreLogicRulesPrependSeason
KoreLogicRulesAppendSeason
KoreLogicRulesPrependHello
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendCurrentYearSpecial
KoreLogicRulesAppend4Num
KoreLogicRulesAppend5Num
KoreLogicRulesAppend6Num
KoreLogicRulesAppendSpecial3num
KoreLogicRulesAppendSpecial4num
KoreLogicRulesPrependCAPCAPAppendSpecial
KoreLogicRulesPrependNumNumAppendSpecial
KoreLogicRulesPrependNumNum
KoreLogicRulesPrependNumNumNum
KoreLogicRulesPrependNumNumNumNum
KoreLogicRulesPrependNumNumSpecial
KoreLogicRulesPrepend2NumbersAppend2Numbers
KoreLogicRulesPrependSpecialSpecial
KoreLogicRulesAppendSpecialNumberNumber
KoreLogicRulesAppendSpecialNumberNumberNumber
KoreLogicRulesPrependSpecialSpecialAppendNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumberNumber
KoreLogicRulesAppend2Letters
KoreLogicRulesPrepend4NumAppendSpecial
KoreLogicRulesAppend4NumSpecial
KoreLogicRulesAppend3NumSpecial
KoreLogicRulesAppend2NumSpecial
KoreLogicRulesAddJustNumbersLimit8
KoreLogicRulesDevProdTestUAT
KoreLogicRulesPrependAndAppendSpecial
KoreLogicRulesAppendJustNumbers
KoreLogicRulesAppendNumbers_and_Specials_Simple
KoreLogicRulesAppendJustSpecials
KoreLogicRulesMonthsFullPreface
KoreLogicRulesAddShortMonthsEverywhere
KoreLogicRulesPrepend4LetterMonths
KoreLogicRulesAdd2010Everywhere
KoreLogicRulesPrependDaysWeek
KoreLogicRulesAdd1234_Everywhere
KoreLogicRulesAppendMonthDay
KoreLogicRulesAppendMonthCurrentYear
KoreLogicRulesReplaceNumbers2Special
KoreLogicRulesReplaceNumbers
KoreLogicRulesReplaceLettersCaps
KoreLogicRulesAddDotCom
KoreLogicRulesAppendCap-Num_or_Special-Twice
KoreLogicRulesAppendSpecialLowerLower
KoreLogicRulesAppendJustSpecials3Times
KoreLogicRulesPrependJustSpecials
KoreLogicRulesAppend1_AddSpecialEverywhere
KoreLogicRulesPrependNumNum_AppendNumSpecial
KoreLogicRulesAppendNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere
KoreLogicRulesAppendYears_AddSpecialEverywhere
KoreLogicRulesL33t
KoreLogicRulesReplaceSpecial2Special
KoreLogicRulesReplaceLetters
Use All the Rules
This is overkill, but it extracts every rule set from the KoreLogic rule list and runs john with each one of them. From the full list at http://contest-2010.korelogic.com/rules.html you can see that will take a very long time. It becomes handy, though, when combined with grep to filter the rule names down to a subset.
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done
A nice subset:
$ grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1 | grep Year | grep -v Special
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendMonthCurrentYear
Put into use:
$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1 | grep Year | grep -v Special`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done
Pin Numbers
Analysis of pin numbers: http://www.datagenetics.com/blog/september32012/
I want to turn this into some John the Ripper rules.
Defining Rules
First, start by defining some rule names.
Some 4-digit numbers that are low-hanging fruit and hard to program with patterns:
[List.Rules:CommonPins]
# low hanging fruit
-[c:] \p[c:] Az"0123" <+
-[c:] \p[c:] Az"1234" <+
-[c:] \p[c:] Az"2345" <+
-[c:] \p[c:] Az"3456" <+
-[c:] \p[c:] Az"4567" <+
-[c:] \p[c:] Az"5678" <+
-[c:] \p[c:] Az"6789" <+
-[c:] \p[c:] Az"7890" <+
-[c:] \p[c:] Az"1004" <+
-[c:] \p[c:] Az"4321" <+
-[c:] \p[c:] Az"6969" <+
-[c:] \p[c:] Az"1122" <+
-[c:] \p[c:] Az"1313" <+
-[c:] \p[c:] Az"0007" <+
-[c:] \p[c:] Az"0070" <+
-[c:] \p[c:] Az"1984" <+
-[c:] \p[c:] Az"2580" <+
-[c:] \p[c:] Az"2468" <+
-[c:] \p[c:] Az"1357" <+
# xxxx
-[c:] \p[c:] Az"0000" <+
-[c:] \p[c:] Az"0000"s01 <+
-[c:] \p[c:] Az"0000"s02 <+
-[c:] \p[c:] Az"0000"s03 <+
-[c:] \p[c:] Az"0000"s04 <+
-[c:] \p[c:] Az"0000"s05 <+
-[c:] \p[c:] Az"0000"s06 <+
-[c:] \p[c:] Az"0000"s07 <+
-[c:] \p[c:] Az"0000"s08 <+
-[c:] \p[c:] Az"0000"s09 <+
Create some patterns for one-number PINs:
[List.Rules:OneNumberPins]
# 000x
-[c:] \p[c:] Az"0001" <+
-[c:] \p[c:] Az"0001"s12 <+
-[c:] \p[c:] Az"0001"s13 <+
-[c:] \p[c:] Az"0001"s14 <+
-[c:] \p[c:] Az"0001"s15 <+
-[c:] \p[c:] Az"0001"s16 <+
-[c:] \p[c:] Az"0001"s17 <+
-[c:] \p[c:] Az"0001"s18 <+
-[c:] \p[c:] Az"0001"s19 <+
# x000
-[c:] \p[c:] Az"1000" <+
-[c:] \p[c:] Az"1000"s12 <+
-[c:] \p[c:] Az"1000"s13 <+
-[c:] \p[c:] Az"1000"s14 <+
-[c:] \p[c:] Az"1000"s15 <+
-[c:] \p[c:] Az"1000"s16 <+
-[c:] \p[c:] Az"1000"s17 <+
-[c:] \p[c:] Az"1000"s18 <+
-[c:] \p[c:] Az"1000"s19 <+
Next come the two-number PIN patterns.
[List.Rules:TwoNumberPins]
# x001
-[c:] \p[c:] Az"1001" <+
-[c:] \p[c:] Az"2001" <+
-[c:] \p[c:] Az"2001"s23 <+
-[c:] \p[c:] Az"2001"s24 <+
-[c:] \p[c:] Az"2001"s25 <+
-[c:] \p[c:] Az"2001"s26 <+
-[c:] \p[c:] Az"2001"s27 <+
-[c:] \p[c:] Az"2001"s28 <+
-[c:] \p[c:] Az"2001"s29 <+
# xyxy where x and y are within 1 of each other
-[c:] \p[c:] Az"XYXY"sX1sY2 <+
-[c:] \p[c:] Az"XYXY"sX2sY3 <+
-[c:] \p[c:] Az"XYXY"sX3sY4 <+
-[c:] \p[c:] Az"XYXY"sX4sY5 <+
-[c:] \p[c:] Az"XYXY"sX5sY6 <+
-[c:] \p[c:] Az"XYXY"sX6sY7 <+
-[c:] \p[c:] Az"XYXY"sX7sY8 <+
-[c:] \p[c:] Az"XYXY"sX8sY9 <+
# yxyx
-[c:] \p[c:] Az"XYXY"sY1sX2 <+
-[c:] \p[c:] Az"XYXY"sY2sX3 <+
-[c:] \p[c:] Az"XYXY"sY3sX4 <+
-[c:] \p[c:] Az"XYXY"sY4sX5 <+
-[c:] \p[c:] Az"XYXY"sY5sX6 <+
-[c:] \p[c:] Az"XYXY"sY6sX7 <+
-[c:] \p[c:] Az"XYXY"sY7sX8 <+
-[c:] \p[c:] Az"XYXY"sY8sX9 <+
The next set of PINs covers dates of the form MMDD, followed by a set for four-digit years:
[List.Rules:DatePins]
# MMDD
-[c:] \p[c:] Az"0[1-9][0-2][0-9]" <+
-[c:] \p[c:] Az"0[1-9]3[0-1]" <+
-[c:] \p[c:] Az"1[0-2][0-2][0-9]" <+
-[c:] \p[c:] Az"1[0-2]3[0-1]" <+

[List.Rules:YearPins]
# 19xx
-[c:] \p[c:] Az"19[0-9][0-9]" <+
# 20xx
-[c:] \p[c:] Az"20[0-1][0-9]" <+
-[c:] \p[c:] Az"20[2-9][0-9]" <+
Top it all off by defining a master rule:
# all pins
[List.Rules:AllPins]
.include [List.Rules:CommonPins]
.include [List.Rules:OneNumberPins]
.include [List.Rules:TwoNumberPins]
.include [List.Rules:DatePins]
.include [List.Rules:YearPins]
Blow It Up
Check it:
1 password will become 1,240 passwords. Better than 10,000!
root@morpheus:~/box/besside# john --wordlist=one.txt --stdout | wc -l
1
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=Pins --stdout | wc -l
1240
92 passwords blows up to 114,080 passwords.
root@morpheus:~/box/besside# john --wordlist=/root/codes/SecLists/Passwords/rockyou-10.txt --stdout | wc -l
92
root@morpheus:~/box/besside# john --wordlist=/root/codes/SecLists/Passwords/rockyou-10.txt --rules=Pins --stdout | wc -l
114080
If we were checking a password file like phpbb.txt, which has 184,300 passwords, that would cost us 1,240 new passwords per password in the file (to check each password with a 4-digit number appended to it). That's 228,532,000 passwords total. At a rate of about 1,240 passwords per second, that would be 51 hours, or 2.1 days. On a higher-end machine you might get 1,800 passwords per second, which cuts the time to 35 hours, or 1.4 days. Still a long time.
Breakdown
Note that each of these is tested with a single password as input, but the number out is twice what it should be, because John the Ripper is trying both uppercase and lowercase passwords.
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=CommonPins --stdout | wc -l
Press 'q' or Ctrl-C to abort, almost any other key for status
58p 0:00:00:00 100.00% (2016-03-29 04:25) 414.2p/s one9999
58
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=OneNumberPins --stdout | wc -l
Press 'q' or Ctrl-C to abort, almost any other key for status
36p 0:00:00:00 100.00% (2016-03-29 04:25) 257.1p/s one9000
36
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=TwoNumberPins --stdout | wc -l
Press 'q' or Ctrl-C to abort, almost any other key for status
50p 0:00:00:00 100.00% (2016-03-29 04:25) 384.6p/s one9898
50
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=DatePins --stdout | wc -l
Press 'q' or Ctrl-C to abort, almost any other key for status
696p 0:00:00:00 100.00% (2016-03-29 04:26) 4640p/s one1231
696
root@morpheus:~/box/besside# john --wordlist=one.txt --rules=YearPins --stdout | wc -l
Press 'q' or Ctrl-C to abort, almost any other key for status
400p 0:00:00:00 100.00% (2016-03-29 04:26) 2666p/s one2099
400
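The doubling in every count above comes from the -[c:] \p[c:] prefix: the preprocessor expands each rule line into a capitalizing variant (-c c ...) and an unchanged one (-: : ...). As an added example, not part of the original page or of John's own code, here is a small Python model of just the rule syntax the PIN rules use (ranges, \p parallel ranges, Az"...", sXY, and <+ treated as always passing); run over the YearPins section for the word "one" it reproduces the 400 candidates and the final one2099 seen in the breakdown.

```python
import itertools, re

def expand_ranges(rule):
    """Expand one rule line into the concrete rules John's preprocessor generates."""
    parts, i = [], 0                       # literal chars or ("range"|"par", choices)
    while i < len(rule):
        if rule[i] == "[" or rule.startswith("\\p[", i):
            par = rule[i] == "\\"            # \p[...] steps in parallel with the 1st range
            j = rule.index("]", i)
            body, chars = rule[i + 3 if par else i + 1:j], []
            for a, b, c in re.findall(r"(.)-(.)|(.)", body):   # "a-b" spans or single chars
                chars += [chr(x) for x in range(ord(a), ord(b) + 1)] if a else [c]
            parts.append(("par" if par else "range", chars)); i = j + 1
        else:
            parts.append(rule[i]); i += 1
    ranges = [p[1] for p in parts if isinstance(p, tuple) and p[0] == "range"]
    concrete = []
    for idx in itertools.product(*[range(len(r)) for r in ranges]):
        n, out = 0, []
        for p in parts:
            if isinstance(p, str): out.append(p)
            elif p[0] == "range": out.append(p[1][idx[n]]); n += 1
            else: out.append(p[1][idx[0]])  # parallel range: same index as the first range
        concrete.append("".join(out))
    return concrete

def apply_rule(rule, word):
    """Apply one concrete rule to a word; only the commands the PIN rules use."""
    w, i = word, 0
    while i < len(rule):
        c = rule[i]
        if c in " :": i += 1                 # separator / no-op command
        elif c in "-<": i += 2               # -c, -: flags and <+ length check: always pass here
        elif c == "c": w = w[:1].upper() + w[1:].lower(); i += 1   # capitalize
        elif c == "A":                       # Az"str": append str at the end of the word
            j = rule.index('"', i + 3); w += rule[i + 3:j]; i = j + 1
        elif c == "s": w = w.replace(rule[i + 1], rule[i + 2]); i += 3  # sXY: replace X by Y
        else: raise ValueError(f"unsupported command {c!r} in {rule}")
    return w

def run_ruleset(lines, word):
    """Candidates for one word in John's order; section headers and comments skipped."""
    rules = [l.strip() for l in lines if l.strip() and l.strip()[0] not in "#["]
    return [apply_rule(r, word) for line in rules for r in expand_ranges(line)]

# Sample input: the page's YearPins section, copied verbatim.
YEAR_PINS = r'''[List.Rules:YearPins]
-[c:] \p[c:] Az"19[0-9][0-9]" <+
-[c:] \p[c:] Az"20[0-1][0-9]" <+
-[c:] \p[c:] Az"20[2-9][0-9]" <+'''.splitlines()
```

Calling run_ruleset(YEAR_PINS, "one") yields 400 candidates, starting with One1900 and ending with one2099, matching the wc -l count in the breakdown.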
Flags
Also on the wiki:
More information about how to do password generation using wordlists and the KoreLogic rules, as well as writing your own rules: John the Ripper/Password Generation