October 01, 2004 (technical)

Running jtr-1.6.37-mpiwlcmf2 on LM passwords with a large wordlist

Instead of using the default password.lst file (as before), I used wordlist files from www.openwall.com.

The two main password files were all.lst and mangled.lst.

/passwd_cd/all.lst - 3,917,193 lines
This file has the following wordlists inside:

  • passwords/password.lst
  • passwords/languages/*

/passwd_cd/mangled.lst - 40,532,676 lines
This file has the following wordlists put through word-mangling rules:

  • passwords/password.lst
  • passwords/lower.lst
  • languages/English/1-tiny/lower.lst
  • languages/English/1-tiny/cap.lst
  • languages/English/2-small/lower.lst
  • languages/English/2-small/cap.lst
  • languages/English/2-small/alnum.lst
  • languages/English/2-small/mixed.lst
  • languages/German/1-small/lower.lst
  • languages/German/1-small/cap.lst
  • languages/French/lower.lst
  • languages/Danish/1-small/lower.lst
  • languages/Dutch/1-clean/lower.lst
  • languages/Italian/1-small/lower.lst
  • languages/English/3-large/lower.lst
  • languages/English/3-large/cap.lst
  • languages/English/3-large/alnum.lst
  • languages/English/3-large/acronym.lst
  • then at the bottom all unique words from all.lst are included as well.

First test - using the all.lst file with rules turned off.
This test completed in 1 second, cracking the following username/plaintext:
test45:2 PENDENC
test50:1 NOITAMR
test15:1 TNEMERC

Each of these passwords was actually cracked twice! The 2 processors were both finding the same first 7 characters in longer words that share a prefix, for example:
pendencies and pendency
so node 0 would get PENDENC from pendencies and node 1 would get PENDENC from pendency.

This does highlight that, for LM hashes, it might be useful to truncate these wordlists down to 7 characters and remove any duplicates.
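A sketch of that wordlist reduction, added here as an example (it is not code from the original post or from John the Ripper; the names `lm_candidates` and `reduce_wordlist` are made up for this example). It goes one step beyond the suggestion above: it upper-cases each word and also emits characters 8-14 as a separate candidate, since the `:1` and `:2` results show each 7-character half being cracked on its own.

```python
import sys
from typing import Iterable, Iterator

LM_HALF = 7    # each 7-character half of an LM password is hashed on its own
LM_MAX = 14    # nothing past character 14 reaches an LM hash


def lm_candidates(lines: Iterable[bytes]) -> Iterator[bytes]:
    """Yield unique, upper-cased LM half-candidates in first-seen order."""
    seen = set()
    for raw in lines:
        # bytes.upper() only changes ASCII letters; other bytes pass through
        # unchanged (assumption: the wordlist is mostly ASCII).
        word = raw.rstrip(b"\r\n").upper()[:LM_MAX]
        for half in (word[:LM_HALF], word[LM_HALF:]):
            if half and half not in seen:
                seen.add(half)
                yield half


def reduce_wordlist(src_path: str, dst_path: str) -> tuple:
    """Write the reduced list to dst_path; return (lines_read, lines_written)."""
    read = written = 0

    def counted(fh):
        nonlocal read
        for line in fh:
            read += 1
            yield line

    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for cand in lm_candidates(counted(src)):
            dst.write(cand + b"\n")
            written += 1
    return read, written


# Constructed sample: the two words from the post plus two invented ones.
SAMPLE = [b"pendencies\n", b"pendency\n", b"Password\n", b"password123\n"]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("%d lines in, %d candidates out" % reduce_wordlist(*sys.argv[1:3]))
    else:
        print([c.decode("latin-1") for c in lm_candidates(SAMPLE)])
```

First-seen order is kept so that a list sorted by likelihood stays sorted. A list reduced this way fits a rules-off run; truncating before a rules-on run changes what rules such as reversal or appended digits produce.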

Second test - using the all.lst file with rules turned on.
This test completed in 37 seconds, cracking the following username/plaintext:
test45:2 PENDENC*
test50:1 NOITAMR*
test15:1 TNEMERC*
test40:1 SNOISSE*
test40:2 RPXEBUS
test35:1 SLAUGH7
test50:2 OFSNART

Passwords marked with a * were cracked twice - similar to what happened in the first test.

Third test - using the mangled.lst file with rules turned off.
This test completed in 13 seconds, cracking the following username/plaintext:
test50:1 NOITAMR*
test15:1 TNEMERC*
test45:2 PENDENC*
test40:1 SNOISSE*
test50:2 OFSNART*

Passwords marked with a * were cracked twice - similar to what happened above.

Posted by xntrik at October 1, 2004 03:26 PM