Discussion:
[john-users] got DaveGrohl and JtR working, need to focus the attack
Eric Oyen
2018-04-29 01:57:57 UTC
Hello everyone,
well, I finally managed to find out why DaveGrohl was not outputting a proper hash for JTR to do its thing. I ended up having to acquire the patch for that program from the old version index on GitHub. After applying that, compiling and running, I finally got full JTR support in that program. I now have JTR working on the 2 hashes I need (one at a time, of course). BTW, is there any way I can tell JTR to use a specific length password and some probable characters?

believe me, I tried creating a fairly complete wordlist, but I don't have the minimum 10 TB of space required to house it.

so, any suggestions, comments or help would certainly be appreciated. :)

thanks,

-eric

PGP fingerprint: 6DFB D6B0 3771 90F1 373E 570C 7EA2 1FF3 6B68 0386
Solar Designer
2018-04-30 12:03:29 UTC
Hi Eric,
Post by Eric Oyen
well, I finally managed to find out why DaveGrohl was not outputting a proper hash for JTR to do its thing. I ended up having to acquire the patch for that program from the old version index on GitHub. After applying that, compiling and running, I finally got full JTR support in that program.
Great. Maybe you could post more detail on this for others reading or
finding this thread later - what specific patch you needed.
Post by Eric Oyen
I now have JTR working on the 2 hashes I need
BTW, you never mentioned why you need those cracked.
Post by Eric Oyen
(one at a time, of course).
Why, you could as well run JtR on both hashes at once (one hash per
line or per file) unless you're focusing the attacks on these two hashes
differently.
Post by Eric Oyen
btw, is there any way I can tell JTR to use a specific length password and some probable characters?
Yes. There are many different ways to do that, and which is best
depends on your specifics. You could use the --min-length and
--max-length options, or/and you could use --mask (doc/MASK explains the
syntax of masks and gives some examples).
Post by Eric Oyen
believe me, I tried creating a fairly complete wordlist, but I don't have the minimum 10 TB of space required to house it.
You don't need to do that.

Alexander
Eric Oyen
2018-05-01 04:49:02 UTC
ok,
well, the reason I need those cracked: I haven't used them on my MacBook in a long time and I need access to their keychains in order to recover other account info. BTW, one of them cracked in 20 seconds (once I used the proper character set - alpha plus numbers).

As for the patch, I got hold of the developer and he sent me a note on how to change the old source (a line for JTR support was commented out). He has since made the change in the source, so now it should work right out of the box.

BTW, the command format to output a proper hash in OS X is: ./dave -j <short username here> and it will spit it out on stdout. Then all you need to do is copy and paste into a text file and set JTR to working on it with the usual variables (such as password length, wordlist file, etc.).

The n7zzt account on my machine is proving far more difficult to crack. I have ruled out 5 character passwords, and am working on 6 now (due to be done in 7 days); I will then try 7 for the length (which, if I have to use any of the special characters, might well require several years of brute forcing). In fact, if my calculations are correct, that operation will take no less than 590 days, 22 hours and a handful of minutes.

BTW, I do know that the n7zzt password is likely 8 or 13 characters long, contains several numbers as well as 1 symbol "!" and (possibly) letters such as H, m, r, d, n, L, z, t (and any of their capitalized variants).

I may have to use another program called crunch to create a specialized wordlist for those lengths that includes specifically those letters, numbers and the 1 special symbol. I can already guess that the wordlist size for the 13 character passwords is going to be slightly larger than 10 TB. Basically, that will be stupidly large and I don't have that amount of space available.

anyway, that's the news so far. BTW, the technomage account was stupidly easy (it had 5 numbers and 4 letters (lower case) and no symbols and was only 10 characters in length). That cut 95 characters down to a possible 36, and it turned out that one of the combinations was already in a custom list I generated with crunch (file size about 1 GB).

anyway, that's it for now.

-eric

PGP fingerprint: 6DFB D6B0 3771 90F1 373E 570C 7EA2 1FF3 6B68 0386
Eric Oyen
2018-05-01 05:41:07 UTC
ok, a followup.
the developer suggested that I run the version 2 precompiled binary. It has the required libraries compiled in and will work on most *nix systems. It also directly supports output to a properly formatted string for JTR. I was trying to get version 1 working here, but (as you have seen) it had some issues. Also, it appears that version 2 also supports running in both server and client modes, so you can set up a small number of servers on your various machines (I have 4 here). There are switches to allow running as a server (the -s and -p switches) and, in client mode, running against all available servers (it will connect to the others).

other than that, the functionality for producing viable hashes is quite good and appears to support both the older model hashes used by older OS X versions and also the newer hashes supported since OS X Sierra.

BTW, can I use the MacPorts version of JTR on High Sierra to work on this? They have the jumbo version available there as well. (Yes, I finally got my new Mac mini up and working.)

thanks,

Eric

Solar Designer
2018-05-01 12:53:10 UTC
Post by Eric Oyen
BTW, can I use the MacPorts version of JTR on High Sierra to work on this? They have the jumbo version available there as well. (Yes, I finally got my new Mac mini up and working.)
Probably yes, but you could prefer one of our community's recent builds:

http://download.openwall.net/pub/projects/john/contrib/macosx/

I don't know what version macports has nor how it's been built.
Post by Eric Oyen
The n7zzt account on my machine is proving far more difficult to crack. I have ruled out 5 character passwords, and am working on 6 now (due to be done in 7 days); I will then try 7 for the length (which, if I have to use any of the special characters, might well require several years of brute forcing). In fact, if my calculations are correct, that operation will take no less than 590 days, 22 hours and a handful of minutes.
You'll need to focus these attacks or/and use incremental mode (which
orders the candidate passwords from most to least likely). You can
probably also speed things up - e.g., are you currently using --fork
(requires JtR 1.8+)?
Post by Eric Oyen
BTW, I do know that the n7zzt password is likely 8 or 13 characters long, contains several numbers as well as 1 symbol "!" and (possibly) letters such as H, m, r, d, n, L, z, t (and any of their capitalized variants).
You can use options like this:

-9='hmrdnlztHMRDNLZT?d!' --mask='?9?9?9?9?9?9?9?9'

You can optimize it further if you know what characters are possible in
what position, e.g. if the exclamation mark is definitely at the end:

-9='hmrdnlztHMRDNLZT?d' --mask='?9?9?9?9?9?9?9!'

if only the first letter is uppercase:

-9='hmrdnlzt?d' --mask='[HMRDNLZT]?9?9?9?9?9?9!'

and so on.
Post by Eric Oyen
I may have to use another program called crunch
No, you don't need Crunch. JtR has all of the functionality built-in.

Alexander
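To make concrete how much each of the mask refinements above shrinks the search space (the thread's reason for focusing the attack rather than generating a multi-terabyte wordlist), here is an added keyspace calculator for the mask syntax used in this reply. It is not code from JtR or from anyone in the thread; it implements only the subset of mask syntax shown here (built-in ?l ?u ?d ?s ?a, custom sets -1..-9 given as a dict, [inline] sets and literal characters) and is a reading aid for the -9/--mask examples, not a replacement for doc/MASK.

```python
import itertools
import string

SPECIALS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"  # the 33 printable ASCII symbols
# Built-in placeholders (subset of those listed in JtR's doc/MASK).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": SPECIALS,
    "a": string.ascii_letters + string.digits + SPECIALS,  # 95 printable chars
}

def expand_charset(spec, custom):
    """Expand a set definition such as 'hmrdnlzt?d!' into its characters.
    Custom sets (the dict maps '1'..'9' to their definition) may reference
    built-in placeholders; '??' is a literal question mark."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in custom:
                out.extend(expand_charset(custom[key], custom))
            else:
                out.extend(BUILTIN[key])
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(out))  # drop duplicates, keep order

def mask_positions(mask, custom=None):
    """Per-position character sets for a mask: ?X placeholders, [inline]
    sets and literal characters (backslash escapes the next character)."""
    custom, positions, i = custom or {}, [], 0
    while i < len(mask):
        if mask[i] == "?":
            positions.append(expand_charset(mask[i:i + 2], custom)); i += 2
        elif mask[i] == "[":
            j = mask.index("]", i)
            positions.append(expand_charset(mask[i + 1:j], custom)); i = j + 1
        elif mask[i] == "\\":
            positions.append(mask[i + 1]); i += 2
        else:
            positions.append(mask[i]); i += 1
    return positions

def keyspace(mask, custom=None):
    """Number of candidates the mask enumerates (product of set sizes)."""
    n = 1
    for cs in mask_positions(mask, custom):
        n *= len(cs)
    return n

def candidates(mask, custom=None):
    """Enumerate the candidates in mask order (only sensible for tiny masks)."""
    return ("".join(t) for t in itertools.product(*mask_positions(mask, custom)))
```

Running keyspace() on the three masks from this reply gives 27^8, 26^7 and 8*18^6 candidates respectively, against 95^8 for eight positions of ?a.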