Nmap Development mailing list archives
Re: wordlists for Ncrack
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 28 Jul 2009 22:55:38 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 28 Jul 2009 21:14:10 +0200 Sebastien Raveau <sebastien.raveau () epita fr> wrote:
On Tue, 28 Jul, 2009 at 16:30:10 +0400, Solar Designer <solar_at_openwall.com> wrote:Obviously, most of these wordlists are too large to be used with Ncrack.If your wordlists are too large, what does it make my 58,427,177 words list? :-P http://blog.sebastien.raveau.name/2009/03/cracking-passwords-with-wikipedia.html
Comparing the size of one's cracking dictionary is a digital pissing contest. A more important measure of a dictionary is not its size but its relative cracking efficiency. Increasing the size runs into diminishing returns. If you are doing offline, unsalted list cracking then bigger is better. If have limited cracking resources you need to use your time efficiently. John's wordlist is an exercise in efficiency rather than completeness.
Agreed it is a bit too "raw" at the moment (I'll work on that) but it has already proven its usefulness already: http://reusablesec.blogspot.com/2009/04/ok-some-actual-results.html so I thought I should mention it here as it might interest some of you in general, if not for using it with Ncrack :-)
Indeed, I've had a lot of success compiling similar word lists. I too used Wikipedia (EN only) as starting point. One of the better sources I've compiled from are the 14,000 wikis hosted by Wikia: http://wikistats.wikia.com/dbdumps/dbdumps.html This includes wikis like Star Wars, Star Trek, World of Warcraft, etc.
Also, speaking of Matt Weir's blog (which is great overall on the topic of password cracking) he just released a passphrase dictionary: http://reusablesec.blogspot.com/2009/07/pass-phrase-input-dictionary.html
Matt has done some good work. He is giving a talk at DEFCON on his phbbb cracking efforts that I'm looking forward to. Back to password lists for Nmap, Nmap/Ncrack can't ship a 10GB password list, not even a 100MB list. We need to ship an efficient list. With that in mind, I too have been working on cracking the phpbb passwords. Of the 189766 unsalted MD5 hashes, I've cracked 176620. That's 93% ;-) http://noh.ucsd.edu/~bmenrigh/phpbb/ I've posted the cracked passwords as well as a count of the hashes sorted by frequency. A little real-word data is a good thing. I'd suggest that we cherry pick the top 100-500 passwords from this list to augment the list that we end up shipping. I've been ridiculously busy lately but at some point this summer I hope to publish detailed analysis of my cracking efforts and some metrics on the passwords cracked so far. I put a lot of engineering time into this cracking. Don't steal my thunder by doing analysis using my cracked list. Brandon -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) iEYEARECAAYFAkpvgfAACgkQqaGPzAsl94LDOgCfULfJ0Jnbf3TO4Me/VSfIKMwJ PzQAnRitOdL2x4ZedTfr2z1AYd2PhVMz =u9xu -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: wordlists for Ncrack Sebastien Raveau (Jul 28)
- Re: wordlists for Ncrack Brandon Enright (Jul 28)
- Re: wordlists for Ncrack ithilgore (Jul 28)
- Re: wordlists for Ncrack Brandon Enright (Jul 28)
- Re: wordlists for Ncrack ithilgore (Jul 28)
- Re: wordlists for Ncrack David Fifield (Jul 28)
- Re: wordlists for Ncrack Brandon Enright (Jul 28)
- Re: wordlists for Ncrack ithilgore (Jul 28)
- Re: wordlists for Ncrack Brandon Enright (Jul 28)
- Re: wordlists for Ncrack Sebastien Raveau (Jul 29)