Nmap Development mailing list archives

Re: Replacing passwords.lst


From: Ron <ron () skullsecurity net>
Date: Sat, 6 Mar 2010 09:15:00 -0600

On Sat, 6 Mar 2010 00:15:02 -0800 Fyodor <fyodor () insecure org> wrote:
> I agree, though I tend to think we shouldn't weigh the results by
> anything other than raw password frequency.  I think we should just
> combine the RockYou, PHPBB, Myspace, and all other reasonable password
> DBs we can find into one master frequency sorted list.  Then we can
> truncate that to the appropriate size for Nmap NSE and Ncrack.
> Admittedly we have some lists such as John which don't have frequency
> data associated with them, but I think we should just exclude those
> for now.  SD told me he would try to get me a version with frequency
> counts--I should ping him on that again.  With good data, I think
> going well above 200 passwords is reasonable.  Some scripts/libraries
> might not want to go through that many by default, but they can always
> set their own limits (in terms of number of guesses or total brute
> force time spent), and having larger files allows users to specify
> larger limits when desired.
>
> So my suggestion is to create a new directory
> /nmap-private-dev/data/passwords.  Maybe have a subdir of that for the
> original lists.  But in the directory itself you can store the
> frequency sorted version of each password list.  Then we can combine
> all of them into one frequency counted and sorted
> /nmap-private-dev/passwords.lst.master like we have now.  I think the
> one we have now may only have myspace passwords in it (according to
> the comments up top).  Then that passwords.lst.master file can be used
> to create /nmap/nselib/data/passwords.lst and
> ~/ncrack/lists/default.pwd.  The default.pwd will probably be much
> larger than passwords.lst.  Setting it up this way will allow us to
> add new password files from time to time as we find them.
>
> Cheers,
> Fyodor

On a related topic, this might be a good time to do some updates to unpwdb while we have our hands in the password list. I'm thinking:
- John the Ripper-like complexity rules -- though much simpler like adding a '1' to the end of the passwords. We have to keep in mind that bruteforcing != cracking, so we can't go crazy like John does
- limits -- either in password count or time. We can have a 100,000-word list, ordered by popularity, but default to the first 1000 (or maybe 5/10/60 seconds) unless a script-arg says otherwise. I vote we use time, since some services will rate limit

Brandon, you seem to have some ideas for the math, and math's more your thing than mine, so can you take the reins on generating the list? We talked yesterday about getting some other password lists (hotmail, etc), so we can include those in the statistics as well.

All my lists will be at http://www.skullsecurity.org/wiki/index.php/Passwords when I'm done. 

-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
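
An added example, not part of the original message and not Nmap's own tooling: a sketch of the merge discussed in the quoted proposal, where per-source frequency lists are summed by raw count into one master ranking and then truncated per consumer. The `uniq -c`-style input format, the function names and the sample counts are assumptions constructed for illustration.

```python
from collections import Counter

def parse_counted(lines):
    """Parse `uniq -c`-style lines (assumed format): padded count, one space, password."""
    counts = Counter()
    for raw in lines:
        line = raw.rstrip("\r\n").lstrip(" ")
        count, sep, password = line.partition(" ")
        # Skip blanks and lines with no numeric count (e.g. lists lacking frequency data).
        if not sep or not count.isdecimal() or password == "":
            continue
        counts[password] += int(count)  # password kept verbatim, inner spaces included
    return counts

def merge_lists(sources):
    """Sum raw counts across all sources; no per-source weighting is applied."""
    master = Counter()
    for lines in sources.values():
        master.update(parse_counted(lines))
    return master

def ranked(master):
    """Most frequent first; ties broken by password so the output is reproducible."""
    return sorted(master.items(), key=lambda kv: (-kv[1], kv[0]))

def truncate(master, limit):
    """Top `limit` passwords: the step that yields a shorter per-tool list."""
    return [pw for pw, _ in ranked(master)[:limit]]

# Constructed sample data; source names and counts are invented for illustration.
SOURCES = {
    "large_site": ["   5000 123456", "   3000 password", "    100 my pass"],
    "medium_site": ["     40 password", "     30 123456", "     30 letmein",
                    "no-frequency-entry"],
    "small_site": ["      7 letmein", "      7 qwerty", "      7 abc123", ""],
}

if __name__ == "__main__":
    master = merge_lists(SOURCES)
    for pw, n in ranked(master):
        print(f"{n:7d} {pw}")
    print(truncate(master, 3))
```

Because counts are summed without normalisation, the largest source dominates the ranking: here an entry seen 100 times on the large source outranks one that appears in both smaller sources.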

