Nmap Development mailing list archives
Re: Replacing passwords.lst
From: Ron <ron () skullsecurity net>
Date: Sat, 6 Mar 2010 09:15:00 -0600
On Sat, 6 Mar 2010 00:15:02 -0800 Fyodor <fyodor () insecure org> wrote:
I agree, though I tend to think we shouldn't weigh the results by anything other than raw password frequency. I think we should just combine the RockYou, PHPBB, Myspace, and all other reasonable password DBs we can find into one master frequency sorted list. Then we can truncate that to the appropriate size for Nmap NSE and Ncrack. Admittedly we have some lists such as John which don't have frequency data associated with them, but I think we should just exclude those for now. SD told me he would try to get me a version with frequency counts--I should ping him on that again.

With good data, I think going well above 200 passwords is reasonable. Some scripts/libraries might not want to go through that many by default, but they can always set their own limits (in terms of number of guesses or total brute force time spent), and having larger files allows users to specify larger limits when desired.

So my suggestion is to create a new directory /nmap-private-dev/data/passwords. Maybe have a subdir of that for the original lists. But in the directory itself you can store the frequency sorted version of each password list. Then we can combine all of them into one frequency counted and sorted /nmap-private-dev/passwords.lst.master like we have now. I think the one we have now may only have myspace passwords in it (according to the comments up top). Then that passwords.lst.master file can be used to create /nmap/nselib/data/passwords.lst and ~/ncrack/lists/default.pwd. The default.pwd will probably be much larger than passwords.lst. Setting it up this way will allow us to add new password files from time to time as we find them.

Cheers,
Fyodor
On a related topic, this might be a good time to do some updates to unpwdb while we have our hands in the password list. I'm thinking:

- john the ripper-like complexity rules -- though much simpler like adding a '1' to the end of the passwords. We have to keep in mind that bruteforcing != cracking, so we can't go crazy like john does
- limits -- either in password count or time. We can have a 100,000-word list, ordered by popularity, but default to the first 1000 (or maybe 5/10/60 seconds) unless a script-arg says otherwise. I vote we use time, since some services will rate limit

Brandon, you seem to have some ideas for the math, and math's more your thing than mine, so can you take the reins on generating the list? We talked yesterday about getting some other password lists (hotmail, etc), so we can include those in the statistics as well.

All my lists will be at http://www.skullsecurity.org/wiki/index.php/Passwords when I'm done.

--
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
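The merge Fyodor describes and the count/time limits Ron proposes, sketched as an added example that is not from the thread or from Nmap's code. The `count password` line format (as `sort | uniq -c` emits), the function names and the sample data are assumptions.

```python
import time
from collections import Counter

def parse_counted(lines):
    """Parse 'count password' lines (assumed format). Returns a Counter,
    or None when a data line carries no count, so the list can be excluded."""
    counts = Counter()
    for raw in lines:
        head, sep, password = raw.rstrip("\r\n").lstrip().partition(" ")
        if not head and not sep:
            continue  # blank line
        if not (sep and head.isdigit()):
            return None  # no frequency data in this list
        if password:  # keeps embedded and trailing spaces intact
            counts[password] += int(head)
    return counts

def build_master(sources):
    """sources: {name: iterable of lines}. Sum raw frequencies across lists and
    rank by total count; ties break on the password so output is stable."""
    total, excluded = Counter(), []
    for name, lines in sources.items():
        counts = parse_counted(lines)
        if counts is None:
            excluded.append(name)
        else:
            total.update(counts)
    ranked = sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, excluded

def limited(passwords, max_count=None, max_seconds=None, clock=time.monotonic):
    """Yield entries in rank order until the count or time budget runs out."""
    deadline = None if max_seconds is None else clock() + max_seconds
    for i, pw in enumerate(passwords):
        if max_count is not None and i >= max_count:
            return
        if deadline is not None and clock() >= deadline:
            return
        yield pw

# Constructed sample input, not real data from any of the lists named above.
SAMPLE = {
    "list_a": ["   5 123456\n", "   3 password\n", "   1 my pass\n"],
    "list_b": ["   4 password\n", "   2 123456\n", "   2 qwerty\n"],
    "uncounted": ["123456\n", "letmein\n"],  # no counts, so it is excluded
}

if __name__ == "__main__":
    ranked, excluded = build_master(SAMPLE)
    for password, count in ranked:
        print(f"{count:8d} {password}")
    print("excluded:", excluded)
```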