Wordlists Package Description. This package contains the rockyou wordlist and symlinks to a number of other password files present in the Kali Linux distribution. This package has an installation size of 134 MB.

Passwords from SecLists. The Passwords directory will hold a number of password lists that can be used by multiple tools when attempting to guess credentials for a given targeted service. This will include a number of very popular lists in cooperation with their maintainers, including the RockYou lists maintained by Rob Bowes.
Each wordlist rule consists of optional rule reject flags followed by one or more simple commands, listed all on one line and optionally separated with spaces. There's also a preprocessor, which generates multiple rules for a single source line. Below you will find descriptions of the rule reject flags, the rule commands (many of them are compatible with those of Crack 5.0a), and the preprocessor syntax.
Numeric constants may be specified and variables referred to with the following characters:
Here max_length is the maximum plaintext length supported for the current hash type.
These may be used to specify character positions, substring lengths, and other numeric parameters to rule commands as appropriate for a given command. Character positions are numbered starting with 0. Thus, for example, the initial value of 'm' (last character position) is one less than that of 'l' (length).
The complement of a class can be specified by uppercasing its name. For example, '?D' matches everything but digits.
To append a string, specify 'z' for the position. To prefix the word with a string, specify '0' for the position.
Although the use of the double-quote character is good for readability, you may use any other character not found in STR instead. This is particularly useful when STR contains the double-quote character. There's no way to escape your quotation character of choice within a string (preventing it from ending the string and the command), but you may achieve the same effect by specifying multiple commands one after another. For example, if you choose to use the forward slash as your quotation character, yet it happens to be found in a string and you don't want to reconsider your choice, you may write 'Az/yes/$/Az/no/', which will append the string 'yes/no'. Of course, it is simpler and more efficient to use, say, 'Az,yes/no,' for the same effect.
Also see the 'X' command (extract and insert substring) under 'Memory access commands' below.
Note that square brackets ('[' and ']') are special characters to the preprocessor: you should escape them with a backslash ('\') if using these commands.
If 'Q' or 'X' are used without a preceding 'M', they read from the initial 'word'. In other words, you may assume an implied 'M' at the start of each rule, and there's no need to ever start a rule with 'M' (that 'M' would be a no-op). The only reasonable use for 'M' is in the middle of a rule, after some commands have possibly modified the word.
The intended use for the 'Q' command is to help avoid duplicate candidate passwords that could result from multiple similar rules. For example, if you have the rule 'l' (lowercase) somewhere in your ruleset and you want to add the rule 'lr' (lowercase and reverse), you could instead write the latter as 'lMrQ' in order to avoid producing duplicate candidate passwords for palindromes.
The 'X' command extracts a substring from memory (or from the initial word if 'M' was never used) starting at position N (in the memorized or initial word) and going for up to M characters. It inserts the substring into the current word at position I. The target position may be 'z' for appending the substring, '0' for prefixing the word with it, or it may be any other valid numeric constant or variable. Some example uses, assuming that we're at the start of a rule or after an 'M', would be 'X011' (duplicate the first character), 'Xm1z' (duplicate the last character), 'dX0zz' (triplicate the word), '<4X011X113X215' (duplicate every character in a short word), '>9x5zX05z' (rotate long words left by 5 characters, same as '>9{{{{{'), '>9vam4Xa50'l' (rotate right by 5 characters, same as '>9}}}}}').
'l' is set to the current word's length, and its new value is usable by this same command (if N or/and M is also 'l').
V must be one of 'a' through 'k'. N and M may be any valid numeric constants or initialized variables. It is OK to refer to the same variable in the same command more than once, even three times. For example, 'va00' and 'vaaa' will both set the variable 'a' to zero (but the latter will require 'a' to have been previously initialized), whereas 'vil2' will set the variable 'i' to the current word's length minus 2. If 'i' is then used as a character position before the word is modified further, it will refer to the second character from the end. It is OK for intermediate variable values to become negative, but such values should not be directly used as positions or lengths. For example, if we follow our 'vil2' somewhere later in the same rule with 'vj02vjij', we'll set 'j' to 'i' plus 2, or to the word's length as of the time of processing of the 'vil2' command earlier in the rule.
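The memory and variable commands above ('M', 'Q', 'X', 'v') can be traced with a small interpreter. This is an added example, not code from John the Ripper; it covers only the commands needed to run the rules quoted above, and the meanings of '<N', '>N' and 'N (length filters and truncation) and of 'm' after 'M' are taken as assumptions from John's documentation, since their descriptions are not reproduced on this page.

```python
INF = 10**6  # stands in for 'z' (infinite position or length)

def num(ch, v):
    """Resolve a numeric constant ('0'-'9', 'z') or a variable to an int."""
    if ch.isdigit():
        return int(ch)
    return INF if ch == "z" else v[ch]    # KeyError: variable not initialized

def apply_rule(rule, word):
    """Apply one rule to one word; return the candidate, or None if rejected."""
    mem = cur = word                      # implied 'M' at the start of a rule
    v = {"l": len(word), "m": len(word) - 1}
    i = 0
    while i < len(rule):
        c, args = rule[i], rule[i + 1:i + 4]
        if c == "l":                      # lowercase
            cur = cur.lower()
        elif c == "r":                    # reverse
            cur = cur[::-1]
        elif c == "d":                    # duplicate
            cur += cur
        elif c == "M":                    # memorize (assumed: 'm' follows memory)
            mem, v["m"] = cur, len(cur) - 1
        elif c == "Q":                    # reject if unchanged since 'M'
            if cur == mem:
                return None
        elif c in "<>":                   # assumed: reject unless shorter/longer than N
            n = num(args[0], v)
            if not (len(cur) < n if c == "<" else len(cur) > n):
                return None
            i += 1
        elif c == "'":                    # assumed: truncate the word at length N
            cur = cur[:num(args[0], v)]
            i += 1
        elif c == "X":                    # XNMI: insert mem[N:N+M] at position I
            n, m, p = (num(a, v) for a in args)
            cur = cur[:p] + mem[n:n + m] + cur[p:]
            i += 3
        elif c == "v":                    # vVNM: update 'l', then V = N - M
            v["l"] = len(cur)
            v[args[0]] = num(args[1], v) - num(args[2], v)
            i += 3
        else:
            raise ValueError(f"unsupported command {c!r}")
        i += 1
    return cur
```

For instance, apply_rule("lMrQ", "Level") returns None because the lowercased word is a palindrome, while apply_rule(">9vam4Xa50'l", "abcdefghij") returns the word rotated right by 5 characters.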
When defining 'single crack' mode rules, extra commands are available for word pairs support, to control if other commands are applied to the first, the second, or to both words:
If you use some of the above commands in a rule, it will only process word pairs (e.g., full names from the GECOS field) and reject single words. A '+' is assumed at the end of any rule that uses some of these commands, unless you specify it manually. For example, '1l2u' will convert the first word to lowercase, the second one to uppercase, and use the concatenation of both. The use for a '+' might be to apply some more commands: '1l2u+r' will reverse the concatenation of both words, after applying some commands to them separately.
The preprocessor is used to combine similar rules into one source line. For example, if you need to make John try lowercased words with digits appended, you could write a rule for each digit, 10 rules total. Now imagine appending two-digit numbers - the configuration file would get large and ugly.
With the preprocessor you can do these things easier. Simply write one source line containing the common part of these rules followed by the list of characters you would have put into separate rules, in square brackets (the way you would do in a regexp). The preprocessor will then generate the rules for you (at John startup for syntax checking, and once again while cracking, but never keeping all of the expanded rules in memory). For the examples above, the source lines will be 'l$[0-9]' (lowercase and append a digit) and 'l$[0-9]$[0-9]' (lowercase and append two digits). These source lines will be expanded to 10 and 100 rules, respectively. By the way, preprocessor commands are processed right-to-left while character lists are processed left-to-right, which results in natural ordering of numbers in the above examples and in other typical cases. Note that arbitrary combinations of character ranges and character lists are valid. For example, '[aeiou]' will use vowels, whereas '[aeiou0-9]' will use vowels and digits. If you need to have John try vowels followed by all other letters, you can use '[aeioua-z]' - the preprocessor is smart enough not to produce duplicate rules in such cases (although this behavior may be disabled with the '\r' magic escape sequence described below).
There are some special characters in rules ('[' starts a preprocessor character list, '-' marks a range inside the list, etc.) You should prefix them with a backslash ('\') if you want to put them inside a rule without using their special meaning. Of course, the same applies to '\' itself. Also, if you need to start a preprocessor character list at the very beginning of a line, you'll have to prefix it with a ':' (the no-op rule command), or it would be treated as a new section start.
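The expansion of character lists described above can be reproduced with a short model of the preprocessor. This is an added example, not John the Ripper's own code; it handles lists, ranges, de-duplication and backslash-escaped literals, does not model the magic escape sequences, and emits an escaped character without its backslash as a simplification.

```python
from itertools import product

def expand_list(tokens):
    """Turn the tokens inside [...] into an ordered, de-duplicated list."""
    out, k = [], 0
    while k < len(tokens):
        ch = tokens[k][1]
        # An unescaped '-' between two characters marks a range.
        if k + 2 < len(tokens) and tokens[k + 1] == ("raw", "-"):
            out.extend(chr(x) for x in range(ord(ch), ord(tokens[k + 2][1]) + 1))
            k += 3
        else:
            out.append(ch)
            k += 1
    return list(dict.fromkeys(out))       # '[aeioua-z]' yields 26 items, not 31

def expand(source):
    """Expand one source line into the list of rules it stands for."""
    parts, i = [], 0                      # each part is a list of alternatives
    while i < len(source):
        c = source[i]
        if c == "\\" and i + 1 < len(source):   # escaped special character
            parts.append([source[i + 1]])
            i += 2
        elif c == "[":
            tokens, j = [], i + 1
            while j < len(source) and source[j] != "]":
                if source[j] == "\\" and j + 1 < len(source):
                    tokens.append(("lit", source[j + 1]))
                    j += 2
                else:
                    tokens.append(("raw", source[j]))
                    j += 1
            if j >= len(source):
                raise ValueError("unterminated character list")
            parts.append(expand_list(tokens))
            i = j + 1
        else:
            parts.append([c])
            i += 1
    # product() varies the rightmost list fastest: $0$0, $0$1, ... $9$9
    return ["".join(p) for p in product(*parts)]
```

Counting len(expand(line)) for each source line of a ruleset gives the number of rules it contributes, which is a quick way to estimate how many candidates a wordlist will produce before an audit run.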
Finally, the preprocessor supports some magic escape sequences. These start with a backslash and use characters that you would not normally need to escape. In the following paragraph describing the escapes, the word 'range' refers to a single instance of a mix of character lists and/or ranges placed in square brackets as illustrated above.
Currently supported are '\1' through '\9' for back-references to prior ranges (these will be substituted by the same character that is currently substituted for the referenced range, with ranges numbered from 1, left-to-right), '\0' for back-reference to the immediately preceding range, '\p' before a range to have that range processed 'in parallel' with all preceding ranges, '\p1' through '\p9' to have the range processed 'in parallel' with the specific referenced range, '\p0' to have the range processed 'in parallel' with the immediately preceding range, and '\r' to allow the range to produce repeated characters. The '\r' escape is only useful if the range is 'parallel' to another one or if there's at least one other range 'parallel' to this one, because you should not want to actually produce duplicate rules.
Please refer to the default configuration file for John the Ripper for many example uses of the features described in here.
$Owl: Owl/packages/john/john/doc/RULES,v 1.14 2017/05/14 12:16:07 solar Exp $