Friday, July 17, 2009

Keyboard Dictionaries

By far the most popular download from my dictionary-based rainbow tables has been the input dictionary I created based on keyboard combos. It's been downloaded close to 2000 times, which means about 1995 more people have downloaded it than read this blog ;) So of course I'm looking to improve on it. The original dictionary was created thanks to an abundance of free time and my own personal lack of carpal tunnel syndrome, since I typed each entry into it by hand. The problem, of course, is that I've since found out there were many keyboard combos that I missed.

So that's why God (or at least Solar Designer) created external modes for John the Ripper. One of them simulates a keyboard layout, so if you type

./john -stdout -external=keyboard

it will start to output different strings based on how close the keys are to each other on your actual keyboard. Being the lazy person I am, I of course decided to pipe that output into a file to create a new and improved "keyboard dictionary". The problem is that I left it running and after a while started to wonder why it hadn't stopped. Checking on it, I found that the file it had been creating had filled up over 18 gigs of disk space. That's not acceptable.

I really don't have anything else to offer right now, but I just wanted to give you a status update and let you know it's a problem I'm working on ;)

4 comments:

CG said...

Maybe you just get the 5 readers to post their favorites that aren't on your list? :-)

Matt Weir said...

Heh, that's a good idea ;) What's inspired this is I've been coming across more and more keyboard options, such as skipping letters - "qetuo", nonlinear typing - "`12345t6", etc. I think the main problem is how john's external mode handles creating them.

With the keyboard rainbow tables I previously made, the actual input dictionary was very small (~650 words), but I combined the words together since that's how I've found most people create their passwords (if they are using a keyboard layout), aka "1qaz&UJMqwerty". This way, even though the input dictionary was small, the number of guesses was fairly substantial:

Combination of three keyboard combos: 274 million guesses

Combination of four keyboard combos: 178 billion guesses

Thus it pays to have a smaller input dictionary for those types of attacks. What I'm trying to do though is build a much bigger input dictionary for cracking passwords where people append/prepend a keyboard combo to a regular word, such as "1qaz@WSXpassword". Also it seems like people who use uncommon keyboard combos tend not to chain them as much, aka they tend to use only one or two of them, not four or five.
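To make the two figures above concrete, and to show why the unbounded pipe from -external=keyboard kept growing, here is a small added example of my own (not John the Ripper's code and not from this post) that walks a simplified US QWERTY adjacency table with an explicit length cap, counts how fast the output grows per length, reuses the same table to flag pure keyboard walks during a password audit, and reproduces the chained-combo keyspace arithmetic. The four layout rows, the staggered-adjacency rule and all function names are assumptions of this example.

```python
from typing import Dict, Iterator, Optional, Set

# Simplified, unshifted US QWERTY rows (assumption: backtick and backslash omitted).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

def build_adjacency() -> Dict[str, Set[str]]:
    """Map each key to its physical neighbours: left/right in the same row,
    plus the two keys touching it in the staggered rows above and below."""
    adj: Dict[str, Set[str]] = {}
    for r, row in enumerate(ROWS):
        for i, key in enumerate(row):
            nbrs = {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
            if r > 0:  # keys above sit at index i and i+1 of the row above
                nbrs |= {ROWS[r - 1][j] for j in (i, i + 1) if j < len(ROWS[r - 1])}
            if r + 1 < len(ROWS):  # keys below sit at index i-1 and i of the row below
                nbrs |= {ROWS[r + 1][j] for j in (i - 1, i) if 0 <= j < len(ROWS[r + 1])}
            adj[key] = nbrs
    return adj

ADJ = build_adjacency()

def walks(length: int, start: Optional[str] = None) -> Iterator[str]:
    """Yield every sequence of exactly `length` keys in which each key is adjacent
    to the previous one (revisits allowed, so 'qwq' counts). The explicit length
    bound is what the unbounded pipe into a file was missing."""
    def extend(prefix: str) -> Iterator[str]:
        if len(prefix) == length:
            yield prefix
            return
        for nxt in sorted(ADJ[prefix[-1]]):
            yield from extend(prefix + nxt)
    for first in ([start] if start else sorted(ADJ)):
        yield from extend(first)

def count_walks(length: int) -> int:
    """Strings emitted at one length; grows geometrically with length."""
    return sum(1 for _ in walks(length))

def is_keyboard_walk(password: str) -> bool:
    """Audit-side use of the same table: True if the password is one pure walk."""
    p = password.lower()
    return len(p) >= 3 and all(b in ADJ.get(a, set()) for a, b in zip(p, p[1:]))

def chained_guesses(dict_size: int, chain_len: int) -> int:
    """Keyspace when chain_len entries of a dict_size-word list are concatenated;
    650 combos chained three deep gives about 274 million, four deep 178 billion."""
    return dict_size ** chain_len
```

Because each extra key multiplies the count by the average number of neighbours, count_walks(n) is the size of the file the pipe would produce at length n, with no natural stopping point.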

Minga said...

John's keyboard mode is by no means perfect. It's a good start, but there are TONS of patterns it misses.

1) Only takes into account lowercase lettering. Fix: output results into a .dic file, then use with --rules:nt (use the new rules:nt post on the john-users mailing list). It misses even easy stuff like qweQWE.

2) It misses very obvious patterns, like qweqaz (look at your keyboard) or qweewq.

3) No special characters. Passwords like 123!@# are super-obvious. Fix: make a rule that converts all numbers to their special character equivalents (1 = !, 2 = @, etc). I've posted a rule that does this on john-users (I think I did..).

Pretty much I don't use --external:keyboard anymore because I've made my own dictionary files that (when combined with different --rules) are much more powerful.

-Minga

Elliot Hallmark said...

Just close together isn't adequate (i.e., it wouldn't get my passwords that use meaningless keyboard patterns). Also, some key patterns are more random than others.

Google a pdf called "Visualizing Keyboard Pattern Passwords":
http://cs.wheatoncollege.edu/~mgousie/comp401/amos.pdf

This must be implemented somewhere but I have not found it.