Monday, March 30, 2009


I ended up writing my own password cracker, since John the Ripper does not do well with auditing large password lists. Looking through JtR's code was interesting because it's fairly shocking to find out that A) The guesses per second it displays in its status updates are only loosely related to reality to put it nicely, B) It doesn't use binary search to check to see if it cracked a password or not.

I'll admit my password cracker currently is a quick and dirty implementation, (aka I put it together this weekend), and there is a lot of room for improvement. Still I'm finally able to make guesses fairly quickly which has been a godsend. Seeing the newly cracked passwords flash across my screen is proof enough. In a couple of days I should have enough passwords cracked where I can post a detailed analysis of them.

*Edit: I want to specify that this custom password cracker is different from the one I mentioned previously. That one only generates password guesses but it generates those guesses in probability order. More on that later ;)

1 comment:

Anonymous said...

I am following your blog a bit as I have an assignment for utilizing JtR. I found that John doesn't crack passwords that have numbers IN PLACE of letters as your application attempts to fix.

I look forward to other posts that you may generate on forensics and password cracking.

I am a EE working on my BS and am heavy into embedded encryption, so this is a new topical area for me.