Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: wordlists for Ncrack
From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 29 Jul 2009 02:34:26 +0300

Brandon Enright wrote:
On Tue, 28 Jul 2009 21:14:10 +0200
Sebastien Raveau <sebastien.raveau () epita fr> wrote:

On Tue, 28 Jul, 2009 at 16:30:10 +0400, Solar Designer
<solar_at_openwall.com> wrote:
Obviously, most of these wordlists are too large to be used with
If your wordlists are too large, what does it make my 58,427,177
words list? :-P

Comparing the size of one's cracking dictionary is a digital pissing

A more important measure of a dictionary is not its size but its
relative cracking efficiency.  Increasing the size runs into
diminishing returns.

If you are doing offline, unsalted list cracking then bigger is
better.  If have limited cracking resources you need to use your time
efficiently.  John's wordlist is an exercise in efficiency rather than

Exactly. Ncrack lists need to be efficient rather than just lengthy. We are
talking about network cracking here.

Agreed it is a bit too "raw" at the moment (I'll work on that) but it
has already proven its usefulness already:
http://reusablesec.blogspot.com/2009/04/ok-some-actual-results.html so
I thought I should mention it here as it might interest some of you in
general, if not for using it with Ncrack :-)

Indeed, I've had a lot of success compiling similar word lists.  I too
used Wikipedia (EN only) as starting point.

One of the better sources I've compiled from are the 14,000 wikis
hosted by Wikia:


This includes wikis like Star Wars, Star Trek, World of Warcraft, etc.

Also, speaking of Matt Weir's blog (which is great overall on the
topic of password cracking) he just released a passphrase dictionary:

Matt has done some good work.  He is giving a talk at DEFCON on his
phbbb cracking efforts that I'm looking forward to.

That would definitely be interesting. I hope DEFCON is going to upload the
streaming videos of the talks soon enough, for those who won't be able to attend.

Back to password lists for Nmap, Nmap/Ncrack can't ship a 10GB password
list, not even a 100MB list.  We need to ship an efficient list.  With
that in mind, I too have been working on cracking the phpbb passwords.
Of the 189766 unsalted MD5 hashes, I've cracked 176620.  That's 93% ;-)


I've posted the cracked passwords as well as a count of the
hashes sorted by frequency.  A little real-word data is a good thing.
I'd suggest that we cherry pick the top 100-500 passwords from this
list to augment the list that we end up shipping.

That's probably a nice source to use some passwords. The question is: how
would you choose the top 100-500 passwords? By doing a quick parsing at
your list, the only passwords with a frequency of more than 1, were "frag"
"life" and who-would-guess "phpbb" but that's only 3. We can see however that a
lot of them start with the string "php" and the combinations from that are a
lot. We could use that part of the list as the specialized http-specific
password list for Ncrack. As I said earlier, Ncrack is going to ship with a
default list with a golden-ratio between size and being as generic as possible,
and some service-specific lists for more specialized cracking sessions. Of
course, more than 1 lists could exist for one service. For example, we could
have a phpbb-related list that would apply more to forums and another one that
would apply to web server basic/digest-auth protected areas. Both of them would
be related to the http-service.

I've been ridiculously busy lately but at some point this summer I hope
to publish detailed analysis of my cracking efforts and some metrics on
the passwords cracked so far.  I put a lot of engineering time into this
cracking.  Don't steal my thunder by doing analysis
using my cracked list.

I am looking forward to your analysis.


-- ithilgore

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]