[SWLUG] John the Ripper (and the benefits of clear documentation)

Foeh Mannay foeh.mannay at ntlworld.com
Mon Jan 31 21:35:36 UTC 2005


Hi, All.

This may strike you as an odd query, but I'll try anyway :o)

I'm using john to try to recover a password from an MD5 hash. I know
roughly what the password is, it just got typoed when it was entered and
for long and boring reasons it would be *much* better for me to recover
it from the hash than to recover it by other means.

I've used john a few times before with generally good success, however
in this case it's proving a pain. I know the password isn't going to
come from any dictionary attacks, or any of the clever stuff john does
with its rules. What I want to do is tell John that I know the first
character is going to be this, the second character should be this, but
could be any of these (in order of likelihood). This *should* give me a
small enough keyspace to bruteforce in a reasonable time, even if it's a
couple of days.

The problem I'm having is that despite what the documentation I've found
on the web claims about being able to tell john in the config file which
characters to use, it refuses to start unless I specify a charset file.
When I do that, it ignores my trimmed down search criteria.

Has anyone had any success with similar endeavours? Perhaps with a
different tool? I suppose I could use perl to generate a word file
according to my rules then feed it to john, but out of principle I'd
like to get john working!

Thanks,

Foeh
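
The wordlist fallback mentioned in the message (build candidates from per-position character lists, then feed them to john's wordlist mode), as an added example that is not part of the original post. The position lists and sample word are constructed and the function names are hypothetical; candidates come out in order of combined likelihood rank, so the most probable typos are tried first.

```python
from math import prod

# Constructed sample: one string per password position, most likely
# character first. Intended word "secret", with keyboard-neighbour
# typos allowed at positions 1 and 4.
POSITIONS = ["s", "ewr", "c", "r", "ert", "t"]


def keyspace(positions):
    """Number of candidates the per-position lists describe."""
    return prod(len(p) for p in positions)


def _with_rank_sum(positions, total):
    """Yield index tuples whose per-position ranks add up to `total`."""
    if not positions:
        if total == 0:
            yield ()
        return
    head, rest = positions[0], positions[1:]
    max_rest = sum(len(p) - 1 for p in rest)  # largest sum the tail can reach
    for rank in range(min(len(head) - 1, total) + 1):
        if total - rank <= max_rest:
            for tail in _with_rank_sum(rest, total - rank):
                yield (rank,) + tail


def candidates(positions):
    """Stream every combination, lowest total rank (most likely) first.

    Memory use stays proportional to the password length, so the
    generator can be piped straight into a cracker for large keyspaces.
    """
    max_total = sum(len(p) - 1 for p in positions)
    for total in range(max_total + 1):
        for idx in _with_rank_sum(positions, total):
            yield "".join(p[i] for p, i in zip(positions, idx))


if __name__ == "__main__":
    # One candidate per line, suitable for redirecting to a word file.
    for word in candidates(POSITIONS):
        print(word)
```
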




