Password Cracking ... Rules

An Introduction to Password Cracking with John (The Ripper)

A brief guide to optimising John for people who don't spend all day cracking passwords

10 - 20 minutes making a few changes and you will see a world of difference in your success rate.

Assumptions:

  • You have a basic understanding of the command line and text editors
  • You have John The Ripper or the ability to install it
  • You have a text editor

JTR (John The Ripper)

Scenario: you have an extraction or a dump of password hashes and you want to crack as many of them as you can with John The Ripper.

This is a good approach to testing for weak passwords in the enterprise: by cracking with a weak password list you can see where weak passwords exist on your domain, produce an actionable list of resets to issue, and tweak those AD policies.

You'll need something to crack.

If you are performing a weak password audit on your domain I would recommend this technique for acquiring hashes, as it's low impact on everything; alternatively there is a Metasploit module.

It's best you provide any external security consultant with a company-provided laptop when allowing them access to this kind of information. If you don't, those passwords may end up in their john.pot file, and you never know whether a cracked password will also be an information leak for the business. This may cost the business a day in consulting, but it's the safest option.

Download JTR

You probably won't be compiling John this time round unless you want to get really geeky; precompiled binaries (files that just work) are available for all operating systems. We will use Windows in this tutorial.

I'm using a Mac and I have brew installed, so I can install it with brew install john. For Linux you will want to issue apt-get install john or the apt-get equivalent for your Linux flavour, and for Microsoft platforms you will need to run the installer from Openwall's website.

Once we have installed John (JTR) we are ready to get cracking.

Journey

This is the journey we should take when new to John. It will introduce you to what you get 'out of the box' and what you get with some 'quick win' configurations:

  • Default attack with no configuration (john password.hashes)
  • Results
  • Attack with rockyou.txt custom wordlist
  • Results
  • Attack with rockyou.txt & rule
  • Results

John Rules

The Readme

John has rules we can apply that work in conjunction with the password lists. A rule will, for example, append a date: if the wordlist entry was Password1 it will try Password12015. You can write your own rules, but I use KoreLogic's rules and bastardise my own together. Usually the KoreLogic rules are enough to get high success rates in short time frames (hours not months).
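To make the Password1 -> Password12015 example concrete, here is an added illustration (not code from this post, and not John the Ripper's own rule engine): a small interpreter for a subset of John's wordlist rule language, plus a defender-side check that tells you whether a proposed password would fall to a given wordlist and rule set. The wordlist and rules at the bottom are constructed for the demo and are not KoreLogic's actual rule file.

```python
from itertools import product

# Added example (not code from the post or from John the Ripper): a small interpreter for a
# subset of John's wordlist rule language, so you can see exactly which candidates a rule turns
# a wordlist entry into. Supported: ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise,
# 'r' reverse, 'd' duplicate, '$X' append X, '^X' prepend X, 'Az"STR"' append STR,
# 'A0"STR"' prepend STR, and the preprocessor range syntax [0-9] / [a-z]. John's real rule
# engine has many more commands and rejects some results; this is for illustration only.


def expand_rule(rule):
    """Expand preprocessor ranges such as [0-9] into one concrete rule per combination.

    '$[0-9]$[0-9]' becomes the 100 rules '$0$0', '$0$1', ... '$9$9', just as John's
    preprocessor does before the rules are applied.
    """
    alternatives = []          # one list of choices per position in the rule
    i = 0
    while i < len(rule):
        if rule[i] == '[':
            end = rule.index(']', i)
            body = rule[i + 1:end]
            chars = []
            j = 0
            while j < len(body):
                if j + 2 < len(body) and body[j + 1] == '-':   # a range like 0-9
                    chars.extend(chr(c) for c in range(ord(body[j]), ord(body[j + 2]) + 1))
                    j += 3
                else:                                          # a single literal character
                    chars.append(body[j])
                    j += 1
            alternatives.append(chars)
            i = end + 1
        else:
            alternatives.append([rule[i]])
            i += 1
    return [''.join(choice) for choice in product(*alternatives)]


def apply_rule(rule, word):
    """Apply one concrete (already expanded) rule to a single wordlist entry."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ':':
            pass
        elif cmd == 'l':
            word = word.lower()
        elif cmd == 'u':
            word = word.upper()
        elif cmd == 'c':
            word = word[:1].upper() + word[1:].lower()
        elif cmd == 'r':
            word = word[::-1]
        elif cmd == 'd':
            word = word * 2
        elif cmd == '$':
            i += 1
            word = word + rule[i]
        elif cmd == '^':
            i += 1
            word = rule[i] + word
        elif cmd == 'A':                      # A<pos><delim>STR<delim>: insert STR at position
            pos, delim = rule[i + 1], rule[i + 2]
            end = rule.index(delim, i + 3)
            text = rule[i + 3:end]
            if pos == 'z':
                word = word + text
            else:
                n = int(pos)
                word = word[:n] + text + word[n:]
            i = end
        else:
            raise ValueError(f"rule command {cmd!r} is not supported by this demo")
        i += 1
    return word


def mangle(wordlist, rules):
    """Yield the candidates John would try: each expanded rule over the whole wordlist, in order.

    Candidates are de-duplicated here to keep the policy check below simple.
    """
    seen = set()
    for rule in rules:
        for concrete in expand_rule(rule):
            for word in wordlist:
                candidate = apply_rule(concrete, word)
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def would_be_caught(password, wordlist, rules):
    """Defender-side use: would this password fall to the given wordlist + rules?"""
    return password in set(mangle(wordlist, rules))


# Constructed sample wordlist and rules (hypothetical, not KoreLogic's actual rule file).
WORDLIST = ["password", "Password1", "summer"]
RULES = [':', 'c', 'Az"2015"', 'c$[0-9]', 'cAz"[0-9][0-9]"']

if __name__ == "__main__":
    print(apply_rule('Az"2015"', "Password1"))          # Password12015, the post's example
    print(len(expand_rule("$[0-9]$[0-9]")))             # 100 concrete rules
    for proposed in ("Summer15", "correct horse battery staple"):
        verdict = "would be cracked" if would_be_caught(proposed, WORDLIST, RULES) else "survives"
        print(proposed, "->", verdict)
```

The `would_be_caught` check is the same expansion John performs, run in reverse: instead of cracking, you ask whether a password your policy currently allows is inside the candidate space, which is a quick way to see why a "digits and a capital" rule on its own does not keep Summer15 out.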

John Rules by KoreLogic

KoreLogic used a variety of custom rules to generate the passwords. These same rules can be used to crack passwords in corporate environments. These rules were originally created because the default ruleset for John the Ripper fails to crack passwords with more complex patterns used in corporate environments.

To get the most from this guide you are going to need to copy the contents of this file into your john.ini file (john.conf on Linux and Mac builds), found in the folder where you have installed John (the Ripper).

Get Cracking!

Here are some common commands, issues and explanations.

We will work our way from simple to complex (or as complex as this post will allow).

Simple Attack with wordlist

john --wordlist=/path/to/wordlists/password.lst /path/to/Password/file.hashes

This will use that wordlist against that password file. John will automagically detect the hash format as best it can, but if you know the hash format it's always worth adding --format=FormatType.

Attack with custom wordlist using KoreLogic rules

Because we have included the KoreLogic rules in our john.ini file we can invoke them like any existing John rule. I've had huge success with KoreLogic's rule set; the rules range from adding months, seasons, special characters etc. This example will use the rockyou wordlist against the hash file, but it will execute the rule we included, which appends numbers and special characters to every entry in the rockyou list:

./john --wordlist=/path/to/wordlists/rockyou.txt --format=nt --rules:KoreLogicRulesAppendNumbers_and_Specials_Simple /path/to/Password/file.hashes

You will notice that using rules is more time consuming, depending on the length of the list and the complexity of the rules ... but mostly on the size of the list.

I highly recommend hitting this page for a full list of the rules and explanations (you will also find them in your john.ini, but the content might fry your mind at first).

Hopefully at this point you will have become familiar with John using the basic list, then been more impressed using it with the rockyou wordlist, then EVEN MORE blown away by the power of rules; for more information

If you want to see the cracked passwords you will find them in the john.pot file in your John folder (where it has been installed). Additionally you can view them with john --show /path/to/password.hashes.
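The post's goal is an actionable list of resets, and it also warns that cracked plaintexts in john.pot are themselves a leak. The following added example (not from the post, and not part of John) turns `john --show` output into that reset list without ever copying a plaintext into the report, tagging each account with the pattern that made the password weak so you know which AD policy knob to turn. It assumes each cracked line begins with `user:plaintext` (any trailing pwdump-style fields are ignored) and that john ends its output with the "N password hashes cracked, M left" summary line; the sample output is constructed and contains no real accounts.

```python
import re
from collections import Counter

# Added example (not from the post): turn `john --show` output into the actionable reset list
# the post talks about, without copying any cracked plaintext into the report, since the
# plaintext itself can be an information leak. Assumes each cracked line starts with
# "user:plaintext" (extra pwdump-style fields after the plaintext are ignored) and that john
# ends the output with its "N password hashes cracked, M left" summary line.

# Constructed sample of --show output; these are not real accounts or passwords.
SHOW_OUTPUT = """\
alice:Summer2015
bob:Password1
carol:Winter15!
dave:correct horse battery staple

4 password hashes cracked, 8 left
"""

SUMMARY_LINE = re.compile(r"^\d+ password hash(es)? cracked, \d+ left$")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def parse_show(text):
    """Return (user, plaintext) pairs from --show output, skipping blanks and the summary line."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or SUMMARY_LINE.match(line) or ':' not in line:
            continue
        user, rest = line.split(':', 1)
        # For pwdump-style input john keeps the trailing fields; keep only the plaintext.
        # (A plaintext containing ':' would be truncated here, which only affects the tags.)
        pairs.append((user, rest.split(':')[0]))
    return pairs


def classify(plaintext):
    """Describe *why* a password was weak, so the AD policy can be tuned, without echoing it."""
    reasons = []
    low = plaintext.lower()
    if len(plaintext) < 12:
        reasons.append("shorter than 12 characters")
    if low.startswith("password"):
        reasons.append("based on the word 'password'")
    if any(season in low for season in SEASONS):
        reasons.append("contains a season word")
    if re.search(r"(19|20)\d{2}$", plaintext):
        reasons.append("ends with a year")
    elif re.search(r"\d+$", plaintext):
        reasons.append("ends with digits")
    if re.search(r"[!@#$%^&*?]+$", plaintext):
        reasons.append("ends with a special character")
    if not reasons:
        reasons.append("cracked by wordlist or rule, no simple pattern flagged")
    return reasons


def reset_report(text):
    """One entry per cracked account: who to reset and why; never the plaintext."""
    return [{"user": user, "reasons": classify(plaintext)} for user, plaintext in parse_show(text)]


def pattern_summary(text):
    """Count how often each weakness appears, to prioritise policy changes."""
    counts = Counter()
    for entry in reset_report(text):
        counts.update(entry["reasons"])
    return counts


if __name__ == "__main__":
    for entry in reset_report(SHOW_OUTPUT):
        print(f"reset {entry['user']}: {'; '.join(entry['reasons'])}")
    for reason, count in pattern_summary(SHOW_OUTPUT).most_common():
        print(f"{count:>3}  {reason}")
```

Run it against `john --show /path/to/password.hashes > show.txt` output by reading the file into `SHOW_OUTPUT`; the report is what you hand to the helpdesk, and the pattern counts are what you take to whoever owns the password policy.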

Use John with KoreLogic Rules and a few decent wordlists = good times.


Resources

Wordlists used in this post:

Not in the post, but worth having if you want more coverage

CrackStation's 'Real Unique list' - 15GB

A GUI !

Johnny

Pro Versions

John The Ripper Pro - Mac
John The Ripper Pro - Linux
HashSuite - Windows

The Community version is the most flexible, the Pro version has more stability; give and take.


Thoughts

This is an excellent post on password statistics gained from breaches (I also have to credit the animated graphic at the top of the post to these guys).
This is why we constantly want to be testing for weak passwords in enterprise environments and using 2FA as much as possible.

I will be writing more posts around other password and authentication cracking and bypass methods soon.