An Introduction to Password Cracking with John (The Ripper)
A brief guide to optimising John for people who don't spend all day cracking passwords
== 10 - 20 minutes of configuration changes and you will see a world of difference. ==
This guide assumes that:
- You have a basic understanding of command lines and text editors
- You have John The Ripper or the ability to install it
- You have a text editor
JTR (John The Ripper)
Scenario: you have an extraction or a dump of password hashes and you want to crack as many of them as you can with John The Ripper.
This is a good approach to testing for weak passwords in the enterprise: with the list of weak passwords in hand you can see where they exist on your domain, issue an actionable list of resets, and tweak the AD password policies that let them through.
You'll need something to crack.
It's best to provide any external security consultant with a company-provided laptop when allowing them access to this kind of information. If you don't, those passwords may just end up in their john.pot file, and you never know whether a password is also an information leak about the business (passwords routinely contain project names, customer names and personal details). This may cost the business a day in consulting, but it's the safest option.
You probably won't be compiling John this time round unless you want to get really geeky; precompiled binaries (files that just work) are available for all operating systems. I'm using a Mac with Homebrew installed, so I can install it with brew install john (or brew install john-jumbo for the community-enhanced build, which you will need for the --format=nt examples later on). On Linux you will want to issue apt-get install john, or your distribution's equivalent, and on Microsoft platforms you download the Windows build from Openwall's website and unzip it. The commands below are the same on all three platforms, give or take the path to the binary.
Once we have installed John (JTR) we are ready to get cracking.
This is the journey we should take when new to John, because it introduces you to what you get 'out of the box' and what you get with some 'quick win' configuration:
- Default attack with no configuration (just john and the hash file)
- Attack with a custom wordlist (rockyou.txt)
- Attack with rockyou.txt & rules
John has rules we can apply in conjunction with the password lists. A rule will, for example, append a year: if the wordlist entry is Password1 it will also try Password12015, and so on for every word in the list. You can write your own rules, but I use KoreLogic's rules and bastardise my own together with them. Usually the KoreLogic rules are enough to get high success rates in short time frames (hours, not months).
John Rules by KoreLogic
KoreLogic used a variety of custom rules to generate the passwords. These same rules can be used to crack passwords in corporate environments. These rules were originally created because the default ruleset for John the Ripper fails to crack passwords with more complex patterns used in corporate environments.
To get the most from this guide you are going to need to copy the contents of this file into your john.ini file, which is found in the folder where you have installed John (the Ripper). Note that John reads john.conf first and only falls back to john.ini if john.conf is absent, so on a Unix build where john.conf exists, paste the rules into john.conf instead.
Here are some commonly issued commands with explanations.
We will work our way from simple to complex (or as complex as this post will allow)
Simple Attack with wordlist
john --wordlist=/path/to/wordlists/password.lst /path/to/Password/file.hashes
This will run that wordlist against that password file. John will auto-detect the hash format as best it can, but if you know the hash format it's always worth adding it with --format (for example --format=nt for Windows NT hashes), because several hash types look alike and John may pick the wrong one.
Attack with custom wordlist using KoreLogic rules
Because we have included the KoreLogic rules in our john.ini file we can invoke them like any existing John rule. I've had huge success with KoreLogic's rule set; the rules range from adding months and seasons to appending special characters. This example runs the rockyou wordlist against the hash file, and for every entry in the list it also executes the rule we included that appends numbers and special characters:
john --wordlist=/path/to/wordlists/rockyou.txt --format=nt --rules:KoreLogicRulesAppendNumbers_and_Specials_Simple /path/to/Password/file.hashes
You will notice that using rules is more time consuming, depending on the length of the list and the complexity of the rules ... but mostly on the size of the list: every rule line is applied to every word, so the number of candidates John has to hash is roughly words times rules.
I highly recommend hitting this page for a full list of the rules and explanations (you will also find them in your john.ini, but the raw rule syntax might fry your mind at first).
Hopefully at this point you will have got familiar with John using the basic list, then been more impressed using it with the rockyou wordlist, then been EVEN MORE blown away by the power of rules.
If you want to see the cracked passwords you will find them in the john.pot file in your John folder (where it has been installed). Additionally you can take a look with
john --show /path/to/password.hashes
Pass the same --format you cracked with if John complains that the hashes are ambiguous, and the same --pot if you cracked into a non-default pot file, otherwise --show will report nothing cracked.
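The whole procedure from the simple wordlist run through the KoreLogic rule to --show, strung together as a small POSIX shell script. This is an added example and not part of the original post. It assumes things the post does not state: the hash file holds one user:nthash line per account, the community-enhanced (jumbo) John is on PATH so --format=nt works, rockyou.txt is wherever WORDLIST points, and the KoreLogic section is already in your john.ini. It also goes slightly beyond the post: it previews the rule's output with --stdout before spending hours on it, runs --single first because it is nearly free, keeps cracked passwords in a per-engagement --pot file rather than the shared john.pot the consultant paragraph warns about, and parses --show output into the actionable reset list from the scenario. (John accepts both --rules=NAME and --rules:NAME.)

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (mine, not the post's):
# hash file is one "user:nthash" line per account; jumbo john is on PATH;
# WORDLIST points at rockyou.txt; the KoreLogic section is already in john.ini.
set -u

HASHES="${HASHES:-./hashes.txt}"
WORDLIST="${WORDLIST:-/path/to/wordlists/rockyou.txt}"
RULE="${RULE:-KoreLogicRulesAppendNumbers_and_Specials_Simple}"
FORMAT="${FORMAT:-nt}"
# Per-engagement pot file: cracked passwords stay with the job instead of
# accumulating in the shared john.pot on the cracking box.
POT="${POT:-./engagement.pot}"

# Step 0: see what the rule actually generates before committing hours to it.
# --stdout prints the candidates instead of cracking; one seed word is plenty.
preview_rule() {
    seed=$(mktemp) || return 1
    printf 'Password1\n' > "$seed"
    john --wordlist="$seed" --rules="$RULE" --stdout 2>/dev/null | head -n 20
    rm -f "$seed"
}

# Steps 1-3: cheapest attack first. All runs write into the same pot file, so
# hashes already cracked are not retried; --session keeps the .rec files apart.
crack() {
    john --format="$FORMAT" --pot="$POT" --session=single --single "$HASHES"
    john --format="$FORMAT" --pot="$POT" --session=wordlist --wordlist="$WORDLIST" "$HASHES"
    john --format="$FORMAT" --pot="$POT" --session=rules --wordlist="$WORDLIST" --rules="$RULE" "$HASHES"
}

# --show must be given the same --format and --pot as the cracking runs.
show() {
    john --format="$FORMAT" --pot="$POT" --show "$HASHES"
}

# `john --show` prints one "user:password" line per cracked hash, then a blank
# line and a "N password hashes cracked, M left" summary. Keep only the user
# field (first colon-separated field, since passwords may themselves contain
# colons) and de-duplicate: this is the reset list to hand to the AD team.
reset_list() {
    awk -F: 'NF >= 2 && $1 != "" { print $1 }' | sort -u
}

# Pull the cracked count out of the same --show output, for the report.
cracked_count() {
    awk '/password hash(es)? cracked/ { n = $1 } END { print n + 0 }'
}

# Run the pipeline only when invoked as "sh crack.sh run"; sourcing the file
# just defines the functions.
if [ "$#" -ge 1 ] && [ "$1" = "run" ]; then
    preview_rule
    crack
    show | reset_list > resets.txt
    printf '%s accounts cracked, reset list in resets.txt\n' "$(show | cracked_count)"
fi
```

Run it as `sh crack.sh run` from the engagement directory. The --single run uses the account names themselves as candidates and finishes in seconds, which is why it goes before the wordlist; the rules run goes last because it multiplies the candidate count by the number of rule lines.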
Use John with KoreLogic Rules and a few decent wordlists = good times.
Wordlists used in this post:
== Not in the post, but worth having if you want more coverage ==
A GUI !
The Community version is the most flexible, the Pro version is more stable: give and take.
This is an excellent post on password statistics gained from breaches (I also have to credit the animated graphic at the top of the post to these guys)
This is why we constantly want to be testing for weak passwords in enterprise environments and enabling 2FA wherever possible.
I will be writing more posts around other password & authentication cracking and bypass methods soon