John the Ripper/Password Generation
From charlesreid1
Contents
The Basics of Password Generation with John
This page will walk through some basic password cracking with John the Ripper. We'll go from wanting to test certain passwords to being able to generate a stream of them with John the Ripper. This is important to be able to do, so that we don't need to devote gigabytes of disk space to word files. Intelligent use of patterns can save us a whole lot of headaches.
John and Stdout
Note that if you're using Kali 2.0, you'll need to install John jumbo 1.8 from source, instead of using the Kali 2.0 repository version of John, if you want to use John the Ripper to guess passwords but not actually crack them. This is useful for sending John's password guesses to a file to see how John works, or for piping John password guesses to another cracking program like Aircrack.
Rules vs Modes
Rules and modes are ways of telling John how to guess passwords. John can be simplistic, only testing passwords that are in the wordfile, or sophisticated, doing letter/number substitutions, etc.
This page is going to cover some basic rules and modes for guessing passwords in John. We'll figure out how to start with low-hanging fruit, in terms of password guesses, and implementing those in John the Ripper.
First: No Rules
First, let's look at how we run John and generate passwords from a wordfile, with no rules at all specified. This is a kind of "Hello World" for John the Ripper. We'll specify a 92-word list.
$ ./john -wordlist:/root/codes/john/rockyou10.lst -stdout | head -n10 words: 92 time: 0:00:00:00 DONE (Tue Aug 18 23:36:33 2015) w/s: 1314 current: junior 123456 12345 123456789 password iloveyou princess 1234567 12345678 abc123 nicole
So far so good. Now let's look at how the rules will modify each entry in the wordfile.
Rules
The John_the_Ripper/Rules page has a guide for installing the KoreLogic password generation rules from the Defcon 2010 Crack Me If You Can.
What is a rule?
A rule is a way for John to create variations (rule-based generation of variations) on a wordlist, turning a short wordlist into a much more powerful cracking tool.
Here's an example of a rule that appends years to passwords:
[List.Rules:KoreLogicRulesAppendYears] cAz"19[0-9][0-9]" Az"19[0-9][0-9]" cAz"20[01][0-9]" Az"20[01][0-9]"
The rule is named KoreLogicRulesAppendYears.
Let's apply the rule to the rockyou password list. First, a quick look at that list:
$ cat rockyou-10.txt | head -n20 123456 12345 123456789 password iloveyou princess 1234567 12345678 abc123 nicole daniel babygirl monkey lovely jessica 654321 michael ashley qwerty 111111
Now we can call rules on this wordlist to create variations for password guesses.
KoreLogic Rules
Now, we want to be able to use some password cracking rules, so that our wordlists don't have to be terabytes to be effective. We can do that by telling John how to create password variations from the wordlist. This is where the rules come in.
KoreLogic provided a pretty amazingly comprehensive set of John the Ripper rules form the Defcon 2010 crack me if you can contest, with the set of rules being released as part of the terms of victory: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt
A guide to installing those rules is here: John_the_Ripper/Rules
Using Rules
To use the rule, for exmaple the KoreLogicRulesAppendYears rule, we can call john with the --rules=KoreLogicRulesAppendYears argument, or with the -rules:KoreLogicRulesAppendYears argument (etiher works, but be consistent):
$ john -wordlist:/path/to/rockyou-10.txt -format:wpapsk -rules:KoreLogicRulesAppendYears john_password_file
where we specify the wordlist, the encryption format of the john_password_file, the location of the john_password_file, and the rules to use. We'll cover how to get password files in a format John likes from programs like Airodump-ng and Aircrack below. But let's finish talking about the rules.
If we call John with the stdout flag, instead of a password file, we can see what John is doing:
$ ./john -wordlist:/root/codes/john/rockyou10.lst -rules:KoreLogicRulesAppendYears -stdout | head -n10 1234561900 123451900 1234567891900 Password1900 Iloveyou1900 Princess1900 12345671900 123456781900 Abc1231900 Nicole1900
Defining Our Own Password Cracking Rules
Initial Rule
Now we can add sections to the john.conf file we're using. Let's start with a simple one, that will append the numbers 1980-1989 to words in our wordfile. The syntax for this rule looks like this:
[List.Rules:CMRNumbers] Az"198[0-9]"
and we can call it thusly:
$ ./john -wordlist:/root/codes/john/rockyou10.lst -rules:CMRNumbers -stdout | less
We can see from the output the way this syntax works.
Az"198[0-9]"
The Az portion means, any word in the wordfile A, all the way to the end of the word z, then append our expression "198[0-9]", which appends the years 1980-1989 to each word in the wordfile.
here's the output:
1234561980 123451980 1234567891980 password1980 iloveyou1980 princess1980 12345671980 123456781980 abc1231980 nicole1980 daniel1980 babygirl1980 monkey1980 lovely1980 jessica1980 6543211980 michael1980 ashley1980 qwerty1980 1111111980 iloveu1980 0000001980 [..] dragon1989 vanessa1989 cookie1989 naruto1989 summer1989 sweety1989 spongebob1989
Refining the Rule
If we want to capitalize the word in the wordfile (note that your wordfiles should all be lowercase to more efficiently use rules), you can capitalize the first letter like this:
[List.Rules:CMRNumbers] Az"198[0-9]" cAz"198[0-9]"
Now we'll get the same output as before, but in addition, we'll get the capitalized word attempts:
[see above] [...] 1234561980 123451980 1234567891980 Password1980 Iloveyou1980 Princess1980 12345671980 123456781980 Abc1231980 Nicole1980 Daniel1980 Babygirl1980 Monkey1980 [...] Dragon1989 Vanessa1989 Cookie1989 Naruto1989 Summer1989 Sweety1989 Spongebob1989 Joseph1989 Junior1989
Invert Case
We can also invert the case, so instead of the first letter uppercase and the rest lowercase, we do the first lowercase and the rest uppercase by replacing c with C:
[List.Rules:CMRNumbers] Az"198[0-9]" cAz"198[0-9]" CAz"198[0-9]"
Resulting in these passwords:
[...] mATTHEW1989 rOBERT1989 dANIELLE1989 fOREVER1989 fAMILY1989 jONATHAN1989 9876543211989 cOMPUTER1989 wHATEVER1989 dRAGON1989 vANESSA1989 cOOKIE1989 nARUTO1989 sUMMER1989 sWEETY1989 sPONGEBOB1989 jOSEPH1989 jUNIOR1989
Moving the Number Around
We can move where we put the number, by changing z to something else (like 0):
[List.Rules:CMRNumbers] A0"198[0-9]" Az"198[0-9]"
and the results: at the beginning of the file, for rule A0"198[0-9]", the years 1980-1989 are prepended:
1980123456 198012345 1980123456789 1980password 1980iloveyou 1980princess 19801234567 198012345678 1980abc123 1980nicole
while at the end of the file, for rule Az"198[0-9]", the years are appended:
danielle1989 forever1989 family1989 jonathan1989 9876543211989 computer1989 whatever1989 dragon1989 vanessa1989 cookie1989 naruto1989 summer1989 sweety1989 spongebob1989 joseph1989 junior1989
Builtin Rules
There are looooots of built-in rules, as seen in the default john.conf file.
You can find the rule names from the john.conf file, and then you can call then with the -rules:RuleName flag:
$ ./john -wordlist:/root/codes/john/rockyou10.lst -rules:o1 -stdout > words
The o1 flag replaces each character in the wordlist, one at a time, with every single possible symbol/number/letter.
There's also the more exhaustive -o2, which will replace two characters at a time in each word in the wordlist, again using each possible symbol/number/letter.
A list of built-in rules:
| Rule Name | Rule Description | Rule Name | Command |
|---|---|---|---|
| None | No rules are applied, words are tested directly from the wordlist | -rules:None
|
./john -wordlist:/root/codes/john/oneword.lst -rules:None -stdout > words |
| Single | Exhaustive list of rules to try. This will create several thousand iterations from each password, and is exhasutive. Use for exhasutive password searches, or large password files. | -rules:Single
|
./john -wordlist:/root/codes/john/oneword.lst -rules:Single -stdout > words |
| Wordlist | Meant to be used with wordlists, this first tries every word in the list. It then tries upper and camel case, pluralization, duplicate words, digit appending, reversal, capitalization, and splitting passwords in half. Approx. 26 rules. | -rules:Wordlist
|
./john -wordlist:/root/codes/john/oneword.lst -rules:Wordlist -stdout > words |
| Hash Runner 2014 o1 | Tries every password, but substituting every single possible character/number/symbol into the password, one character at a time, in every position. | -rules:o1
|
./john -wordlist:/root/codes/john/oneword.lst -rules:o1 -stdout > words |
| Hash Runner 2014 o2 | Tries every password, but substituting every single possible character/number/symbol into the password, two characters at a time, in every position. | -rules:o2
|
./john -wordlist:/root/codes/john/oneword.lst -rules:o2 -stdout > words |
| Hash Runner 2014 o3 | Warning: this is the ad absurdum method. Do not attempt unless you have a GPU. This will do the following, for every word in the wordlist:
|
-rules:o3
|
john -wordlist:/root/codes/john/oneword.lst -rules:o3 -stdout > words # caveat emptor |
| Hash Runner 2014 i1 | This inserts a lettetr into the wordlist, instead of replacing a letter, as the o rules do. password becomes #password. One character is tested at every position, #password through passwordZ, etc.
|
-rules:i1
|
./john -wordlist:/root/codes/john/oneword.lst -rules:i1 -stdout > words |
| Hash Runner 2014 i2 | Similar to o2 above, except inserting instead of replacing. Insert two symbols everywhere. password becomes *#password, thru passwordZ~, etc.
|
-rules:i2
|
./john -wordlist:/root/codes/john/oneword.lst -rules:i2 -stdout > words |
| Hash Runner 2014 i3 | Warning: see warning above. This will probably require a GPU to use. This inserts 0-3 symbols/characters/numbers at every possible combination of positions of every word in the wordlist. | -rules:i2
|
./john -wordlist:/root/codes/john/oneword.lst -rules:i2 -stdout > words |
Scripting with John the Ripper
It's pretty straightforward to script with John the Ripper. I find that the easiest way, since John the Ripper jobs can get pretty enormous, is to use a modular approach: keeping track of what password wordlists and what variations have been tried for a given password file manually, rather than trying to maintain consistency by using one enormous John command.
This also helps you assess the results of password cracking part of the way through, and improve your strategy based on your learnings.
I use Python to iterate through combinations and parse pieces and commands together into scripts. I don't have complex or fancy Bash scripts with nice menus and quick prompts. Too bad. Maybe soon. (The problem, though, is that every good library has to be installed first. And I want a tool that deploys without hassle on a bare box. No "oops, forgot to install pandas, now I can't use any fo my scripts.")
 |
john the ripper password generator and all-around cracking tool.
Testing John: John the Ripper/Benchmarking Using John on Password generation using rules and modes: John the Ripper/Password Generation Installing some useful password rules: John the Ripper/Rules Using John to feed password guesses to Aircrack: Aircrack and John the Ripper John the Ripper on AWS: Ubuntu/Barebones to JtR Getting Passwords from John: John the Ripper/Password Recovery
|