From charlesreid1

How to go from a list of John the Ripper password files to a cracked password or two?

A Word on Simplicity

First, I was using Python. Not only was I using Python, I was using simple, operating system level Python. Why? Because in a real world situation, you won't have network access, or your numpy won't compile, or you'll be missing an x terminal, and your fancy analysis scripts will stay tucked away at home. Practical scripts require simplicity to be robust.

Can you run your tools immediately after you reinstall your operating system? Do you have packages that are absolutely essential archived somewhere? Somewhere close at hand?

The Script

Script Procedure

Depending on what kind of passwords you're trying to crack with John the Ripper, your procedure will look different. For example, on a wireless network you'll need to obtain handshake files and convert them to the right format for each username and password combination, but with Unix password files, you have one big list in a single file.

The complications of scripting WPA cracking with John the Ripper lies mainly in extracting the necessary information that leads up to the cracking. Listening to networks, finding clients, attacking access points, capturing handshakes, and converting them are all done prior to using John.

The input John expects is a John password file with WPA encryption. The process of going from an Aircrack capture file to a John password file is covered on the John_the_Ripper/WPA page.

Once we have the John password file, there isn't anything particularly unusual about the password file, except that WPA requires a minimum password length of 8.

Script Steps

What we want in the end is a chunk of script that will run John with various options, wordlists, rules, etc. We can use Python to iterate through the different combinations and create a bash script that we can use to run John.

This requires looping over each rule, over each password file, and over each wordlist, and using John to try each of those combinations. Our result will be a long script with lots of John commands that we can run in a screen, using the fire-n-forget method.

The input will be a list of John password files, which will contain the BSSID and ESSID information and the handshakes.

The Script

Here's what the Python script will look like:

import os

with open('johnpw_filelist','rb') as f:
    z = f.readlines()
    john_pw_files = list(z)

# for each john file, 
# we want to go through a regiment of stuff to try

# strategy:
# large word list
# small numbers of variations at a time

wordlists = ['/root/codes/seclists/Passwords/rockyou-50.txt', #100k
             '/root/codes/seclists/Passwords/english.txt', #300k
             '/root/codes/seclists/Passwords/rockyou.txt', #14M


scriptfile = ''

with open(scriptfile,'w') as sf:


    for rule in rules:
        for wd in wordlists:
            temp = map(str.strip, john_pw_files)
            john_pw_files = temp
            cmd = [JOHN_BIN, '-wordlist:'+WORDLIST, '-rules:'+RULES] + john_pw_files
            the_big_one = ' '.join(cmd)
            sf.write("# Wordlist: "+wd+"\n")
            sf.write("# Rule: "+rule+"\n")

The Result

The resulting script, which is not particularly interesting since I only have one router handshake, looks like this:


# Wordlist: /root/codes/seclists/Passwords/rockyou-50.txt
# Rule: CMR1
/path/to/john -wordlist:/path/to/rockyou-50.txt -rules:CMR1 /path/to/myrouterhandshake.johnpw