John The Ripper Mac Installation, Tutorial and Optimization
A while ago, I wrote this tutorial on how to install the simple version (pre-compiled) of John The Ripper on a Mac
A while ago, I wrote this tutorial on how to install the simple version (pre-compiled) of John The Ripper on a Mac
It's now time to optimize John. Why? it's working!
Yes, it's working, but can you make it work much better?
John The Ripper, AKA John/JTR is the extreme opposite of intuitive, and unless you are an UberGeek, you've probably missed out few subtleties.
Secondly, John The Ripper is a bit like a Muscle Car delivered from the factory with the "Eco" settings enabled by default. If you want the "Muscle", you'll have to open the hood. Once done, you'll get more muscle than you can probably chew on.
Secondly, John The Ripper is a bit like a Muscle Car delivered from the factory with the "Eco" settings enabled by default. If you want the "Muscle", you'll have to open the hood. Once done, you'll get more muscle than you can probably chew on.
Subtleties?
Well, for a start, the precompiled version on OSX does not use all cores, the "compiled on site" can ...
So if you have a quad-core, you'll make a 196% speed improvement, and that's only on raw benchmark.
The default password list is absolute crap, and the configuration could use a few improvements.
The default password list is absolute crap, and the configuration could use a few improvements.
When you'll start playing just with those 2, the result(s) could be as shown below.
Deemed worth reading?
Ok?
Ok?
Let's install it ...
1- You'll need Xcode, if not already installed, download it , it's free.
Open App Store, search XCode, download and install.
The install is going to take some time....
☞ If you wonder if you have Xcode installed, just open terminal and type gcc
The "no input file" is a good sign. Otherwise, install it.
1a- If you do not wish to install Xcode, you can always refer to here, but be kindly warned that you'll have a "less effective" version of JTR.
2- Grab a copy of the latest John The Ripper @ http://www.openwall.com/john/
look for the community enhanced version (more patches), as of today, it's the john 1.7.9 jumbo 6 2.
2a - While patiently looking at your download screen, grab a free copy of TextWrangler, not the truncated App Store Version, The full one from BareBones and install, you'll thank me later.
3- Xcode and TextWrangler have been installed, John has been downloaded, refreshments have been served.
4- Go to your "Download" directory and look for John 1.7.9.jumbo 6 tar.gz, or whatever you have downloaded, and double click on it, it will decompress it.
5- You have now a directory called John "something"
Please replace "something" in your head by the appropriate designation, i.e "John-1.7.9-jumbo 6 2"
6-Create a folder,and name it "John" anywhere on you Mac, but, recommended, that you either create it in "Macintosh HD" or your home folder, i.e ~/"myname".
Please, don't use the quotes for "John". Just John. ( Somebody is going to create a "Just john", that's guaranteed, and if you do, you will be flamed. Guaranteed too)
7- Copy all folders & files contained in "John-1.7.9-jumbo 6 2" into the newly created John folder. Only the contents, no need to copy the John-1.7.9-jumbo 6 2 folder too. If you do, you'll have to type a very long command line.
8- You have now a folder named John, with in it the 5 items as shown above.
Unfortunately, now is the time to make a choice...
Das Kompilation!
You'll have to make a choice, roughly between 32 bit, or 64 bit
64 bit seems the choice, no? Hold your horses!
One little thing: as of now, Aug 2012, when cracking pure raw-sha1(i.e Linkedin) the 32-bit is a bit faster. (no pun intended)
For generic use, select "64 bit", for Raw-Sha1 only, go for the 32 bit sse2.
The difference is not that extreme, and lastly, the 64bit version accepts Wordlists larger than 2GB.
For UberGeeks, well... install both. Your humble servant has 3 versions (for research purpose only, I am not geeking, 2 of them will be deleted soon)
- JTR is the Mac OSX pre-built
- JTR32 is the 32bit
- JTR64 is ... well, you've guessed by now.
So, make a choice (hint: 64 bit) and we'll start...
1) Open Terminal and go to the "src" folder of John, by typing
cd /john/src If you have placed john somewhere else, then go there...
1a) Second choice to make:
Please read carefully as it trapped me the first time:
JtR runs natively on one core.
You can safely run 2, or more instances on JtR at the same time, for instance one instance running a set of rules and the other instance running something else.
But you can also ask John to run on all cores. On Mac it's called "mpirun"
mpirun has to be enabled in the Makefile before compiling.
I highly suggest to do so, as it enable both parallel and multicore.
In order to do so:
1a) Open TextWrangler
Look for the file /John/src/makefile and open it
1b) Search for the following paragraph:
## Uncomment the TWO lines below for MPI (can be used together with OMP as well) ## If you experience problems with MPI_Barrier, remove -DJOHN_MPI_BARRIER ## If you experience problems with MPI_Abort, remove -DJOHN_MPI_ABORT ##CC = mpicc -DHAVE_MPI -DJOHN_MPI_BARRIER -DJOHN_MPI_ABORT ##MPIOBJ = john-mpi.o1c) Un-comment the 2 last line, (remove the ##)
1d) Save
2) Decide if you wish or will attempt to Bruteforce longer than 8ch long passwords. If you don't know, don't touch it now and come back later.
If you do not want to change the max bruteforce length, Skip to directly to part 3)
Before going bonkers, read the "Bruteforcing Speed" part below, take a look at the ETA, and you'll realize that attempting a 20ch Keyspace is not really feasible.
Done reading?
Ok, Here is how you can force JtR to Bruteforce longer than 8ch long.
2a) Open TextWrangler
Look for the file params.h in /John/src and open it
In that file, look for the section:
#define CHARSET_MIN ' '
#define CHARSET_MAX 0x7E
#define CHARSET_SIZE (CHARSET_MAX - CHARSET_MIN + 1)
#define CHARSET_LENGTH 8
2b) Change the 8 into what you want, i.e 15 or 30.
#define CHARSET_MIN ' '
#define CHARSET_MAX 0x7E
#define CHARSET_SIZE (CHARSET_MAX - CHARSET_MIN + 1)
#define CHARSET_LENGTH 15
☞ Warning: There are spaces and tabs, don't replace them by "spaces"
Use the Show Invisible in Text Wrangler.
2c) Save the file params.h and go to part 3) compilation.
Once the compilation is done, Go to "Charset making "for the final part. (did I mention that you'll have to go under the hood?)
We can now start the compilation. In /John/src
3) In /John/src, type exactly, or copy/paste
- for the 32 bit version: make clean macosx-x86-sse2
- for the 64 bit version: make clean macosx-x86-64
Hit "Return" and plenty of things will appear on terminal screen, don't panic.
While waiting, and for the curious, you can open the file "makefile" with textwrangler and look at all the options, just in case you want to install JTR on a PowerPC Mac
The compile options look like:
@echo "macosx-x86-64 Mac OS X 10.5+, Xcode 3.0+, x86-64 with SSE2 (best)"
@echo "macosx-x86-64-opencl Mac OS X 10.5+, Xcode 3.0+, x86-64 with SSE2, OpenCL support"
@echo "macosx-x86-sse2 Mac OS X, x86 with SSE2"
@echo "macosx-ppc64 Mac OS X 10.4+, PowerPC 64-bit"
@echo "macosx-universal Mac OS X, Universal Binary (x86 + x86-64 + PPC)"
You'll also find all Linux options, just in case ....
4) Now that the install is done, test it by typing
cd /john/run
./john
☞ Warning: the ./ are mandatory and you must be in the proper /run directory If you try "john" as is, you'll receive an error.
You should see the short help for John The Ripper
If you see something like that:
bash: ./john: No such file or directory
it means that, either: The compilation has failed, or, that you have not typed the proper path/command. In both case, retry or re-read the above. All of it: You've failed once and that's probably for a good reason: rtfm!
Das Optimization!
We're going to glide over few things rapidly, for a deeper look at what does what, there is a folder named "doc" , inside they have docs!. Yay!
1) John, by default, runs on one core only. If you have a single core, it's good news, otherwise not so much. So let's test it , and type
./john --test=10 --format=raw-sha1-linkedin
after 10 sec, you see something like:Benchmarking: Raw SHA-1 LinkedIn [128/128 SSE2 4x]... DONE
Raw: 9540K c/s real, 9559K c/s virtual
Now, let's try something else, type
mpirun -np 2 ./john --test=10 --format=raw-sha1-linkedin
And the results are:
Benchmarking: Raw SHA-1 LinkedIn [128/128 SSE2 4x]... (2xMPI) DONE
Raw: 17655K c/s real, 18923K c/s virtual
This time, we were twice as fast. Yup! 2 cores. So if you have a quad core, try the "mpirun -np 4". (yes, Mr Trae, that's why your quadcore is apparently slower than my dual)
john.conf
2) Open Textwrangler app, and look for a file named john.conf in /john/run
open that file and make right away a backup, that you will intelligently call "backup_john.conf".
In this john.conf, you'll find roughly 2 types of configuration: General config and Rules config.
For instance look at the line:
# Use idle cycles only
Idle = Y
it means that John will only use the CPU power left Vs. requesting full power, hence you could (should) switch it to "No"Idle = Y
# Use idle cycles only
Idle = N
Idle = N
Look at the other options and choose what you want on/off. As a rule of thumb, don't finagle too much if you don't understand it, i.e trying funky settings such as [Incremental:All] MaxLen = 99
Still, you have a backup now, don't you? :) , so you can play a little...
2a) As we are going to talk about Wordlist, think about that line:
# Wordlist file name, to be used in batch mode
Wordlist = $JOHN/password.lst
the default wordlist in John is password.lst , and is crap. Using this wordlist will not take you far at all.
2b) if you have changed the name of the main directory for John, i.e JTR, you should change the parameter to $JTR/password.lst
2c) ditto with the password.lst, if you use mydic.txt , then change it too.
the easiest way is simply to keep the name password.lst, or to use the --wordlist option
2d) Wordlist itself
As mentioned above, the default password.lst is crap. if your wish to run john for weeks on end, keep it. Otherwise, get this Wordlist
Here is why: on default mode , John will first try the wordlist "as is" , then mingle it with rules contained in John.conf under [List.Rules:SIngle] for "Single crack Mode"
Once done, it will switch to incremental mode, All alphanumerical characters. one by one.
Problem: You are now at day 3, and you are seeing 0.00% progress. Why?
Because you are trying all possible combinations of 1 to 8 ch long, over 95 possible characters. it's called the Keyspace and that number is 6,704,780,954,517,120
it simply means that you'll see progress at 0.00% for few weeks....See you in 3 months...
In John the default length is 8 max and that also mean that a 10 ch long password will not be (cannot be cracked for sure) by the "All" method alone unless you go under the hood as explained below.
Bruteforce is, generally, and should be considered as the last resort: it very slow to complete the whole keyspace.
To discourage you a bit more, look below for the speed table and the "Speed the Things Up"
So, the solution resides in: a) a very good Wordlist, b) better [Rules] AKA "iRules" and some "finesse"
For instance, most websites today requires at 6 to 8 characters, made of at least numbers and letters, and sometimes number(s), letters and signs.
Bad news: It's longer to crack
Good news: The brain size of the average human has NOT increased that much
Hence, before, the dummy would have used "password" as password. Now they use "p@ssw0rd" or "p@55w0rd" and, as usual, people use mostly "words", as proof of concept:
lov3b3ans | Syr4cu$e | C0mmitted | fuzzym0nkey |inth3loop | L1fel0ng , etc etc
So, you end up with 3 choices.
-1 Have a 50,000 terabytes wordlist, along with 25,000 external HDD
-2 Have the patience of a buddhist monk
-3 Have an excellent wordlist coupled with intelligent rule that permutes a for @, append numbers at the end of a word, i.e linkedin1980, etc ..
And your choice is? -3? Good answer!
☞ If you have thought about a new cracking method, It's probably already in JtR. (Matt Weir) (quoted liberally)
John will try "as is" (rule= : ) [(not ;) or ;-)] you dummy, the rule is ":"
then apply funny rules such as "<* >2 !?A l $1" which in good ol' English means: # Lowercase pure alphabetic words and append '1'
As aforementioned, the dummy is absolutely convinced that "password123", or "P@ssw0rd123" is unbreakable, or even unguessable, that is until, our brights readers think about "<* >2 !?A l $123"
Out of the first 330,000 -unique- passwords (meaning dupes removed) that (we)* have cracked from the Linkedin hash dump, 1344 instances of "123" were found, along with 100's of "love", etc etc
Do you catch my drift? The snowball effect: The more you crack, the faster you crack the rest. Up till you reach the crazy ones ... :)
4- Use the most probable rules first and the really funky last, i.e: # Really weird charset conversions, like "england" -> "rmh;smf" (shifting one key to the right)
5- Preferably use a statistically sorted Wordlist, most used first: it will greatly reduce your running time and read the "rules" in the doc folder, you'll be then able to mingle anything without using 50,000 terabytes.
6- Lastly, there is a limit (memory / preprocessor ) on the number/complexity of the rules that you apply. You can go wild, but avoid the "crazy".
The proof of concept is demonstrated in the video.
Optimized john.conf is available for download at the end, but please, read the "Read me" and the command lines first
John The Ripper Commands and examples
the main options are the following
--session=[name]
--wordlist=[path and name]
--format=[format name]
--show [path and name of the hash file]
--restore=[session name]
--rules
--config
--loopback
--markov
--mask
☞ All options have a shorthand, for sake of clarity we here use the longhand.
i.e -ru = --rules ; -w = --wordlist. See /John/doc/examples
☞ To Abort John , use ctrl-c (control c) and NOT CTRL-Z. Also, press ctrl-c one time, not twice.
☞ We've mentioned to place John in a top directory, and to rename "john-1.7.9-jumbo-6 2" into "John". Indeed, you'll have to type command lines, and if you have placed john in a funny far-far away directory , the command line will most likely drive you crazy: Keep it simple!
☞ You can always drag and drop a file into terminal, it will automagically write the path for you. Without errors.
☞ If you do not know the hash type, john will find it for you, but it's always a bit better to force load one type of hash Vs. having John trying multiple hash, sometimes, one hash can be recognized under other names.
So, let's try John with the Linkedin dump (I suppose one could find it on the Internet with minimal Google-Fu competences)
Go to the appropriate directory AKA: /John/run and type
./john [path and name of the Linkedin hash file]
You'll see that John has found multiple possible hash and gives you (few) warnings
Warning: detected hash type "raw-sha1", but the string is also recognized as "raw-sha1-linkedin"
Use the "--format=raw-sha1-linkedin" option to force loading these as that type instead
--format
Hence, pretty clear that you should use, in that case, --format=raw-sha1-linkedin
So the command line goes as:
./john --format=raw-sha1-linkedin [path and name of the hash file]
--session
The --session option allows you to stop a session and restart where you left it later, useful, huh? Then use it!
./john -- session=linkedin --format=raw-sha1-linkedin [path and name of the hash file]
--restore
the --restore option allows you to restart an interupted session, with all the previous parameter just where you left it, pretty handy, huh?
/john -- restore=linkedin
--mask
the --mask option allows you to search a specific keyspace: If you have a good idea of what the password(s) could be, the mask option could save you a billion years or two. (not kidding)
Let's pretend that you forgot a password, and that somehow, you rememberer that it was composed of 3 digits, 3 letters and 3 signs.
?A is for everything
?a is for printable ASCII (English characters only, no funny è or ù)
?d is for digit
?l is for letters
?s is for signs
hence --mask=?d?d?d?l?l?l?s?s?s
In John the default length is 8 max and that also mean that a 10 ch long password will not be (cannot be cracked for sure) by the "All" method alone unless you go under the hood as explained below.
Bruteforce is, generally, and should be considered as the last resort: it very slow to complete the whole keyspace.
To discourage you a bit more, look below for the speed table and the "Speed the Things Up"
So, the solution resides in: a) a very good Wordlist, b) better [Rules] AKA "iRules" and some "finesse"
For instance, most websites today requires at 6 to 8 characters, made of at least numbers and letters, and sometimes number(s), letters and signs.
Bad news: It's longer to crack
Good news: The brain size of the average human has NOT increased that much
Hence, before, the dummy would have used "password" as password. Now they use "p@ssw0rd" or "p@55w0rd" and, as usual, people use mostly "words", as proof of concept:
lov3b3ans | Syr4cu$e | C0mmitted | fuzzym0nkey |inth3loop | L1fel0ng , etc etc
So, you end up with 3 choices.
-1 Have a 50,000 terabytes wordlist, along with 25,000 external HDD
-2 Have the patience of a buddhist monk
-3 Have an excellent wordlist coupled with intelligent rule that permutes a for @, append numbers at the end of a word, i.e linkedin1980, etc ..
And your choice is? -3? Good answer!
☞ If you have thought about a new cracking method, It's probably already in JtR. (Matt Weir) (quoted liberally)
John will try "as is" (rule= : ) [(not ;) or ;-)] you dummy, the rule is ":"
then apply funny rules such as "<* >2 !?A l $1" which in good ol' English means: # Lowercase pure alphabetic words and append '1'
As aforementioned, the dummy is absolutely convinced that "password123", or "P@ssw0rd123" is unbreakable, or even unguessable, that is until, our brights readers think about "<* >2 !?A l $123"
Out of the first 330,000 -unique- passwords (meaning dupes removed) that (we)* have cracked from the Linkedin hash dump, 1344 instances of "123" were found, along with 100's of "love", etc etc
Do you catch my drift? The snowball effect: The more you crack, the faster you crack the rest. Up till you reach the crazy ones ... :)
4- Use the most probable rules first and the really funky last, i.e: # Really weird charset conversions, like "england" -> "rmh;smf" (shifting one key to the right)
5- Preferably use a statistically sorted Wordlist, most used first: it will greatly reduce your running time and read the "rules" in the doc folder, you'll be then able to mingle anything without using 50,000 terabytes.
6- Lastly, there is a limit (memory / preprocessor ) on the number/complexity of the rules that you apply. You can go wild, but avoid the "crazy".
The proof of concept is demonstrated in the video.
Optimized john.conf is available for download at the end, but please, read the "Read me" and the command lines first
John The Ripper Commands and examples
the main options are the following
--session=[name]
--wordlist=[path and name]
--format=[format name]
--show [path and name of the hash file]
--restore=[session name]
--rules
--config
--loopback
--markov
--mask
☞ All options have a shorthand, for sake of clarity we here use the longhand.
i.e -ru = --rules ; -w = --wordlist. See /John/doc/examples
☞ To Abort John , use ctrl-c (control c) and NOT CTRL-Z. Also, press ctrl-c one time, not twice.
☞ We've mentioned to place John in a top directory, and to rename "john-1.7.9-jumbo-6 2" into "John". Indeed, you'll have to type command lines, and if you have placed john in a funny far-far away directory , the command line will most likely drive you crazy: Keep it simple!
☞ You can always drag and drop a file into terminal, it will automagically write the path for you. Without errors.
☞ If you do not know the hash type, john will find it for you, but it's always a bit better to force load one type of hash Vs. having John trying multiple hash, sometimes, one hash can be recognized under other names.
So, let's try John with the Linkedin dump (I suppose one could find it on the Internet with minimal Google-Fu competences)
Go to the appropriate directory AKA: /John/run and type
./john [path and name of the Linkedin hash file]
You'll see that John has found multiple possible hash and gives you (few) warnings
Warning: detected hash type "raw-sha1", but the string is also recognized as "raw-sha1-linkedin"
Use the "--format=raw-sha1-linkedin" option to force loading these as that type instead
--format
Hence, pretty clear that you should use, in that case, --format=raw-sha1-linkedin
So the command line goes as:
./john --format=raw-sha1-linkedin [path and name of the hash file]
--session
The --session option allows you to stop a session and restart where you left it later, useful, huh? Then use it!
./john -- session=linkedin --format=raw-sha1-linkedin [path and name of the hash file]
--restore
the --restore option allows you to restart an interupted session, with all the previous parameter just where you left it, pretty handy, huh?
/john -- restore=linkedin
--mask
the --mask option allows you to search a specific keyspace: If you have a good idea of what the password(s) could be, the mask option could save you a billion years or two. (not kidding)
Let's pretend that you forgot a password, and that somehow, you rememberer that it was composed of 3 digits, 3 letters and 3 signs.
?A is for everything
?a is for printable ASCII (English characters only, no funny è or ù)
?d is for digit
?l is for letters
?s is for signs
hence --mask=?d?d?d?l?l?l?s?s?s
Now, if you were fortunate enough to remember chunks of it, i.e. 123????@?, you could mask such as --mask=123?l?l?l?s@?s hence reducing the keyspace to 19,140,264 possible passwords candidates.
--wordlist
The --wordlist option is for a ... wordlist! yay! with the path if necessary.
If like me you have decided to rename your John directory into JTR, it is suggested that you use the --wordlist option , that is, if you have left your john.conf alone , see line Wordlist = $JOHN/password.lst in file john.conf
☞ Warning! on the 32bit version, if you attempt to use a --wordlist option with a dictionary greater than 2GB you may receive the following error: Error, dictionary file is empty.
1) count the lines with wc -l [filename]
1a) Divide by 2 (roughly) , and round it up to the next integer (full number)
2) Split the dictionary with split -l [#lines] . the output by default is xaa, xab, xac etc .
3) Don't use the the option by size , you'll end up cutting a password in 2.
./john -- session=linkedin --wordlist=masterpswd.txt --format=raw-sha1-linkedin [path and name of the hash file]
Loading multiple wordlists at once
John does not allow, by default, to load multiple Wordlists at once, but you can trick him.
The most probable reason why the maker of JtR have not implemented this option by default resides in a word of caution: Rules are going to be applied as described in your "whatever.conf"
Loading 300 million lines is one thing, having rules applied to 300 million is another altogether: If your Rules generate an output of 10,000 variations on ONE password, one could expect the simple math to be 10,000*300,000,000 = See you in 3 years
Hence: CURB YOUR ENTHUSIASM!
If you wish to do a quick chop-chop on large set of wordlists, edit/create a specific .conf file with very simple and very fast rules, i.e :,l,u,S , etc.
See /doc/Rules and what's below under --rules and --config
1) Create a directory in /John and name it "Wlist" or "Store". Anything you want but keep it short.
2) Place in it your favorites Wordlists, avoiding repeats and duplicates, even in the wordlists.
Solution: Where "Wlist" is the directory containing your Wordlists, and grabthefiles, an argument. You can replace grabmethefiles by anything that fits your mood.
Type: ls /John/Wlist | xargs -t -I grabthefiles ./john --session=xargs --wordlist=/John/Wlist/grabthefiles --rules [etc etc..... ]
☞ " xargs -t -I " it's a overscore "i" , not a l,L or | --> "xargs -t -I"
☞ xargs calls multiple times the same ./john command line changing each time for the correct wordlist, be aware that it is highly recommended to use --session otherwise, if you have to pause you'll have to restart from scratch.
The ETA is for each wordlists and not for the total time.
--rules
The --rules option call for a specific set of rules as defined in John.conf under names such as [List.Rules:Wordlist]
using --rules will call for all the rules, if you want to use only a specific set, i.e wordlist, then use --rules=wordlist
./john -- session=linkedin --wordlist=masterpswd.txt --rules=wordlist --format=[hash format] [path and name of the hash file]
☞ Be aware that calling a large set of rules could lead to some extra-extra time, always check that you are not performing a duplicate work. i.e calling twice the same rule or asking to lowercase an already all lower case wordlist.
☞ Rules are processed by a preprocessor. Writing extremely large rules or set of rules will send your memory usage off the chart. See John.log
--show
The option --show shows you the cracked hashes, it's best used with a redirection to a file
./john -- show [path and name of the hash file] > showpass.txt
To see what's left to crack, use --show=left
☞ The option --show works faster if you include the --format option
./john --show=left --format=[name] [path and name of the hash file] > showhash.txt
--config
The option --config=[name] allows you to use multiple configurations and set of rules. You can create your own configuration files and use it at will, i.e a "mini.conf" configuration to crack the easy one first. Don't forget that a wordlist that have 100m passphrases in it, mingled with 100 rules equals a 100x100m words equivalent. Translated in space, it like having, about, 95,000 MB worth of space. 95 TeraBytes
☞ See at the end for downloadable Config/Rules files
☞ See "Making List.Rules" before making 99 different config files
--loopback
--loop
A rarely used option. Too bad, it's a good one! The --loopback allows you to check against your john.pot file. You have already cracked some passwords and they are all stored in john.pot, hence you can re-use them for a quick check.
For a longer check, I'll give you a hint: those are real passwords: the ham not the spam! so re-use them with rules: If you have found "password" , you'll find "password123"
--Markov
A statistical attack derived from probabilistic stochastic processes. AKA Markov's Chains.
I am scaring the shit of of you with Markov, huh? I am not?
Well... don't be afraid ... I don't understand it myself. I read what I could, got a serious headache and decided not to pursue.
All I know is that it's working!
As a matter of fact it's working pretty darn well and it's really fast too.
Mr Andrey (Andrei) Andreyevich Markov (1856-1922) must be thrilled to know that we're all very satisfied with his research. Thank you Mr Markov!
As I don't understand the intricate details of Mr Markov thoughts, I switched to a highly scientific proven method: "The Empirical Poke Around"™
The --wordlist option is for a ... wordlist! yay! with the path if necessary.
If like me you have decided to rename your John directory into JTR, it is suggested that you use the --wordlist option , that is, if you have left your john.conf alone , see line Wordlist = $JOHN/password.lst in file john.conf
☞ Warning! on the 32bit version, if you attempt to use a --wordlist option with a dictionary greater than 2GB you may receive the following error: Error, dictionary file is empty.
1) count the lines with wc -l [filename]
1a) Divide by 2 (roughly) , and round it up to the next integer (full number)
2) Split the dictionary with split -l [#lines] . the output by default is xaa, xab, xac etc .
3) Don't use the the option by size , you'll end up cutting a password in 2.
./john -- session=linkedin --wordlist=masterpswd.txt --format=raw-sha1-linkedin [path and name of the hash file]
Loading multiple wordlists at once
John does not allow, by default, to load multiple Wordlists at once, but you can trick him.
The most probable reason why the maker of JtR have not implemented this option by default resides in a word of caution: Rules are going to be applied as described in your "whatever.conf"
Loading 300 million lines is one thing, having rules applied to 300 million is another altogether: If your Rules generate an output of 10,000 variations on ONE password, one could expect the simple math to be 10,000*300,000,000 = See you in 3 years
Hence: CURB YOUR ENTHUSIASM!
If you wish to do a quick chop-chop on large set of wordlists, edit/create a specific .conf file with very simple and very fast rules, i.e :,l,u,S , etc.
See /doc/Rules and what's below under --rules and --config
1) Create a directory in /John and name it "Wlist" or "Store". Anything you want but keep it short.
2) Place in it your favorites Wordlists, avoiding repeats and duplicates, even in the wordlists.
Solution: Where "Wlist" is the directory containing your Wordlists, and grabthefiles, an argument. You can replace grabmethefiles by anything that fits your mood.
Type: ls /John/Wlist | xargs -t -I grabthefiles ./john --session=xargs --wordlist=/John/Wlist/grabthefiles --rules [etc etc..... ]
☞ " xargs -t -I " it's a overscore "i" , not a l,L or | --> "xargs -t -I"
☞ xargs calls multiple times the same ./john command line changing each time for the correct wordlist, be aware that it is highly recommended to use --session otherwise, if you have to pause you'll have to restart from scratch.
The ETA is for each wordlists and not for the total time.
--rules
The --rules option call for a specific set of rules as defined in John.conf under names such as [List.Rules:Wordlist]
using --rules will call for all the rules, if you want to use only a specific set, i.e wordlist, then use --rules=wordlist
./john -- session=linkedin --wordlist=masterpswd.txt --rules=wordlist --format=[hash format] [path and name of the hash file]
☞ Be aware that calling a large set of rules could lead to some extra-extra time, always check that you are not performing a duplicate work. i.e calling twice the same rule or asking to lowercase an already all lower case wordlist.
☞ Rules are processed by a preprocessor. Writing extremely large rules or set of rules will send your memory usage off the chart. See John.log
--show
The option --show shows you the cracked hashes, it's best used with a redirection to a file
./john -- show [path and name of the hash file] > showpass.txt
To see what's left to crack, use --show=left
☞ The option --show works faster if you include the --format option
./john --show=left --format=[name] [path and name of the hash file] > showhash.txt
--config
The option --config=[name] allows you to use multiple configurations and set of rules. You can create your own configuration files and use it at will, i.e a "mini.conf" configuration to crack the easy one first. Don't forget that a wordlist that have 100m passphrases in it, mingled with 100 rules equals a 100x100m words equivalent. Translated in space, it like having, about, 95,000 MB worth of space. 95 TeraBytes
☞ See at the end for downloadable Config/Rules files
☞ See "Making List.Rules" before making 99 different config files
--loopback
--loop
A rarely used option. Too bad, it's a good one! The --loopback allows you to check against your john.pot file. You have already cracked some passwords and they are all stored in john.pot, hence you can re-use them for a quick check.
For a longer check, I'll give you a hint: those are real passwords: the ham not the spam! so re-use them with rules: If you have found "password" , you'll find "password123"
--Markov
A statistical attack derived from probabilistic stochastic processes. AKA Markov's Chains.
I am scaring the shit of of you with Markov, huh? I am not?
Well... don't be afraid ... I don't understand it myself. I read what I could, got a serious headache and decided not to pursue.
All I know is that it's working!
As a matter of fact it's working pretty darn well and it's really fast too.
Mr Andrey (Andrei) Andreyevich Markov (1856-1922) must be thrilled to know that we're all very satisfied with his research. Thank you Mr Markov!
As I don't understand the intricate details of Mr Markov thoughts, I switched to a highly scientific proven method: "The Empirical Poke Around"™
Hence, I poked around. Empirically.
First things first.
1) grab a high quality password file. Please be sure to use a US95 ASCII txt file (no é or ñ) unless you are using the -p option
2) in /John/run type ./calc_stat <name of dictionary file> stats
2) in /John/run type ./calc_stat <name of dictionary file> stats
3) let it work, it should take about 10 min, based on the Dic size.
When done type your average John command line, this time, include --Markov
./John --markov [path and name of hash file]
On the screen you'll see something as: MKV start (stats=$JOHN/stats, lvl=200 len=12 pwd=238032699)
and rapidly, Mr Markov will go to work ...
len=12 is the max password length to be tested
lvl=200 is the level.
pwd=238,032,699 is ...well, you've guessed.
"lvl" is what is going to increase or decrease the number of password generated. Try to stick between 200 and 250. At 300 my config generated 6,243,105,973,969 passwords. It's a bit too much. See the "Empirical Poke Around Graph"
You can modify those parameters in John.conf , or directly with --markov[modes]
./john --markov=230:0:0:12 (level, start, end, length)
The 0:0 values are start/end in %. 0:0 being the default, otherwise you need to put a %. i.e --markov=200:10%:20%:12
☞ Be aware that there is a bit of a catch: The Markov's Swiss Cheese Illogism™
- The lower the level, the lower the number of password generated, but the greater the quality, hence the fastest time... To crack the lowest amount of hashes.
- On the other hand: The higher the level, the greater the number of passwords generated, but with the lowest quality, hence the longest time... To crack the highest amount of hashes.
Do you follow me? The more holes in cheese, the less cheese. But the less cheese, the more holes. If the more holes, the more cheese. Hence more holes = more cheese.
Roughly to say that if you push the enceloppe a bit too high, you'll have such a large number of possibilities that you'll be close to bruteforcing. Keep the numbers between 150 and 250. (Surprise, the default value is 200)
The 0:0 values are start/end in %. 0:0 being the default, otherwise you need to put a %. i.e --markov=200:10%:20%:12
☞ Be aware that there is a bit of a catch: The Markov's Swiss Cheese Illogism™
- The lower the level, the lower the number of password generated, but the greater the quality, hence the fastest time... To crack the lowest amount of hashes.
- On the other hand: The higher the level, the greater the number of passwords generated, but with the lowest quality, hence the longest time... To crack the highest amount of hashes.
Do you follow me? The more holes in cheese, the less cheese. But the less cheese, the more holes. If the more holes, the more cheese. Hence more holes = more cheese.
Roughly to say that if you push the enceloppe a bit too high, you'll have such a large number of possibilities that you'll be close to bruteforcing. Keep the numbers between 150 and 250. (Surprise, the default value is 200)
Markvov Vs. Bruteforcing
I had about 1.5 million hashes left and it was getting harder to crack the remaining ones. Then I decided to test Markov Vs Bruteforcing, the -surprising- results are as follow:
Markov: guesses: 18,072 time: 0:01:30:00 c/s: 6654G
Bruteforce: guesses: 4,590 time: 1:07:04:57 c/s: 3817G
c/s Speed: Markov is 74% Faster than bruteforce: More bang for your buck!
r/t ( Passwords recovered / Tries ) Markov wins!
Recovery speed: Markov recovered 3.34 pswd/sec on average, Bruteforce 0.85 pswd/sec, which make Markov 394% faster
Markov will not recover all passwords, and cannot guess true random one, but you can attempt passwords length greater than bruteforce, on the other hand Bruteforce will recover any password under 10ch long. If you have the time.
EPAG
Empirical Poke Around Graph
Bruteforce: guesses: 4,590 time: 1:07:04:57 c/s: 3817G
c/s Speed: Markov is 74% Faster than bruteforce: More bang for your buck!
r/t ( Passwords recovered / Tries ) Markov wins!
Recovery speed: Markov recovered 3.34 pswd/sec on average, Bruteforce 0.85 pswd/sec, which make Markov 394% faster
Markov will not recover all passwords, and cannot guess true random one, but you can attempt passwords length greater than bruteforce, on the other hand Bruteforce will recover any password under 10ch long. If you have the time.
EPAG
Empirical Poke Around Graph
John.pot
John keeps a list of already cracked hash in run/John.pot, keep that file safe ...
the format looks like:
$dynamic_26$32bf58ba66ef765e214ca1b6fe70244dfe5b5427:link@din2010
[header:hash:password]
You can easily trim the fat with cut -c 51- [filename] > output.txt
51- being the # of ch to remove. yes, it is "51 dash" "dash 51" will leave the first 51 ch.
As many times mentioned, because we've found "link@din2010" , one could bet that we will find something close to it. Another genius has thought very hard and used "name of the website + year" or something in the same family ... So of course, we found relatives...
Here is the brother ...
2ce773d7ffbbe7491e51272783d1c6f411a1d34b:link@din2012
And the uncles...
033a2970983d5675152a6213d7d4228bc977399c:linkedinpass1234
6a9535be0d9ef156d5fa7465bd419d15843bb2b0:linkedinpass1402
01679a9ea64997f7e693159670329061c9dd22c3:linkedinpass1423
5077ab2005d5253f9b55b9b0979aa9401fcad706:linkedinpass1704
Bruteforce Vs. Wordlists + Rules
Bruteforce is extremely, extremely time consuming and should be used only as last resort, specifically for long -er passwords: Bruteforcing 2 to 5 ch long is fairly fast and easy, 6 to 7 is medium, 8 and above will test your determination. No need to mention 15 or 16...
Hence, you've already cracked the easy ones... i.e "password" you might want to re-use them.
As mentioned above, john.pot keeps track of the hashes previously cracked and will skip them and it's a good thing: No need to work on already cracked hashes. You should always try to chop-chop trough the easy ones first, then use bruteforce on last resort for the complex ones.
If you find "Linkedin", an (existing) rule can easily double the password: "LinkedinLinkedin" , then once either re-injected in a dictionary, re-used with --loopback or created via Rules, you could find "LinkedinLinkedin2012" or "L!nk3d1nL!nk3d1n2012"
Finding such "L!nk3d1nL!nk3d1n" by mean of simple bruteforce is not a job for you! it's a job for your grandgrandgrandgrand son, or daughter: Seriously, limit yourself to less than 8 ch long unless you own a very-very fast machine.
What Mr Dingbat could have done was to use roman characters, i.e é, ñ, an uppercase, sign, and number. i.e 1966L!ñkédin1966 That would have forced you on the whole range of printable ASCII. You will be then, pretty much dead in the water.
Don't get me wrong, it is still a stupid password because of the pattern, but it's a whole lot stronger ... by a factor of 104, or 10,406% stronger
Now, take the same stuff and use Rules .... What was extremely far far away is now feasible: we know that "linkedin" is a big fave, we know that people like appending and/or prefixing numbers, and we know that using "!" for "i" will not get you a Nobel Prize.
Proof that it's easily feasible with Rules? I did it!
Check the quick analysys of the Linkedin passwords at the end.
Bruteforcing Speed
Disclaimer: This section was specifically written to discourage you.
The good news is that JtR does not bruteforce stupidly in order (0, 00, 000 etc) JtR uses an algorithm to generate a smart-er bruteforcing order. Nevertheless...
Bruteforcing 4 ch long is very fast, 5 is ok, 6 is slow, etc
here are the speed for an average machine, one core running, No GPU, on raw sha1,
length Keyspace Key/sec Time
1 to 4 ch long 82,317,120 ~ 2,655,391 31 Seconds
1 to 5 7,820,126,495 ~ 2,655,391 46 minutes
1 to 6 742,912,017,120 ~ 2,655,391 73 hours
1 to 7 70,576,641,626,495 ~ 2,655,391 289 days
1 to 8 6,704,780,954,517,020 ~ 2,655,391 75 years
There you have it.
Even if you have a fast machine, you'll still be waiting for few years. In order to go into the "Weeks" or "Days", it's GPU assisted only. A good GC/GPU will take you into warp speed, tests on This Card are showing results as high as 8.2 billion passwords/second.
With a single of one of those, your ETA goes from 75 years to 23 hours.
One notable counter intuitive perception is that, the smaller the hash file, the slower the speed (in c/s, not in overall time) and not the logical opposite, and this is due on the inner working of any Cracking program, lemme explain...
A Cracking program does not "guess" or reverse engineer the hash, it simply compares it.
1) You feed the program a test password, i.e password1
2) A hash is generated: e38ad214943daad1d64c102faec29de4afe9da3d
3) The program compares it with the list you provided.
If there is a match, good news. If not, then try again with another test password.
And that's why: It's faster to compare 1 generated hash against a large list of existing ones than to have to generate a lot of hashes to compare to a small list. Generate one, compare to millions Vs. Generate millions to compare to few.
6,2 million hash list c/s speed = 4,284,000,000,000 c/s
10 (ten) hash list c/s speed = 17,859,000 c/s
Speed the thing up! (Part One)
You can go two ways: get the fastest machine or get smart:
Get smart is even faster then the fastest machine...
Get some geeky friend to help you.
1) Each member of the team choose a mode or a set of different rules, and start working on it's own piece. Going trough long rules alone can be a long long project, when the rules/modes are divided amongst individuals it works much faster.
In the mean time, share a dropbox folder with your friends.
After 45 min or so, do a ctrl-c to stop the session and do a:
./john --show [hashfile] > /dropbox/public/sharedfolder/showpass_myname.txt
Your friends having done the same, you have x password files. Use Textwrangler to concatenate them, clean and remove the dupes in it, and rename as showpass_all.txt, you can now use that file to expand your wordlist(s), i.e a common bigdic.txt that everyone will use (put the new password first) Each time someone will update the file, Dropbox will update it too, hence you always have the latest copy. Simply point John --wordlist= to that location and from time to time, restart the crack under different session name.
The concepts behind it are:
a) Distribution of the attack: You have now 12, 20 or even 40 cores working
b) Faster use of complex rules
c) Greater chances to crack reoccurring passwords much faster: In a dump like Linkedin, some patterns passwords are present up to 900 times, i.e link, l!nked!n , etc
If you had a 40 cores, you still have to go trough the hash one by one.
As you are now criss-crossing your results with your friends using a file that contains everybody's result, you do not need to spend time crack a password already found.
Remember? the first rule of wordlist is "as is"
This solution is faster than "40 cores" alone. Don't reinvent the wheel....
(we)* : Thanks to:
Terek, Score 40%
Trae, Score 0% (aka ADHD Boy) QuadCore i7 running on one leg ;)
Speed the thing up! (Part Two)
let's be clear: Rules Rules!
Without Rules, Markov aside, you would be condemned to two main "solutions"
1) Endless Wordlist, 50,000 TeraBytes of it, and $200,000 worth of Hard Drive.
2) Bruteforcing for the next century, and a $200,000 utility bill.
Rules allow you to generate or re-generate new passwords to be tested, and also, to do it much faster than anything else, plus you would NOT have the space to store such wordlists.
The KISF Rule
Keep it Simple First!
Before going bonkers with complex rules (that will make you proud) why don't you try the simple ones first? They are fast and replicate human mnemonic patterns: Capitalize, Upper, Mirror, duplicate, etc etc. Did I mention the docs? Where rules are explained?
Rules Vs. Endless Wordlists
Rules are not as fast as reading directly, (yes, you are using some CPU/memory to generate them) but the space saved is huge. Futhermore, you can turn on/off rules, add, mingle or remove , etc. With gigormous wordlist, (aka bragging rights wordlists on the internet for 100 or 200GB list*) you have to store them, edit them -if you can-, etc . Good luck with that. The solution resides again in an excellent set of Wordlist and a solid set of rules. ( *Bragging rights: 200 GB WPA(?) Wordlist )
The caveat is that, reading rules, understanding and editing them will give you a serious headache. Example: -[:c] l /a /l /[os] sa4 sl1 s\0\p[0$] (?\p1[za] \p1[:c] Well, that's not the most friendly thing to understand.
...Knowing grep will help you a bit, but ... as you've read so far... you deserve a little bonus for your perseverance:
John The Ripper Rules Generator!
- Yay!
By Matt Weir **
No only you will generate rules easily, without needing a Costco sized bottle of aspirin, but you'll quickly learn the tricks and syntax. Otherwise, read the doc in JtR and order aspirin by the pound.
i.e , Swap Case of all Keyboard Values, Reverse, Concatenate, even modify the Character Set. G-d bless you Matt Weir!
Where? : https://sites.google.com/site/reusablesec2/jtrconfiggenerator
Prerequisite? : Xcode / gcc
How? : sudo --user --shall readtheefingdoc
run? : ./jtrMakeConfig
If for whatever reason you do NOT wish to use the JtR Configuration Generator, you'll want to look at one of those things... It will feel the same ... a big PIA
Nevertheless, always check your rules with a small test file, just to avoid duplicates or very slow stuff: Loading 50,000 rules is un-efficient. Having an ETA of +50 days should be a sign...Believe me, I have made mistakes ...
Strategies ..
- First, when you hear about a large dump being released, you Google it and try to find the dump. Seconds after the download started, you should start Google-ing again for the first cracked passwords: Someone out there is faster than you, has a better machine(s), and has already cracked few of them. In order to comply with the "Bragging Rights Theory", short list may have been published, those will help you a lot to start your crack. Get them, and keep on Googling from time to time.
Also, it's highly possible that by the time you find a link or a paste, the sole answer will be "content no longer available". In that case one could thank Google for the feature called Google Cache. Thank you Mr Google for that. Try it ;-)
- Start small, good dictionary, small rules: Each time a hash is cracked, it's stored in John.pot and will not be reloaded. Each time it's cracked, JtR goes faster ....
- Check the (hash) source if you can, i.e the website. For instance, American Express has stupid rules for passwords: no spaces, only % & _ ? # = - and best of all, is not case sensitive. Hence, it has greatly reduced your workload. If a website does not allow certain charaters, just don't use them. If the website has a policy of "minimum 8 ch long", don't attempt to bruteforce 0-7. You'll save few hours. (If you have ever attempted to crack a zero Ch. long password, please seek medical attention immediately)
- use --loopback and from time to time , append your wordlist with the already cracked passwords
- use pipal or PACK to generate an analysis of what's been cracked, always useful to see a pattern or the most used strings
In the case of the Linkedin dump for example, you can try a small bruteforcing in the middle, 1-6 ch long, you'll always find something to chew on, 7 ch is slow, 8 is very slow...
- use the option --mkpc=1 and check your john.log file: You'll see which rule is associated with the cracked password, then make an educated guess...
Making List.Rules
Open John.conf with TextWrangler and start looking for lines that contains [List.Rules."Whatever"]
Those are "paragraphs" stating a set of rules to be called by the option --rules="whatever"
i.e --rules=jumbo
You can create your own paragraphs with your own set of rules, i.e [List.Rules.Veryfast]
Include in it "very fast" rules such as "as is" "Capitalize" "Duplicate" etc ...
it might look like that ...
##### Veryfast #####
[List.Rules.Veryfast]
# no-op: do nothing to the input word
:
# convert to lowercase
l
# convert to uppercase
u
# capitalize
c
# lowercase the first character, and uppercase the rest
C
# toggle case of all characters in the word
t
# reverse: "Fred" -> "derF"
r
# duplicate: "Fred" -> "FredFred"
d
# reflect: "Fred" -> "FredderF"
f
# rotate the word left: "jsmith" -> "smithj"
{
# rotate the word right: "smithj" -> "jsmith"
}
##### End Of Veryfast #####
☞ Before going wild, double check that you are not calling duplicate rules, or you'll be doing double work for nothing. i.e ":" (Trying "as is", No op ) is already called in [List.Rules.Single], [List.Rules.Wordlist]. As [List.Rules.Jumbo] also calls "Wordlist", if you add an extra one, your hash will only be checked for a fourth time. ;-)
Length control
If you know that the password you are looking for is of a certain character length, or range, i.e 8ch long, there is no need for you to check anything outside that range. In that case limit the search by adding a character length limitation, you can gain a huge amount of time.
Example: limiting to 8 ch long
# Trying 8 ch long only
[List.Rules:8only]
>7'8
# End of Trying 8 ch long only
The first >7 reject any word that is less than 8 ch long
The second '8 truncates words greater than length 8
You can, of course, add this control to other rule commands, i.e
$[0-9]>7'8
The above suffix a number and limits the length of the password tested.
IF the password tested is:
America --> America0 , then America1 etc etc...
IF the password tested is:
UnitedStates --> UnitedSt (truncated at 8, without adding the digits)
Rules that calls Rules
Look for the Rule called [List.Rules.Jumbo] and you'll quickly understand that you can call sub-rules. [List.Rules.Jumbo] calls the rules "Wordlist" then "Single" then "Extra", etc.
Example:
# For Wordlist mode and very fast hashes
[List.Rules:Jumbo]
.include [List.Rules:Wordlist]
.include [List.Rules:Single]
.include [List.Rules:Extra]
.include [List.Rules:NT]
Hence, you can also create your own [List.Rules.Myrules] by using .include [List.Rules:Whatever]
Again, be aware that some rules are going to be called twice when using "Jumbo", or that you'll call subrules twice too, hence double check -again- that your set does not call again the same rules over and over again, i.e using [List.Rules:Jumbo] and [List.Rules:Single-Extra]
Ordered Rules?
Let's go back to Mr Dingbat and Friends, The append/prefix a number to a password is obvious. In JtR, the rule to append a digit to a password is $ "your digit" such as $a will add an "a" at the end .For a number $1, for a range $[0-9] or $[0123456789]
Got it?
$a password >> passworda
$[123] password >> password1, password2, password3 (no 4 and 5, you didn't ask)
To be able to add more than, you repeat ...
$[0-9]$[0-9]$[0-9] password >> password000 to password999
hence, the following
$[0-9]
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]
Will go from append 0 to 999,999. Repeat the same rule but interchange $ for ^, and you'll prefix.
You have now 999,999 + 999,000 permutation per password.
Take a 50m line wordlist and John will develop it into a virtual 99,999,950,000,000 password list. That's 99,999 billions. So, again, to wrap your mind around it, it's about 5,500 2TB Hard Drive worth of space,or in moolah: $675,000 (Geez, the money you save reading this blog)
So, Rules is a no brainer, but .... 99,999,950,000,000 passwords, it's going to take a while... ETA +30 days and the question is asked: Do the order of rules impact the cracking speed?
Yes and yes
a) The more cracked passwords, the greater your chance to see a pattern, leading to more passwords being recovered.
b) Due to the human nature, what would be more unlikely? Mr Dingbat appending and prefixing 5 or 2 digits?
Let's grep it and we'll find out!
Out of about 50% of the passwords cracked, the distribution indicates such patterns:
abc..00 593,914 hits , or 17% of the total
abc..0000 400,114 11.4%
abc..0 367,969 10.5%
abc..000 219,942 6.3%
0abc... 79,224 2.3%
down to ..
00000abc.. 5,200 0.1%
Hence the logical order of trying 1,2,3,4,5,6 digit either after or before is not the most optimized and will take you longer. The proper order in that case would be:
(Warning slow stuff!!!)
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]
$[0-9]$[0-9]$[0-9]
^[0-9]
^[0-9]^[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]
Terek, Score 40%
Trae, Score 0% (aka ADHD Boy) QuadCore i7 running on one leg ;)
Speed the thing up! (Part Two)
let's be clear: Rules Rules!
Without Rules, Markov aside, you would be condemned to two main "solutions"
1) Endless Wordlist, 50,000 TeraBytes of it, and $200,000 worth of Hard Drive.
2) Bruteforcing for the next century, and a $200,000 utility bill.
Rules allow you to generate or re-generate new passwords to be tested, and also, to do it much faster than anything else, plus you would NOT have the space to store such wordlists.
The KISF Rule
Keep it Simple First!
Before going bonkers with complex rules (that will make you proud) why don't you try the simple ones first? They are fast and replicate human mnemonic patterns: Capitalize, Upper, Mirror, duplicate, etc etc. Did I mention the docs? Where rules are explained?
Rules Vs. Endless Wordlists
Rules are not as fast as reading directly, (yes, you are using some CPU/memory to generate them) but the space saved is huge. Futhermore, you can turn on/off rules, add, mingle or remove , etc. With gigormous wordlist, (aka bragging rights wordlists on the internet for 100 or 200GB list*) you have to store them, edit them -if you can-, etc . Good luck with that. The solution resides again in an excellent set of Wordlist and a solid set of rules. ( *Bragging rights: 200 GB WPA(?) Wordlist )
The caveat is that, reading rules, understanding and editing them will give you a serious headache. Example: -[:c] l /a /l /[os] sa4 sl1 s\0\p[0$] (?\p1[za] \p1[:c] Well, that's not the most friendly thing to understand.
...Knowing grep will help you a bit, but ... as you've read so far... you deserve a little bonus for your perseverance:
John The Ripper Rules Generator!
- Yay!
By Matt Weir **
No only you will generate rules easily, without needing a Costco sized bottle of aspirin, but you'll quickly learn the tricks and syntax. Otherwise, read the doc in JtR and order aspirin by the pound.
i.e , Swap Case of all Keyboard Values, Reverse, Concatenate, even modify the Character Set. G-d bless you Matt Weir!
Where? : https://sites.google.com/site/reusablesec2/jtrconfiggenerator
Prerequisite? : Xcode / gcc
How? : sudo --user --shall readtheefingdoc
run? : ./jtrMakeConfig
If for whatever reason you do NOT wish to use the JtR Configuration Generator, you'll want to look at one of those things... It will feel the same ... a big PIA
Nevertheless, always check your rules with a small test file, just to avoid duplicates or very slow stuff: Loading 50,000 rules is un-efficient. Having an ETA of +50 days should be a sign...Believe me, I have made mistakes ...
Strategies ..
- First, when you hear about a large dump being released, you Google it and try to find the dump. Seconds after the download started, you should start Google-ing again for the first cracked passwords: Someone out there is faster than you, has a better machine(s), and has already cracked few of them. In order to comply with the "Bragging Rights Theory", short list may have been published, those will help you a lot to start your crack. Get them, and keep on Googling from time to time.
Also, it's highly possible that by the time you find a link or a paste, the sole answer will be "content no longer available". In that case one could thank Google for the feature called Google Cache. Thank you Mr Google for that. Try it ;-)
- Start small, good dictionary, small rules: Each time a hash is cracked, it's stored in John.pot and will not be reloaded. Each time it's cracked, JtR goes faster ....
- Check the (hash) source if you can, i.e the website. For instance, American Express has stupid rules for passwords: no spaces, only % & _ ? # = - and best of all, is not case sensitive. Hence, it has greatly reduced your workload. If a website does not allow certain charaters, just don't use them. If the website has a policy of "minimum 8 ch long", don't attempt to bruteforce 0-7. You'll save few hours. (If you have ever attempted to crack a zero Ch. long password, please seek medical attention immediately)
- use --loopback and from time to time , append your wordlist with the already cracked passwords
- use pipal or PACK to generate an analysis of what's been cracked, always useful to see a pattern or the most used strings
In the case of the Linkedin dump for example, you can try a small bruteforcing in the middle, 1-6 ch long, you'll always find something to chew on, 7 ch is slow, 8 is very slow...
- use the option --mkpc=1 and check your john.log file: You'll see which rule is associated with the cracked password, then make an educated guess...
Making List.Rules
Open John.conf with TextWrangler and start looking for lines that contains [List.Rules."Whatever"]
Those are "paragraphs" stating a set of rules to be called by the option --rules="whatever"
i.e --rules=jumbo
You can create your own paragraphs with your own set of rules, i.e [List.Rules.Veryfast]
Include in it "very fast" rules such as "as is" "Capitalize" "Duplicate" etc ...
it might look like that ...
##### Veryfast #####
[List.Rules.Veryfast]
# no-op: do nothing to the input word
:
# convert to lowercase
l
# convert to uppercase
u
# capitalize
c
# lowercase the first character, and uppercase the rest
C
# toggle case of all characters in the word
t
# reverse: "Fred" -> "derF"
r
# duplicate: "Fred" -> "FredFred"
d
# reflect: "Fred" -> "FredderF"
f
# rotate the word left: "jsmith" -> "smithj"
{
# rotate the word right: "smithj" -> "jsmith"
}
##### End Of Veryfast #####
☞ Before going wild, double check that you are not calling duplicate rules, or you'll be doing double work for nothing. i.e ":" (Trying "as is", No op ) is already called in [List.Rules.Single], [List.Rules.Wordlist]. As [List.Rules.Jumbo] also calls "Wordlist", if you add an extra one, your hash will only be checked for a fourth time. ;-)
Length control
If you know that the password you are looking for is of a certain character length, or range, i.e 8ch long, there is no need for you to check anything outside that range. In that case limit the search by adding a character length limitation, you can gain a huge amount of time.
Example: limiting to 8 ch long
# Trying 8 ch long only
[List.Rules:8only]
>7'8
# End of Trying 8 ch long only
The first >7 reject any word that is less than 8 ch long
The second '8 truncates words greater than length 8
You can, of course, add this control to other rule commands, i.e
$[0-9]>7'8
The above suffix a number and limits the length of the password tested.
IF the password tested is:
America --> America0 , then America1 etc etc...
IF the password tested is:
UnitedStates --> UnitedSt (truncated at 8, without adding the digits)
Rules that calls Rules
Look for the Rule called [List.Rules.Jumbo] and you'll quickly understand that you can call sub-rules. [List.Rules.Jumbo] calls the rules "Wordlist" then "Single" then "Extra", etc.
Example:
# For Wordlist mode and very fast hashes
[List.Rules:Jumbo]
.include [List.Rules:Wordlist]
.include [List.Rules:Single]
.include [List.Rules:Extra]
.include [List.Rules:NT]
Hence, you can also create your own [List.Rules.Myrules] by using .include [List.Rules:Whatever]
Again, be aware that some rules are going to be called twice when using "Jumbo", or that you'll call subrules twice too, hence double check -again- that your set does not call again the same rules over and over again, i.e using [List.Rules:Jumbo] and [List.Rules:Single-Extra]
Ordered Rules?
Let's go back to Mr Dingbat and Friends, The append/prefix a number to a password is obvious. In JtR, the rule to append a digit to a password is $ "your digit" such as $a will add an "a" at the end .For a number $1, for a range $[0-9] or $[0123456789]
Got it?
$a password >> passworda
$[123] password >> password1, password2, password3 (no 4 and 5, you didn't ask)
To be able to add more than, you repeat ...
$[0-9]$[0-9]$[0-9] password >> password000 to password999
hence, the following
$[0-9]
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]
Will go from append 0 to 999,999. Repeat the same rule but interchange $ for ^, and you'll prefix.
You have now 999,999 + 999,000 permutation per password.
Take a 50m line wordlist and John will develop it into a virtual 99,999,950,000,000 password list. That's 99,999 billions. So, again, to wrap your mind around it, it's about 5,500 2TB Hard Drive worth of space,or in moolah: $675,000 (Geez, the money you save reading this blog)
So, Rules is a no brainer, but .... 99,999,950,000,000 passwords, it's going to take a while... ETA +30 days and the question is asked: Do the order of rules impact the cracking speed?
Yes and yes
a) The more cracked passwords, the greater your chance to see a pattern, leading to more passwords being recovered.
b) Due to the human nature, what would be more unlikely? Mr Dingbat appending and prefixing 5 or 2 digits?
Let's grep it and we'll find out!
Out of about 50% of the passwords cracked, the distribution indicates such patterns:
abc..00 593,914 hits , or 17% of the total
abc..0000 400,114 11.4%
abc..0 367,969 10.5%
abc..000 219,942 6.3%
0abc... 79,224 2.3%
down to ..
00000abc.. 5,200 0.1%
Hence the logical order of trying 1,2,3,4,5,6 digit either after or before is not the most optimized and will take you longer. The proper order in that case would be:
(Warning slow stuff!!!)
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]
$[0-9]$[0-9]$[0-9]
^[0-9]
^[0-9]^[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]
Charset making
This section is specific to part 2) Bruteforcing Longer than 8ch long
Having modified params.h is a prerequisite, as described in 2)
You can always re-compile if you've missed it the first time.
Before doing it, we recommend that your John.pot has gain some "fat": crack few hashes
1) Open Terminal and go to your /John/run folder
1a) Run ./John --make-charset=[choose a name].chr
i.e ./John --make-charset=longforce.chr
hit return and wait for John to finish
2) Open John.conf with TextWrangler
2a) Look for the section containing " # Incremental Modes"
2b) copy the part
[Incremental:All]
File = $JOHN/all.chr
MinLen = 1
MaxLen = 8
CharCount = 95
Paste below and change the parameters to match your hopes, example:
[Incremental:longforce]
File = $JOHN/longforce.chr
MinLen = 10
MaxLen = 15
CharCount = 95
"longforce" being the incremental name, "longforce.chr" the charset name, "MinLen" the Minimum paswd length tested , and MaxLen the max one.
Min/max 10-15 is already a stupid long keyspace, hence you can create as many section as you wish , i.e "longforce13" and only attempt to Bruteforce 13 long passwords
MinLen = 13
MaxLen = 13
( I would limit myself to a specific time frame, i.e a day or two.)
When ready, just run ./john --incremental=longforce13 [other useful parameters ....]
☞ You can always run one instance of John per Core. 4 Cores, 4 Instances. Each of them running a separate "bruteforcing" length i.e 10,11,12,13 ch long.
That should keep you busy for a while...
** Matt Weir
If you want the advice of a real specialist, you might want to read Matt Weir's blog
http://reusablesec.blogspot.com/
Matt has now left this earth... Well...no, he is still alive, he has just stopped blogging for professional reason. He's a bit like Obi-Wan Kenobi: not here anymore, but you can still feel The Force.
Just like Elvis, there have been some sightings! The last report of a Matt Weir sighting was at DEFCON2012. If you have experienced such, please report your findings immediately.
Matt Weir has also made some optimized (scientifically optimized, (It's Dr. Weir)) Config, you can read about it, and even download them:
Matt Weir's Pack o' Configs You M.U.S.T read the little "read me" in each file!
Optimizing john single mode
Follow up on single mode
Kore Logic Rules, Modified by Solar Designer himself (The Creator of JtR)
Theses are "rules" and not a "John.conf" with rules
Update, Sept '12
As soon as the article was done, The JtR Team made few improvements :)
- A GUI JtR was released for Linux
- A Newer pre-compiled Version of JtR Jumbo 1.7.9 was released too
Nevertheless, there is always a delay between the most recent JtR version and the JtR, Hence compile it yourself.
ALLA
(Another Linkedin Lame Analysis)
Fun Fact about the Linkedin dump
First Character usage, Most used first
ae1iInrosl0t2mdc3uh9kb748g5p6yjfvwzxASMLB!RCTEq@NDPGHKOJF$.#W*UV_Y-Z&XQ+%/?,=);(^':~["^<]>|{}
Hypothesis:
Even though the keyspace remains the same than an alphanumericaly sorted character set, a sorted by usage Charset should be slightly faster as more hash -should- be cracked earlier.
The analysis of the 1st to 6th characters distribution indicates almost a constant pattern.
Does anyone has a documented opinion? Anyone?
Distribution of first to sixth Ch.
Character usage, Reversed
}{|>]<^"[~:'^(;)=,?/%+QX&Z-Y_VU*W#.$FJOKHGPDN@qETCR!BLMSAxzwvfjy6p5g847bk9hu3cdm2t0lsorniI1ea
Most "unlikely" password
}{|>]<^"[~:'^(;)=,?/%+QX&
The ones that are hard to find:
(fund 123) קרן 123
привет (Hello)
سعمفشى (Sultan)
قخنشغش (Rokaya)
Comments:
Please, if you leave a comment, let us know:
1) Your OS version
2) The JtR Version
3) Your machine type
Also, it's cd /john/src and not /john/src
cd as Change Directory
Hypothesis:
Even though the keyspace remains the same than an alphanumericaly sorted character set, a sorted by usage Charset should be slightly faster as more hash -should- be cracked earlier.
The analysis of the 1st to 6th characters distribution indicates almost a constant pattern.
Does anyone has a documented opinion? Anyone?
Distribution of first to sixth Ch.
Click To Enlarge |
Character usage, Reversed
}{|>]<^"[~:'^(;)=,?/%+QX&Z-Y_VU*W#.$FJOKHGPDN@qETCR!BLMSAxzwvfjy6p5g847bk9hu3cdm2t0lsorniI1ea
Most "unlikely" password
}{|>]<^"[~:'^(;)=,?/%+QX&
The ones that are hard to find:
(fund 123) קרן 123
привет (Hello)
سعمفشى (Sultan)
قخنشغش (Rokaya)
Comments:
Please, if you leave a comment, let us know:
1) Your OS version
2) The JtR Version
3) Your machine type
Also, it's cd /john/src and not /john/src
cd as Change Directory
I tried the "make clean macosx-x86-sse2" command in the src folder but it told me "-bash: make: command not found"
ReplyDeleteCheck step 1, xcode
DeleteHaha, it sounds so pathetic that I didn't follow the first step. I initially did attempt to download xcode but the app store said I needed os x 1.7.4 (or later) to install it. I just thought I could at least get through the jtr install without it.
DeleteYup, That's why it's called "Step 1"
Deletemake[1]: mpicc: No such file or directory
ReplyDeletemake[1]: *** [john-mpi.o] Error 1
make: *** [macosx-x86-sse2] Error 2
i get both of these whenever i run either of the make clean commands, and i can't get passed that step.
am I missing anything?
"am I missing anything?"
DeleteYou could start by mentioning your OS and the version of JtR you are trying to install ...
That would greatly help ....
Mac osx 10.8.2
Deletejohn 1.7.9 jumbo 5
The last version of John is 1.7.9 Jumbo 6 , or even 9 on Unix
Deleteplease use the latest version
the line "make: *** [macosx-x86-sse2] Error 2" seems to indicate that you asked for a 32 bit version of JtR
Mac OS 10.8.2 is 64-bit only
- for the 64 bit version: make clean macosx-x86-64
when I tried the 64 bit it did the same thing.
DeleteEvery time a downloaded a Jumbo 6, it didn't have an src folder. Would you happen to have a link to one that does?
"Every time a downloaded a Jumbo 6, it didn't have an src folder."
DeleteI tried 2 minutes ago. There is a SRC folder. Ver. john-1.7.9-jumbo-7
Apparently, you are downloading a pre-compiled version, and trying to compile it again, or doing something really silly. I am almost ready to ask the following: Did you untar the download?
Try the following link, This too shall pass ....
http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
You are wrong Admin, Jacob have an Normal & logic error, beacause since LION & Now Mountain Lion, have no more OpenMPI included on OSX, you have to download again & intall openMPI as well on your MAC.
ReplyDeleteYou haven't the error Admin, beacause you use Leopard or Snow Leopard
My 2 cent's ;-)
Thanks for your 2 cents, I'll double check. Nevertheless, the source folder "SRC" should be present, 10.7, 10.8 or Not.
DeleteNewAngels is right, no OpenMPI since 10.7. After making sure the latest version of Xcode is installed head over to
ReplyDeletehttp://www.open-mpi.org/software/
and download the latest source of openmpi (1.6.4 right now). Download the source code as .tar.gz, then
tar zxvf openmpi-1.6.1.tar.gz
cd into the created directory and
./configure --prefix=/usr/local
if configuration runs without issues, compile the code by
make all
if the code compiles without issues, install by
sudo make all
Once installed compiling JTR Jumbo will work without any issue
Volker,
DeleteI apologize, I completely forgot to thank you for your input.
That last step should be:
Deletesudo make all install
Hi. Same as Jacob.
ReplyDeleteI get:
make[1]: mpicc: No such file or directory
make[1]: *** [john-mpi.o] Error 1
make: *** [macosx-x86-64] Error 2
When I try to do either make clean command.
Mac OSx 10.8.3 Mountain Lion
Ver. john-1.7.9-jumbo-7
Thanks.
Is there any useful tutorials on how to use JtR against an encrypted DMG file? I have one which I forgot the password. I have compiled JtR and gotten a decent wordlist to use, but I can't seem to find any clear examples of how to set the options for JtR to try and crack it. Any suggestions?
ReplyDeleteThanks
I could write an extension to this article, but it will not be done in the next few days, or at least in details...
DeleteThe generic version of JTR does not work on AES, you have to get the bleeding jumbo.
The main issue, and I want to REALLY stress this out, is the fact that an AES Encryption is a REALLY slow hash. Meaning that the number of tries per second is extremely slow compared to a SHA-1 for example.
If you have no idea of what the password was made of, or if do not know what characters were used, you'll end up with too many possibilities for a human lifetime of work.
I am all for a good Wordlist, BUT, I would seriously consider taking a deep look at the "Rules"
IF your password is 8ch long, and IF you have somehow limited the possible keyspace to 20 characters, you'll then need a wordlist of
(8^20)*8 bit of space = 1,099,460,249,953 MB in size
Be aware that you also need a FAST machine...
AES is NSA/CIA grade encryption. You're not watching a movie.
posted
Deletehttp://easymactips.blogspot.com/2013/07/how-to-crack-dmg-encrypted-dmg-file.html
Thanks for the reply. I think with the rules I can likely narrow it down a bit but I complete understand your point. (You mean they don't do realtime password cracking in the movies??? ha!) I just haven't been able to find much in the docs and examples about how to setup the command line params for a DMG file. Maybe I've been searching for the wrong words and should have searched more with AES encryption instead of DMG's but there hasn't been a lot useful I've found. I did just compile the latest jumbo version but I think I didn't hit the bleeding edge version so I'll go back there and check that out. And unlike some, this isn't a "must get this cracked now" kinda thing. I'd like to get my files back soon but if there lost, there lost, so I don't mind firing it off and letting the job run. Secondarily, I do have access to an compute cluster I could launch the thing off on too, again but as a novice at this, figuring out how to configure it to run on the cluster doesnt sound like it'll be an easy task.
ReplyDeleteThanks again for any direction you can offer.
the command line params for a DMG file"
ReplyDelete-- They are the same as for any other hash. mpirun -np[cores] ./ john [option] [option] [option] dmg.txt
depending on what/where you do it, you may want to use the idle cycle or not.
Also, thinking about --session is a good thing
" And unlike some, this isn't a "must get this cracked now" kinda thing."
-- It's a good thing, because most likely, you'll need the patience of a Buddhist monk. Or a whole bunch of GPUs...
AES is painfully slow to crack. (Wut? they didn't make it easy???)
"Secondarily, I do have access to an compute cluster..."
-- As always, Google is your friend. Don't reinvent the wheel...
http://openwall.info/wiki/john/parallelization
http://louwrentius.com/blog/2011/02/parallel-/-distributed-password-cracking-with-john-the-ripper-and-mpi/
http://www.youtube.com/watch?v=92aOeQ0o6J0
Instead of "Cluster" search for "Parallelization" or "Distributed"
When your cluster is working, let me know: I'll be interested on some benchmark.
I have myself a cluster of 1 working very well. :P
Hey admin,
ReplyDeleteI'm having troubles at part 3 when I type: "make clean macosx-x86-64"
It says:
make clean macosx-x86-64
make: *** No rule to make target `clean'. Stop.
I read about OpenMPI, is it this? what should i do?
OS X .7.5
JTR 1.8.0
Also at part 1.b) i dont have (below) in my file. Is it because i'm in 1.8.0 and your tutorial is 1.7.9 ?
## Uncomment the TWO lines below for MPI (can be used together with OMP as well)
## If you experience problems with MPI_Barrier, remove -DJOHN_MPI_BARRIER
## If you experience problems with MPI_Abort, remove -DJOHN_MPI_ABORT
##CC = mpicc -DHAVE_MPI -DJOHN_MPI_BARRIER -DJOHN_MPI_ABORT
##MPIOBJ = john-mpi.o
Thanks.
I have reproduced your error on 10.7.5 with JTR 1.8.0
DeleteFor the Lolz's sake, could you copy your *entire command line* and post it please?
Let's see what is funny :-)
ReplyDeleteLast login: Tue Aug 6 19:01:27 on ttys000
MacBook-Pro-de-name:~ name$ /john
-bash: /john: is a directory
MacBook-Pro-de-name:~ name$ /src
-bash: /src: No such file or directory
MacBook-Pro-de-Victor-le-Breton:~ name$ make clean macosx-x86-64
make: *** No rule to make target `clean'. Stop.
MacBook-Pro-de-name:~ name$
That's funny:
DeleteMacBook-Pro-de-name:~ name$ /src
-bash: /src: No such file or directory
That's hilarious:
MacBook-Pro-de-Victor-le-Breton:~ name$ make clean macosx-x86-64
make: *** No rule to make target `clean'. Stop.
The issue with terminal is that it does EXACTLY what you are asking for terminal to do, and not what you EXPECT terminal to do.
You are *almost* there...so close ....
I'll let you dig a little, and that's for your own good.
Oops yeah i missed here,
ReplyDeleteYesterday i did it the "right way", like this, but still getting the probleme
Last login: Tue Aug 6 19:05:43 on ttys000
MacBook-Pro-de-name:~ name$ /john/src
-bash: /john/src: is a directory
MacBook-Pro-de-name:~ name$ make clean macosx-x86-64
make: *** No rule to make target `clean'. Stop.
MacBook-Pro-de-name:~ name$
Nope...
DeleteStill the same error on your side ....
Ok i got it, I remember at first i wrote the "cd" but i didnt work
ReplyDeleteNow it did,
I'll continue alone for now.
Just about the multi core optimisation, do you confirm that you cant find this in part 1b) ?
## Uncomment the TWO lines below for MPI (can be used together with OMP as well)
## If you experience problems with MPI_Barrier, remove -DJOHN_MPI_BARRIER
## If you experience problems with MPI_Abort, remove -DJOHN_MPI_ABORT
##CC = mpicc -DHAVE_MPI -DJOHN_MPI_BARRIER -DJOHN_MPI_ABORT
##MPIOBJ = john-mpi.o
"Ok i got it, I remember at first i wrote the "cd" but i didnt work
DeleteNow it did"
-- Yeah, right ... ;)
# Mac OS X (llvm-gcc) with OpenMP
OMPFLAGS = -fopenmp -D_FORTIFY_SOURCE=0
Ok thank you, what should i type then to use both cores?
ReplyDeletempirun -np 2 ./john --test=10 doesn't work : -bash: mpirun: command not found
Also ( :-S ) when i want to try with the classical method, i have this issue:
./john /Users/name/Desktop/password.7z
No password hashes loaded (see FAQ)
So i go to FAQ, there I See that i have to "unshadow" my file.
umask 077
unshadow /Users/name/Desktop/password.7z
-bash: unshadow: command not found
Any hint? :-)
Finally. About the word list. I'm interested in Crackium but:
- Is it compressed for the download?
- Is it the same list for KissMac and casual password cracking?
- Does it support wep/wap AND WAP2 ?
Das thank you ;-)
what should i type then to use both cores?"
Delete./john --test=10
"./john /Users/name/Desktop/password.7z"
password.7z is (most likely) a compressed file. Does it contain any hashes???? have you tried to unzip it?
Crackium
yes, compressed. As indicated.
KissMAC --> KisMAC , yes. it can be used for both. Or also for JTR. And Crowbar. Or also for Hashcat. As indicated too...
"Does it support wep/wap AND WAP2 ?"
WAP --> WPA (WAP is an old phone protocol)
Yes for WPA, WPA2, and all the other WPA's WPA AES, TPIK, and brothers
WEP: yes, too, but why the phoque would you use a Wordlist on WEP?
WEP: yes, too, but why the phoque would you use a Wordlist on WEP? => Just asking :)
ReplyDeleteI know it is a compressed file, but it is the file that has the password.
I asked a friend to a file with a password, he sent me a .7z (even if i asked for .zip, anyway)
Sorry but i'd say i'm a newbie. hashes? :-S
"Sorry but i'd say i'm a newbie"
ReplyDeleteNo, you did not. But it was understood.
As for your questions, previous and present:
Have you considered a KisMAC school session? Seriously considered it? For your own good?
- Yes. -> Good, you'll save a great amount of time, effort and pain.
- No. -> You are going to suffer. It's going to take a very long time...
"I'd say" => I would say
ReplyDeleteWhy a KisMac Session?
JTR Can't crack a .7z ?
I don't see the link with KisMac and JTR.
ReplyDeleteKisMac is for Wifi only no?
Also, yes I don't know what are hashes, yes the "unshadow" is not working for me. If I post here it is because I need some help.
If you don't want to help me, just tell me I'll leave.
Victor,
DeleteI am a bit late on this one, but by now, you know that the password has been found by Rich: alohomora (password.7z)
What you may have missed is:
1) the password that you were looking for was in *clear* in the Master_Passwords wordlist
2) you could have also limited your keyspace to 9ch only, hence cracking it in less than 50 seconds.
Crackium
ReplyDeleteyes, compressed. As indicated.
KissMAC --> KisMAC , yes. it can be used for both. Or also for JTR. And Crowbar. Or also for Hashcat. As indicated too.....!
Sorry, but what are we talking about here?
DeleteHey Admin,
ReplyDeleteI have been trying to install John the Ripper for a while now, to no avail. I have had a few errors along the way and have managed to solve most of them, except for one. I have solved an issue regarding gcc & Xcode, and now I'm just left with this one error, which has completely stumped me:
ld: symbol(s) not found for architecture x86_64
collect2: error: ld returned 1 exit status
make[1]: *** [../run/john] Error 1
make: *** [macosx-x86-64] Error 2
I've done a bit of googling and this error seems fairly common, however it seems that many problems can cause it. I've trying pretty much all of the solution to that above error and yet still so luck. However if I Scroll further up in the terminal window, there is another error which seems pretty unique to me:
ld: warning: ignoring file /usr/local/ssl/lib/libssl.a, file was built for archive which is not the architecture being linked (x86_64): /usr/local/ssl/lib/libssl.a
ld: warning: ignoring file /usr/local/ssl/lib/libcrypto.a, file was built for archive which is not the architecture being linked (x86_64): /usr/local/ssl/lib/libcrypto.a
Undefined symbols for architecture x86_64:
Those lines tell me that theres something wrong with OpenSSL, thus I have tried to Update, Reinstall and Remove OpenSSL to no avail. At this stage I am completely lost and have no idea where to continue from.
Thanks for the help,
Tom
OS: OS X Mavericks 10.9.4
JTR: 1.7.9 Jumbo 7
Hi Tom,
DeleteI am currently traveling in Europe, I'll get back to you in a few days.
Hi Admin,
ReplyDeleteAfter almost pulling out my hair from frustration, I gave up and decided to come back the next day. I was certain that it was a problem with OpenSSL so I did a bit of Googling and it turns out that I had reinstalled OpenSSL in the wrong spot; so I installed it in the correct spot this time and then John finally installed. Anyway, thank you for the wonderful article.
Tom
--> OS: OS X Mavericks 10.9.4 JTR: 1.7.9 Jumbo 7
DeleteTom,
You should try the Bleeding jumbo version, especially if you want to use your GPU with JTR. Also, installing homebrew can help.
Without going into many details, double check with lists.openwall. The guy named Magnum is *the* reference when you have an install issue.
There is also an Help secton specifically for OS X.
TTYL
Hi!
ReplyDeleteI'm trying to compile JTR against macosx-x86-64
But i have next error:
ld: library not found for -lgomp
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [../run/john] Error 1
JTR - john-1.7.9-jumbo-7
MacOS - 10.9.4
Thnx
Hi,
DeleteTry a newer version of JTR, i.e a bleeding jumbo.
Clang: try Homebrew instead.
Lastly, double check the Readme files, specifically the install section on OS X.
Mine is working fine on 10.9.4 [macosx-x86-64-opencl]
Hi Admin, Got my john installed but I am truly new to this. My password is for a DMG file. it is a date between the years 2009 - 2012
ReplyDelete6 or 8 digits (only digits). where do I start now?
thanks
The only thing not specified in clear is that you'll have to extract the hash from the DMG with dmg2John.py
DeleteAfter that, reading the "John The Ripper Commands and examples" in this very article and the JTR documentation are a prerequisite.
I downloaded JTR but in the RUN folder I don't have John's archive, What can i do?
ReplyDeletePlease, re-read the install tutorial
DeleteHi Admin.
ReplyDeleteI'm trying to run JTR from the word list available on your tutorial, but i can't figure out my problem. I'm trying to run JTR but nothing.
My command is ./john --session=linkedin --wordlist=/Users/MYNAME/Desktop/john/run/wordlist.txt --format=raw-sha1-linkedin I got an error with" Password files required, but none specified". Can you please help me?
Path to hash file missing. what file or password do you want to crack?
ReplyDeleteYou're welcome. please don;t hesitate to ask a question again.
Deletesorry for all the posts.. you might as well just delete them :(
ReplyDeletetried instructions here:
https://wiki.openssl.org/index.php/Compilation_and_Installation#Mac
and here:
http://apple.stackexchange.com/questions/208848/install-john-the-ripper-jumbo
and of course the stuff on your page.
it seems to me el capitan sucks and the correct method is not the same as anything posted. can't find any 2015 instructions for compiling JtR.
i'm usually good at following instructions, but i don't know jack about all this sh*t, so when instructions don't work, the only thing i can do is ask people like you who know better.
hope you can delete previous comments, they're no longer needed (and if you can steer me somewhere with updated compile instructions that would be a bonus!)
thanks.
Hello,
Delete"I'm usually good at following instructions, but i don't know jack about all this sh*t, so when instructions don't work, the only thing i can do is ask people like you who know better."
- Knowing that you don't know is the first step at knowing something. ;-)
I have not installed JTR on El Cap. (yet)
There is an install readme.doc, double check it: I, myself, had to grind my face with a cheese grater because I overlooked that file.
Second solution, create a Bootable USB with a lower OS, i.e. Yosemite. then boot from that. If you end up with a CharlieFox (AKA ClusterF*k) you can always wipe it at no damage or cost ;-)
Third solution:
I would suggest that you refer to openwall.com and sign up for their user list "john-users"
Then ask your questions to the community, don't forget the please and thank you, and you shall receive an answer, most likely from Magnum.
Before asking, *show* that you have done your research: "pliz help, Iz not w0rking" wioth no info whatsoever is not well received. Don't forget to mention your OS build, as well as the Bleeding Jumbo build.
Good luck, and let me know.
[facepalm]
Delete...
thanks admin, followed the install readme and all is well, john is up and running.
for the record, i am using:
el crapitan 10.11.2
john 1.8.0.6 bleeding jumbo (64 bit intel build)
the johnny frontend also worked without issues after build was complete, just in case anyone was wondering :)
Welcome to my world :-)
Delete- for the 64 bit version: make clean macosx-x86-64 - then i get "make: *** No rule to make target `clean'. Stop." - what went wrong... did google around to try and solve this, but my limited terminal understanding made answers very hard to "decode"
ReplyDeletei downloaded the "John the Ripper 1.8.0 (sources, tar.gz, 5.2 MB) and its signature" file..
also when trying to follow your instructions on
"1a) Open TextWrangler
Look for the file /John/src/makefile and open it" there are 4 different makefile, and non of them contained what i was looking for
running os X 10.11 beta
What went wrong is: The example above is for 1.7.9 Jumbo 6.2, and you have 1.8.0
ReplyDeleteLook for the INSTALL file in (JTR directory)/DOC/INSTALL
ex:
Compiling the sources on a Unix-like system.
Enter the directory into which you extracted the source code
distribution of John. Enter the "src" subdirectory.
cd src
This version of Jumbo has autoconf - that is, it supports the very common
chain of:
./configure && make
You might want to add "-s" to make, for suppressing normal output and just
print warnings and errors. For a multi-core host you can also add eg. "-j4"
for using 4 cores in parallel when building. This can be written together,
as in:
./configure && make -sj4
if you want to install CUDA and GPU stuff, read the documentation files