Using Feedback for Efficient Cracking
We addressed the concepts of power and efficiency as they relate to password cracking at the beginning of this section. Power represents the speed at which a cracker can generate guesses. A cracker will ultimately succeed with a brute-force attack that tries every possible guess; the catch is that producing every guess may be computationally infeasible for large character sets and long password lengths. Efficiency represents the cracker’s likelihood of generating successful guesses sooner rather than later, but those guesses are based on assumptions whose relevance is difficult to measure.
We can apply several tricks that take advantage of John’s successful guesses in order to make new guesses more likely to be successful. Use the following examples as a departure point for your own innovations and methodologies for password cracking. Each specific step will produce different rates of success for different password targets, but the concepts will help you in the long run.
One trick is to reuse cracked passwords as input for wordlist rules. This helps find passwords that users build from patterns other users have already followed. For example, one user’s password might (unwittingly) be the seed for another user’s password, who merely added a number at the beginning of the word or appended the domain name of a web site at the end. The following commands show how to extract cracked passwords from a john.pot file and use them as a basis for building charset and stats files:
$ ./john --make-charset=guesses.chr --pot=john.pot
Loaded 34977 plaintexts
Generating charsets... 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 DONE
Generating cracking order... DONE
Successfully written charset file: guesses.chr (89 characters)
$ cut -d':' -f2- john.pot | sort -u > guesses.txt
$ ./john --wordlist=guesses.txt --rules=AHT4 unix.txt
$ ./calc_stat guesses.txt guesses.stats
$ cp stats orig.stats
$ cp guesses.stats stats
$ ./john --markov=300:0:0:1-10 unix.txt
Then, you can take any new passwords identified from the previous run and repeat the step. For example, the following command extracts all guesses from the john.pot file, sorts them, ignores any strings already found from the previously generated guesses.txt file, and saves the new ones in new_guesses.txt. (The key part is the grep command; use -v to reject matches, -F to treat strings as literals instead of patterns, and -f to load strings from a file.)
$ cut -d':' -f2- john.pot | sort -u | grep -v -F -f guesses.txt > new_guesses.txt
Then, you could use the new_guesses.txt file as a wordlist for another round of guessing. You can repeat these steps with variations that focus on a specific word length, then increase the word length one character at a time. Also pay attention to the kinds of passwords you discover. It’s a good bet that you’ll notice certain patterns, like the presence of numbers (such as years, or “magic” numbers like 42, 666, 24601, 90210), domain names, short words (“my,” “this,” “for”), and cusswords (come on, you know what these are). Build rules to reflect what you think are likely mutations for a word list. For example, the following rules tend to be very successful with wordlists:
After a while you’ll have built a john.pot file from which you can generate charsets and stats files that produce successful first passes against new passwords.
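The feedback loop above (extract plaintexts from john.pot, drop the ones already in the previous wordlist, and tally the kinds of mutations the cracked passwords show) as an added Python example; this is not code from the book or from John the Ripper, and the pot lines, the previous wordlist and the pattern set are constructed here for illustration:

```python
import re
from collections import Counter

# Constructed sample of john.pot lines (hash:plaintext); not real cracked data.
POT_LINES = """\
$1$abc$xyz:Summer2019
$1$def$uvw:2Summer2019
$1$ghi$rst:password
$1$jkl$opq:password@example.com
$1$mno$lmn:pa:ss
$1$pqr$ijk:Summer2019
"""

def pot_plaintexts(pot_text):
    """Unique plaintexts from john.pot text. Only the first ':' separates hash
    from plaintext; later colons belong to the password, like cut -d':' -f2-."""
    seen = set()
    for line in pot_text.splitlines():
        if ":" in line:
            seen.add(line.split(":", 1)[1])
    return seen

def new_guesses(pot_text, previous_wordlist):
    """Plaintexts not already in the previous round's wordlist (exact match,
    unlike grep -v -F -f, which drops any line merely containing an old guess)."""
    return sorted(pot_plaintexts(pot_text) - set(previous_wordlist))

# Hypothetical mutation patterns to watch for in cracked passwords.
PATTERNS = {
    "leading_digits": re.compile(r"^\d+"),
    "trailing_digits": re.compile(r"\d+$"),
    "year": re.compile(r"(19|20)\d\d"),
    "domain": re.compile(r"@?[\w-]+\.(com|net|org)$"),
}

def pattern_counts(words):
    """Count how many cracked passwords exhibit each mutation pattern; the
    most frequent ones are the candidates for new wordlist rules."""
    counts = Counter()
    for word in words:
        for name, regex in PATTERNS.items():
            if regex.search(word):
                counts[name] += 1
    return counts

if __name__ == "__main__":
    previous = ["password", "Summer2019"]  # constructed guesses.txt from round one
    print(new_guesses(POT_LINES, previous))
    print(pattern_counts(pot_plaintexts(POT_LINES)))
```

Because grep -F without -x matches substrings, the shell pipeline on this page would also discard 2Summer2019 when Summer2019 is in guesses.txt; the exact-match version here keeps such derived passwords, which are exactly the ones worth feeding back.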