Incremental Mode Cracking
John’s incremental mode uses “charset” files and john.conf directives to control what kinds of guesses it performs (and therefore how many guesses it makes and how long they will take to complete). John comes with several predefined incremental modes. We’ll start with those before we customize them to our needs.
For the following example, rename the john.pot file to something else so that we can crack the unix.txt passwords anew and then run a brute-force attack for passwords that have only lowercase alphabetical characters. By default, the mode tries all combinations between one and eight characters long.
$ mv john.pot john.pot.old
$ ./john --incremental=Alpha unix.txt
If we want to target a specific length, we can edit the john.conf file to add a new incremental mode. Each mode is a section named [Incremental:NAME], where NAME is what you pass to --incremental (Alpha5 below is just an example name). Add the following section:
[Incremental:Alpha5]
File = $JOHN/alpha.chr
MinLen = 5
MaxLen = 5
CharCount = 26
Look through the other incremental modes inside the john.conf file. We could choose to target guesses for eight-digit passwords (Digits8), or for seven-character passwords with uppercase, lowercase, numeric, and punctuation combinations (All7). Each of these modes uses a charset file that contains the seed characters to build guesses. John builds the charset file with statistical properties from an input file that contains the target characters. We can increase the power of a brute-force attack by adding more CPU resources; John tries to make the attack more efficient by trying more likely combinations first.
After you’ve built a large collection of cracked passwords, you may wish to create custom charset files that reflect the trends and characters of passwords people choose (or at least that you’ve observed in the cracked passwords). Create a new charset file with the --make-charset option. John reads the cracked passwords from its pot file to build the new charset. The following example creates a custom charset based on a pot file that I created on my own. You can omit the --pot option to use the john.pot file, or you can specify your own alternate pot file. My own pot file contained nine plaintexts and 50 unique characters.
$ ./john --make-charset=custom.chr --pot=test.pot
Loaded 9 plaintexts
Generating charsets... 1 2 3 4 5 6 7 8 DONE
Generating cracking order... DONE
Successfully written charset file: custom.chr (50 characters)
Then, we need to create a new mode to take advantage of the custom charset. The following mode (Custom8 is an example section name; it is what you pass to --incremental) would make guesses using the 50 characters from the charset:
[Incremental:Custom8]
File = $JOHN/custom.chr
MinLen = 8
MaxLen = 8
CharCount = 50
One of the things we’ll need to do to target “modern” passwords is modify John to consider password lengths longer than eight characters. (Such passwords are modern in the sense that web sites and apps routinely recommend long passwords on the order of 12 characters or more.) We need to edit the source code to make this adjustment.
It’s an easy change. If you’re comfortable with diff files (you read Chapter 1, right?), apply the following patch to the src directory:
diff a/john-1.7.9-jumbo-7/src/params.h b/john-1.7.9-jumbo-7/src/params.h
index e1672f4..93afaac 100644
@@ -276,7 +276,7 @@ extern int password_hash_thresholds[PASSWORD_HASH_SIZES];
#define CHARSET_MIN ‘ ‘
#define CHARSET_MAX 0x7E
#define CHARSET_SIZE (CHARSET_MAX – CHARSET_MIN + 1)
-#define CHARSET_LENGTH 8
+#define CHARSET_LENGTH 19
* Compiler parameters.
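Review bot: the patch as shown has no "--- a/john-1.7.9-jumbo-7/src/params.h" / "+++ b/john-1.7.9-jumbo-7/src/params.h" file-header lines after the index line, so patch will not know which file the hunk belongs to; since the text says to apply it from the src directory, either restore those two lines and run patch with -p3 (stripping a/, john-1.7.9-jumbo-7/ and src/) or pass params.h as the file to patch explicitly. The context line "#define CHARSET_MIN ‘ ‘" shows curly quotes where the real header has ASCII single quotes, so the context will not match if copied verbatim. Finally, the new value in "+#define CHARSET_LENGTH 19" is a bare number; a short comment on that line saying that existing .chr files must be regenerated after changing it would spare the reader a trip back to the prose.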
Or, just increase the CHARSET_LENGTH in the params.h file to the value you desire. Keep in mind that a complete brute force of 19-character password combinations is infeasible, but it is useful for wordlists and custom charset files with limited character counts. Recompile John after you’ve made the change. (Run a make clean command to make sure your changes are in the new binary.)
After you’ve rebuilt John you’ll need to regenerate the charset files so that they match the increased length. Use the --make-charset option as described previously.
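As an added example (not code from the chapter or from John itself), the following Python script does the bookkeeping around the custom-charset and length steps above: it pulls the plaintexts out of a pot file in john.pot layout, counts the unique characters (the CharCount John reports and that you put in the mode definition), renders the [Incremental:NAME] section, refuses a MaxLen beyond the compiled CHARSET_LENGTH, and sizes the keyspace for the Alpha, 50-character and 19-character cases. The pot contents, the section name Custom8 and the 10 million guesses per second rate are constructed assumptions.

```python
# Constructed pot-file content in john.pot layout (hash:plaintext); the hashes
# are fake placeholders, not real cracks.
SAMPLE_POT = """\
$1$fakesalt$FAKEHASHFAKEHASHFAKEHA:Summer2013!
$1$fakesalt$FAKEHASHFAKEHASHFAKEHB:p@ssw0rd
00000000000000000000000000000000:password
$6$fakesalt$FAKEHASHFAKEHASHFAKEHC:correct horse
"""

def pot_plaintexts(pot_text):
    """Plaintext after the first ':' of each line (assumes no ':' in the hash)."""
    return [line.split(":", 1)[1] for line in pot_text.splitlines() if line.strip()]

def charset_stats(plains):
    """(unique character count, longest plaintext); the count is John's CharCount."""
    return len(set("".join(plains))), max(len(p) for p in plains)

def incremental_section(name, chr_file, min_len, max_len, char_count, charset_length=8):
    """Render a john.conf [Incremental:NAME] section; MaxLen may not exceed the
    compiled CHARSET_LENGTH (8 in a stock build, 19 after the params.h change)."""
    if max_len > charset_length:
        raise ValueError(f"MaxLen {max_len} exceeds CHARSET_LENGTH {charset_length}")
    return (f"[Incremental:{name}]\nFile = $JOHN/{chr_file}\n"
            f"MinLen = {min_len}\nMaxLen = {max_len}\nCharCount = {char_count}\n")

def keyspace(char_count, min_len, max_len):
    """Candidates the mode can produce: sum of char_count**n over the length range."""
    return sum(char_count ** n for n in range(min_len, max_len + 1))

def years_to_exhaust(char_count, min_len, max_len, guesses_per_sec):
    """Worst-case years to run the whole keyspace at an assumed constant rate."""
    return keyspace(char_count, min_len, max_len) / guesses_per_sec / (365 * 86400)

if __name__ == "__main__":
    plains = pot_plaintexts(SAMPLE_POT)
    count, longest = charset_stats(plains)
    print(f"{len(plains)} plaintexts, {count} unique characters, longest {longest}")
    print(incremental_section("Custom8", "custom.chr", 8, 8, count))
    rate = 10_000_000  # assumed 10 million guesses/s for a fast unsalted hash
    for label, args in [("Alpha, length 1-8", (26, 1, 8)),
                        ("50 chars, length 8", (50, 8, 8)),
                        ("50 chars, length 19", (50, 19, 19))]:
        print(f"{label}: {keyspace(*args):.3e} candidates, "
              f"{years_to_exhaust(*args, rate):.2e} years at {rate:,} c/s")
```

The keyspace figures are what make the chapter's remark concrete: Alpha over lengths 1 to 8 is about 2.2e11 candidates, while 50 characters at length 19 is about 1.9e32, which no guess rate brings into reach.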