These examples are to give you some tips on what John's features can be
used for. Some of them may not be obvious, I'm sorry if others are, but
anyway, I just got tired of answering questions.

Command Line
-------------

1. First, you need to get a copy of your password file. If you've got shadow
passwords, then (as root):

    unshadow /etc/passwd /etc/shadow > passwd.1

or similar should do (replace the filenames as needed, and make sure that
your combined password file isn't readable by others). Otherwise, just:

    cp /etc/passwd passwd.1

If you're going to crack AFS or NT passwords, then use 'unafs' or Jeremy
Allison's PWDump (ftp://samba.anu.edu.au/pub/samba/pwdump/), respectively.
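
One way to make sure the combined file is never readable by others, as an
added example that is not part of the John distribution. The helper names
make_private and is_private are hypothetical.

```shell
# Added example (not from the John distribution). make_private and is_private
# are hypothetical helper names; 'unshadow' is the tool named above.

# is_private FILE: succeed only if FILE is a regular file with no group or
# other permission bits (columns 5-10 of the ls mode string must be "------").
is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# make_private OUT CMD [ARGS...]: run CMD with its output in OUT, created 0600.
# A plain '>' keeps the mode of an existing file, so a stale world-readable
# OUT is removed first; noclobber (set -C) then makes the redirect fail
# rather than write into a file someone else re-created in the meantime.
make_private() {
    out=$1
    shift
    (
        umask 077
        rm -f -- "$out"
        set -C
        "$@" > "$out"
    ) && is_private "$out"
}

# Usage, as root:
#   make_private passwd.1 unshadow /etc/passwd /etc/shadow
```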

2. Assume you just got a password file, 'passwd.1', and want to crack it.
The simplest way is to use the default order of cracking modes:

    john passwd.1

This will try "single crack" mode first, then use a wordlist with rules,
and finally go for incremental mode. Read doc/MODES for more information
on these modes.

It is highly recommended that you obtain a larger wordlist, and edit the
'Wordfile =' line in ~/john.ini before running John.

3. Now, you've got some passwords cracked, and they are saved in ~/john.pot.
You want to retrieve them:

    john -show passwd.1

If the account list gets large and doesn't fit on the screen, you can, of
course, use output redirection. (There's intentionally no example here; a
few people have asked for one, but they shouldn't be using John anyway.)

Now, you may notice that many accounts have a disabled shell. You can make
John ignore these (assume that shell is called '/etc/expired'):

    john -show -shells:-/etc/expired passwd.1

or, shorter, but will also match '/any/path/expired':

    john -show -shells:-expired passwd.1

or, if you also want to ignore some other shell, say '/etc/newuser':

    john -show -shells:-expired,newuser passwd.1

(Note: the above syntax has changed since version 1.4 so that it's more
logical and shorter to type.)

    john -makechars:all.chr
    john -makechars:alpha.chr -external:filter_alpha
    john -makechars:digits.chr -external:filter_digits
    john -makechars:lanman.chr -external:filter_lanman

In the example above, John will overwrite the charset files with new ones
that are based on your entire ~/john.pot (John uses the entire file if you
don't specify any password files). Note that the word filters used here
are pre-defined in ~/john.ini supplied with John, for your convenience.

8. Finally, you might want to mail all the users who got weak passwords,
to tell them to change the passwords. It's not always a good idea though
(unfortunately, lots of people seem to ignore such mail, it can be used
as a hint for crackers, etc.), but anyway, I'll assume you know what you're
doing. Edit the 'mailer' script supplied with John: the message it sends,
and possibly the mail command (especially if the password file is from a
different box than the one you've got John running on). Then run:

    mailer passwd.1

Configuration File
-------------------

1. Assume you notice that in some password file a lot of users have their
passwords set to login names with '?!' appended. Then you just make a new
"single crack" mode rule (see doc/RULES for information on the syntax),
and place it somewhere near the beginning:

    [List.Rules:Single]
    $?$!

Hint: if you want to temporarily comment out all the default rules, you
can simply rename the section to something John doesn't use, and define
a new one with the section's old name, but be sure to leave the 'list.'
part of the name, so that you don't get a parse error.

All the same applies to the wordlist rules also.

2. If you generate a custom charset file (described above) you will also
need to define a ~/john.ini section with the incremental mode parameters.
In the simplest case it will be like this (where 'Custom' can be replaced
with any name you like):

    [Incremental:Custom]
    File = custom.chr

This will make John use only the characters that were in the passwords used
to generate the charset file. To make John try some more characters, add:

    Extra = !@#$%

These extra characters will then be added, but still considered the least
probable. If you want to make sure that, with your extra characters, John
will try all the 95 characters, you can add:

    CharCount = 95

This will make John print a warning if it has fewer than 95 characters
in its charset.

You can also use CharCount to limit the number of different characters
that John tries, even if the charset file has more:

    CharCount = 25

If you didn't use any filters when generating the charset file, setting
CharCount that low will most likely disable some rare characters, and make
John try complicated long passwords earlier. However, the default length
switching is usually smart enough so that you shouldn't need such a trick.

To make John try passwords of some lengths only, use the following lines:

    MinLen = 6
    MaxLen = 8

Setting 'MinLen' high, as in the example above, is reasonable if shorter
passwords weren't allowed to be set on the machine you got the password file
from (however, note that root can usually set any password for any user).
On the contrary, you might want to set 'MaxLen' low if you think there are
a lot of short passwords.

3. Another example: a lot of users at some site use short duplicated words
as their passwords, such as "fredfred". As the number of such potential
passwords is fairly low, it makes sense to code a new external cracking
mode that tries them all, up to some length.

You can find the actual implementation of such a cracking mode with lots
of comments in the default ~/john.ini supplied with John. See doc/EXTERNAL
for information on the language used.
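
The two habits described in items 1 and 3 above (login name with '?!'
appended, and a duplicated word) can also be refused when a password is
chosen. The following is an added example, not code from John or its
john.ini; weak_pattern is a hypothetical helper, it assumes ASCII input, and
it goes slightly beyond the text by accepting any suffix of up to three
non-alphanumeric characters and by ignoring letter case.

```shell
# Added example; weak_pattern and lc are hypothetical helpers, not part of John.
# ASCII input is assumed (lengths and cut -c are counted in bytes).

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# weak_pattern LOGIN PASSWORD
# Prints the reason and returns 0 when PASSWORD follows one of the two habits
# described above; prints nothing and returns 1 otherwise.
weak_pattern() {
    login=$(lc "$1")
    pw=$(lc "$2")

    # Habit 1: the login name followed by at most three characters that are
    # neither letters nor digits, e.g. "fred?!" (or the bare login name).
    if [ -n "$login" ]; then
        case $pw in
            "$login"*)
                rest=${pw#"$login"}
                case $rest in
                    *[a-z0-9]*) ;;
                    *)  if [ "${#rest}" -le 3 ]; then
                            echo "login+suffix"
                            return 0
                        fi ;;
                esac ;;
        esac
    fi

    # Habit 2: one word written twice, e.g. "fredfred".
    n=${#pw}
    if [ "$n" -ge 2 ] && [ $((n % 2)) -eq 0 ]; then
        half=$((n / 2))
        first=$(printf '%s' "$pw" | cut -c1-"$half")
        if [ "$pw" = "$first$first" ]; then
            echo "doubled-word"
            return 0
        fi
    fi
    return 1
}
```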