John The Ripper Tutorial, Examples and Optimization

Mac Tips and "How To" On a Mac: John The Ripper Tutorial, Examples and Optimization http://easymactips.blogspot.com/2012/09/john-ripper-tutorial-examples-and.
html
MA C TIPS A ND "HOW TO" ON A M A C

A F T E R 2 0 + Y E A R S O N W I N D O W S A N D P C , I T T O O K M E 2 D A Y S O N A MA C T O R E A L I Z E T H A T I W A ST E D 2 0 Y E A R S O F M Y L I F E O N W I N D O W S. B U M M E R .
K ALI APP MA KES THEM WORK TH E H IG H ES T F O RM O F I GNO R A NC E I S WH E N YO U RE J EC T SO ME TH IN G Y O U D O N' T KN O W A NY TH I NG A B O U T.
Wayne Dyer (b 1940)
John The Ripper Tutorial, Examples and Optimization

Suka Jadilah orang pertama di antara teman-teman yang menyukai ini.
John The Ripper Mac Installation, Tutorial and Optimization
A while ago, I wrote this tutorial on how to install the simple version (pre-compiled) of John The Ripper on a Mac
It's now time to optimize John. Why? it's working!
Yes, it's working, but can you make it work much better?
John The Ripper, AKA John/JTR is the extreme opposite of intuitive, and unless you are an UberGeek, you've probably missed out few subtleties.
Secondly, John The Ripper is a bit like a Muscle Car delivered from the factory with the "Eco" settings enabled by default. If you want the "Muscle", you'll have to open the hood. Once done, you'll get more muscle than you can
DONATE
probably chew on.
Subtleties?
Well, for a start, the precompiled version on OSX does not use all cores, the "compiled on site" can ...
So if you have a quad-core, you'll make a 196% speed improvement, and that's only on raw benchmark.
The default password list is absolute crap, and the configuration could use a few improvements.
When you'll start playing just with those 2, the result(s) could be as shown below.
3 9. 8 M I LL IO N P M K' S / S EC O ND
Deemed worth reading?

Ok?
Let's install it ...

Precomputed Tables: 2.75 million % faster than Aircrack
1- You'll need Xcode, if not already installed, download it , it's free.
B LOG AR CHIVE Open App Store, search XCode, download and install.
The install is going to take some time....
2012 (2)
If you wonder if you have Xcode installed, just open terminal and type gcc
September (1)
John The Ripper Tutorial, Examples and Optimizati...
August (1)
2011 (26)
2010 (11)
2009 (31)
The "no input file" is a good sign. Otherwise, install it.
2007 (1)
2000 (1) 1a- If you do not wish to install Xcode, you can always refer to here, but be kindly warned that you'll have a "less effectiv e" version of JTR.
1990 (3)
2- Grab a copy of the latest John The Ripper @ http://www.openwall.com/john/
1 of 17 9/15/2013 9:18 AM
Mac Tips and "How To" On a Mac: John The Ripper Tutorial, Examples and Optimization http://easymactips.blogspot.com/2012/09/john-ripper-tutorial-examples-and.html
look for the community enhanced version (more patches), as of today, it's the john 1.7.9 jumbo 6 2.
2a - While patiently looking at your download screen, grab a free copy of TextWrangler, not the truncated App Store Version, The full one from BareBones and install, you'll thank me later.
3- Xcode and TextWrangler have been installed, John has been downloaded, refreshments have been served.
4- Go to your "Download" directory and look for John 1.7.9.jumbo 6 tar.gz, or whatever you have downloaded, and double click on it, it will decompress it.
5- You have now a directory called John "something"

Please replace "something" in your head by the appropriate designation, i.e "John-1.7.9-jumbo 6 2"
6-Create a folder,and name it "John" anywhere on you Mac, but, recommended, that you either create it in "Macintosh HD" or your home folder, i.e ~/"myname".
Please, don't use the quotes for "John". Just John. ( Somebody is going to create a "Just john", that's guaranteed, and if you do, you will be flamed. Guaranteed too)
7- Copy all folders & files contained in "John-1.7.9-jumbo 6 2" into the newly created John folder. Only the contents, no need to copy the John-1.7.9-jumbo 6 2 folder too. If you do, you'll have to type a very long command line.
8- You have now a folder named John, with in it the 5 items as shown above.
Unfortunately, now is the time to make a choice...
Das Kompilation!
You'll have to make a choice, roughly between 32 bit, or 64 bit

64 bit seems the choice, no? Hold your horses!
One little thing: as of now, Aug 2012, when cracking pure raw-sha1(i.e Linkedin) the 32-bit is a bit faster. (no pun intended)
For generic use, select "64 bit", for Raw-Sha1 only, go for the 32 bit sse2.
The difference is not that extreme, and lastly, the 64bit version accepts Wordlists larger than 2GB.
For UberGeeks, well... install both. Your humble servant has 3 versions (for research purpose only, I am not geeking, 2 of them will be deleted soon)
- JTR is the Mac OSX pre-built

- JTR32 is the 32bit
R ET WE ET T H IS B L O G - JTR64 is ... well, you've guessed by now.
View stats
So, make a choice (hint: 64 bit) and we'll start...
FOLLOW BY EMAIL 1) Open Terminal and go to the "src" folder of John, by typing
cd /john/src If you have placed john somewhere else, then go there...
1a) Second choice to make:

Please read carefully as it trapped me the first time:
L O O KI NG F O R S O M ET H IN G?
JtR runs natively on one core.
You can safely run 2, or more instances on JtR at the same time, for instance one instance running a set of rules and the other instance running something else.
S EA RC H T H IS B L O G
But you can also ask John to run on all cores. On Mac it's called "mpirun"
mpirun has to be enabled in the Makefile before compiling.
I highly suggest to do so, as it enable both parallel and multicore.
In order to do so:
C OOL FR EE A P P LICA TIONS FOR M A C
All Listed below ar e Free unless stated otherwise 1a) Open TextWrangler
(You may want to consider a little donation to the author(s) Look for the file /John/src/makefile and open it
1b) Search for the following paragraph:

AN XIET Y
## Uncomment the TWO lines below for MPI (can be used together with OMP as well)
## If you experience problems with MPI_Barrier, remove -DJOHN_MPI_BARRIER
## If you experience problems with MPI_Abort, remove -DJOHN_MPI_ABORT
##CC = mpicc -DHAVE_MPI -DJOHN_MPI_BARRIER -DJOHN_MPI_ABORT
##MPIOBJ = john-mpi.o
1c) Un-comment the 2 last line, (remove the ##)
2 of 17 9/15/2013 9:18 AM
1d) Save
2) Decide if you wish or will attempt to Bruteforce longer than 8ch long passwords. If you don't know, don't touch it now and come back later.
If you do not want to change the max bruteforce length, Skip to directly to part 3)
Before going bonkers, read the "Bruteforcing Speed" part below, take a look at the ETA, and you'll realize that attempting a 20ch Keyspace is not really feasible.
Done reading?
Ok, Here is how you can force JtR to Bruteforce longer than 8ch long.
Superlight interface to check all your tasks

2a) Open TextWrangler
Look for the file params.h in /John/src and open it
AP P CL EA NER . In that file, look for the section:

#define CHARSET_MIN ' '
#define CHARSET_MAX 0x7E
#define CHARSET_SIZE (CHARSET_MAX - CHARSET_MIN + 1)
#define CHARSET_LENGTH 8
Clean thoroughly & uninstall easly 2b) Change the 8 into what you want, i.e 15 or 30.
#define CHARSET_MIN ' '
#define CHARSET_MAX 0x7E
#define CHARSET_SIZE (CHARSET_MAX - CHARSET_MIN + 1)
#define CHARSET_LENGTH 15
Warning: There are spaces and tabs, don't replace them by "spaces"
Use the Show Invisible in Text Wrangler.
2c) Save the file params.h and go to part 3) compilation.

Once the compilation is done, Go to "Charset making "for the final part. (did I mention that you'll have to go under the hood?)
We can now start the compilation. In /John/src

B U NCH O' FR EE A P P
3) In /John/src, type exactly, or copy/paste
- for the 32 bit version: make clean macosx-x86-sse2
- for the 64 bit version: make clean macosx-x86-64
Hit "Return" and plenty of things will appear on terminal screen, don't panic.
While waiting, and for the curious, you can open the file "makefile" with textwrangler and look at all the options, just in case you want to install JTR on a PowerPC Mac
The compile options look like:
@echo "macosx-x86-64 Mac OS X 10.5+, Xcode 3.0+, x86-64 with SSE2 (best)"
@echo "macosx-x86-64-opencl Mac OS X 10.5+, Xcode 3.0+, x86-64 with SSE2, OpenCL support"
@echo "macosx-x86-sse2 Mac OS X, x86 with SSE2"
@echo "macosx-ppc64 Mac OS X 10.4+, PowerPC 64-bit"
@echo "macosx-universal Mac OS X, Universal Binary (x86 + x86-64 + PPC)"
You'll also find all Linux options, just in case ....

C A M OU FL A G E
4) Now that the install is done, test it by typing

cd /john/run
./john
Warning: the ./ are mandatory and you must be in the proper /run directory
If you try "john" as is, you'll receive an error.
You should see the short help for John The Ripper
Camouflage Hides your Icons in a Click
S A V EC IR CL E
If you see something like that:

bash: ./john: No such file or directory
3 of 17 9/15/2013 9:18 AM
it means that, either: The compilation has failed, or, that you have not typed the proper path/command. In both case, retry or re-read the above. All of it: You've failed once and that's probably for a good reason: rtfm!
Das Optimization!
We're going to glide over few things rapidly, for a deeper look at what does what, there is a folder named "doc" , inside they have docs!. Yay!
1) John, by default, runs on one core only. If you have a single core, it's good news, otherwise not so much. So let's test it , and type
./john --test=10 --format=raw-sha1-linkedin
after 10 sec, you see something like:
Autosave Frontmost App. A Must Have Benchmarking: Raw SHA-1 LinkedIn [128/128 SSE2 4x]... DONE
Raw: 9540K c/s real, 9559K c/s virtual
MONOL INGUA L Now, let's try something else, type

mpirun -np 2 ./john --test=10 --format=raw-sha1-linkedin
And the results are:

Benchmarking: Raw SHA-1 LinkedIn [128/128 SSE2 4x]... (2xMPI) DONE
Raw: 17655K c/s real, 18923K c/s virtual
This time, we were twice as fast. Yup! 2 cores. So if you have a quad core, try the "mpirun -np 4". (yes, Mr Trae, that's why your quadcore is apparently slower than my dual)
john.conf
2) Open Textwrangler app, and look for a file named john.conf in /john/run
open that file and make right away a backup, that you will intelligently call "backup_john.conf".
In this john.conf, you'll find roughly 2 types of configuration: General config and Rules config.
For instance look at the line:
Remove unused languages and free up to 5 Gb of space
# Use idle cycles only
Idle = Y
FOLL OWE RS it means that John will only use the CPU power left Vs. requesting full power, hence you could (should) switch it to "No"
# Use idle cycles only
Idle = N
with Google Friend Connect
Members (46) More Look at the other options and choose what you want on/off. As a rule of thumb, don't finagle too much if you don't understand it, i.e trying funky settings such as [Incremental:All] MaxLen = 99
Still, you have a backup now, don't you? :) , so you can play a little...
2a) As we are going to talk about Wordlist, think about that line:
# Wordlist file name, to be used in batch mode
Wordlist = $JOHN/password.lst
Already a member? Sign in
the default wordlist in John is password.lst , and is crap. Using this wordlist will not take you far at all.
2b) if you have changed the name of the main directory for John, i.e JTR, you should change the parameter to $JTR/password.lst
2c) ditto with the password.lst, if you use mydic.txt , then change it too.
the easiest way is simply to keep the name password.lst, or to use the --wordlist option
2d) Wordlist itself

As mentioned above, the default password.lst is crap. if your wish to run john for weeks on end, keep it. Otherwise, get this Wordlist
Here is why: on default mode , John will first try the wordlist "as is" , then mingle it with rules contained in John.conf under [List.Rules:SIngle] for "Single crack Mode"
Once done, it will switch to incremental mode, All alphanumerical characters. one by one.
Problem: You are now at day 3, and you are seeing 0.00% progress. Why?
Because you are trying all possible combinations of 1 to 8 ch long, over 95 possible characters. it's called the Keyspace and that number is 6,704,780,954,517,120
it simply means that you'll see progress at 0.00% for few weeks....See you in 3 months...
In John the default length is 8 max and that also mean that a 10 ch long password will not be (cannot be cracked for sure) by the "All" method alone unless you go under the hood as explained below.
Bruteforce is, generally, and should be considered as the last resort: it very slow to complete the whole keyspace.
To discourage you a bit more, look below for the speed table and the "Speed the Things Up"
So, the solution resides in: a) a very good Wordlist, b) better [Rules] AKA "iRules" and some "finesse"
For instance, most websites today requires at 6 to 8 characters, made of at least numbers and letters, and sometimes number(s), letters and signs.
Bad news: It's longer to crack
Good news: The brain size of the average human has NOT increased that much
Hence, before, the dummy would have used "password" as password. Now they use "p@ssw0r d" or "p@55w0rd" and, as usual, people use mostly "words", as proof of concept:
lov3b3ans | Syr4cu$e | C0mmitted | fuzzym0nkey |inth3loop | L1fel0ng , etc etc
So, you end up with 3 choices.

-1 Have a 50,000 terabytes wordlist, along with 25,000 external HDD
-2 Have the patience of a buddhist monk
-3 Have an excellent wordlist coupled with intelligent rule that permutes a for @, append numbers at the end of a word, i.e linkedin1980, etc ..
4 of 17 9/15/2013 9:18 AM
And your choice is? -3? Good answer!
If you have thought about a new cracking method, It's probably already in JtR. (Matt Weir) (quoted liberally)
John will try "as is" (rule= : ) [(not ;) or ;-)] you dummy, the rule is ":"
then apply funny rules such as "<* >2 !?A l $1" which in good ol' English means: # Lowercase pure alphabetic words and append '1'
As aforementioned, the dummy is absolutely convinced that "password123", or "P@ssw0rd123" is unbreakable, or even unguessable, that is until, our brights readers think about "<* >2 !?A l $123"
Out of the first 330,000 -unique- passwords (meaning dupes removed) that (we)* have cracked from the Linkedin hash dump, 1344 instances of "123" were found, along with 100's of "love", etc etc
Do you catch my drift? The snowball effect: The more you crack, the faster you crack the rest. Up till you reach the crazy ones ... :)
4- Use the most probable rules first and the really funky last, i.e: # Really weird charset conversions, like "england" -> "rmh;smf" (shifting one key to the right)
5- Preferably use a statistically sorted Wordlist, most used first: it will greatly reduce your running time and read the "rules" in the doc folder, you'll be then able to mingle anything without using 50,000 terabytes.
6- Lastly, there is a limit (memory / preprocessor ) on the number/complexity of the rules that you apply. You can go wild, but avoid the "crazy".
The proof of concept is demonstrated in the video.
Optimized john.conf is available for download at the end, but please, read the "Read me" and the command lines first
John The Ripper Commands and examples
the main options are the following
--session=[name]
--wordlist=[path and name]
--format=[format name]
--show [path and name of the hash file]
--restore=[session name]
--rules
--config
--loopback
--markov
All options have a shorthand, for sake of clarity we here use the longhand.
i.e -ru = --rules ; -w = --wordlist. See /John/doc/examples
To Abort John , use ctrl-c (control c) and NOT CTRL-Z. Also, press ctrl-c one time, not twice.
We've mentioned to place John in a top directory, and to rename "john-1.7.9-jumbo-6 2" into "John". Indeed, you'll have to type command lines, and if you have placed john in a funny far-far away directory , the command line will most likely drive you crazy:
Keep it simple!
You can always drag and drop a file into terminal, it will automagically write the path for you. W ithout err ors.
If you do not know the hash type, john will find it for you, but it's always a bit better to force load one type of hash Vs. having John trying multiple hash, sometimes, one hash can be recognized under other names.
So, let's try John with the Linkedin dump (I suppose one could find it on the Internet with minimal Google-Fu competences)
Go to the appropriate directory AKA: /John/run and type
./john [path and name of the Linkedin hash file]
You'll see that John has found multiple possible hash and gives you (few) warnings
Warning: detected hash type "raw-sha1", but the string is also recognized as "raw-sha1-linkedin"
Use the "--format=raw-sha1-linkedin" option to force loading these as that type instead
--format
Hence, pretty clear that you should use, in that case, --format=raw-sha1-linkedin
So the command line goes as:
./john --format=raw-sha1-linkedin [path and name of the hash file]
--session
The --session option allows you to stop a session and restart where you left it later, useful, huh? Then use it!
./john -- session=linkedin --format=raw-sha1-linkedin [path and name of the hash file]
--restore
the --restore option allows you to restart an interupted session, with all the previous parameter just where you left it, pretty handy, huh?
/john -- restore=linkedin
--wordlist
The --wordlist option is for a ... wordlist! yay! with the path if necessary.
If like me you have decided to rename your John directory into JTR, it is suggested that you use the --wordlist option , that is, if you have left your john.conf alone , see line Wordlist = $JOHN/password.lst in file john.conf
Warning! on the 32bit version, if you attempt to use a --wordlist option with a dictionary greater than 2GB you may receive the following error: Error, dictionary file is empty.
5 of 17 9/15/2013 9:18 AM
1) count the lines with wc -l [filename]

1a) Divide by 2 (roughly) , and round it up to the next integer (full number)
2) Split the dictionary with split -l [#lines] . the output by default is xaa, xab, xac etc .
3) Don't use the the option by size , you'll end up cutting a password in 2.
./john -- session=linkedin --wordlist=masterpswd.txt --format=raw-sha1-linkedin [path and name of the hash file]
Loading multiple wordlists at once
John does not allow, by default, to load multiple Wordlists at once, but you can trick him.
The most probable reason why the maker of JtR have not implemented this option by default resides in a word of caution: Rules are going to be applied as described in your "whatever.conf"
Loading 300 million lines is one thing, hav ing rules applied to 300 million is another altogether: If your Rules generate an output of 10,000 variations on ONE password, one could expect the simple math to be 10,000*300,000,000 = See you in 3 years
Hence: CURB YOUR ENTHUSIASM!
If you wish to do a quick chop-chop on large set of wordlists, edit/create a specific .conf file with very simple and very fast rules, i.e :,l,u,S , etc.
See /doc/Rules and what's below under --rules and --config
1) Create a directory in /John and name it "Wlist" or "Store". Anything you want but keep it short.
2) Place in it your favorites Wordlists, avoiding repeats and duplicates, even in the wordlists.
Solution: Where "Wlist" is the directory containing your Wordlists, and grabthefiles, an argument. You can replace grabmethefiles by anything that fits your mood.
Type: ls /John/Wlist | xargs -t -I grabthefiles ./john --session=xargs --wordlist=/John/Wlist/grabthefiles --rules [etc etc..... ]
" xargs -t -I " it's a overscore "i" , not a l,L or | --> "xargs -t -I"
xargs calls multiple times the same ./john command line changing each time for the correct wordlist, be aware that it is highly recommended to use --session otherwise, if you have to pause you'll have to restart from scratch.
The ETA is for each wordlists and not for the total time.
--rules
The --rules option call for a specific set of rules as defined in John.conf under names such as [List.Rules:Wordlist]
using --rules will call for all the rules, if you want to use only a specific set, i.e wordlist, then use --rules=wordlist
./john -- session=linkedin --wordlist=masterpswd.txt --rules=wordlist --format=[hash format] [path and name of the hash file]
Be aware that calling a large set of rules could lead to some extra-extra time, always check that you are not performing a duplicate work. i.e calling twice the same rule or asking to lowercase an already all lower case wordlist.
Rules are processed by a preprocessor. Writing extremely large rules or set of rules will send your memory usage off the chart. See John.log
--show
The option --show shows you the cracked hashes, it's best used with a redirection to a file
./john -- show [path and name of the hash file] > showpass.txt
To see what's left to crack, use --show=left
The option --show works faster if you include the --format option
./john --show=left --format=[name] [path and name of the hash file] > showhash.txt
--config
The option --config=[name] allows you to use multiple configurations and set of rules. You can create your own configuration files and use it at will, i.e a "mini.conf" configuration to crack the easy one first. Don't forget that a wordlist that have 100m passphrases in it,
mingled with 100 rules equals a 100x100m words equivalent. Translated in space, it like having, about, 95,000 MB worth of space. 95 TeraBytes
See at the end for downloadable Config/Rules files
See "Making List.Rules" before making 99 different config files
--loopback
--loop
A rarely used option. Too bad, it's a good one! The --loopback allows you to check against your john.pot file. You have already cracked some passwords and they are all stored in john.pot, hence you can re-use them for a quick check.
For a longer check, I'll give you a hint: those are real passwords: the ham not the spam! so re-use them with rules: If you have found "password" , you'll find "password123"
--Markov
A statistical attack deriv ed from pr obabilistic stochastic processes. AKA Markov's Chains.
I am scaring the shit of of you with Markov, huh? I am not?
Well... don't be afraid ... I don't understand it myself. I read what I could, got a serious headache and decided not to pursue.
All I know is that it's working!
As a matter of fact it's working pretty darn well and it's really fast too.
Mr Andrey (Andrei) Andreyevich Mark ov (1856-1922) must be thrilled to know that we're all very satisfied with his research. Thank you Mr Markov!
As I don't understand the intricate details of Mr Markov thoughts, I switched to a highly scientific proven method: "The Empirical Poke Around"
Hence, I poked around. Empirically.
First things first.
1) grab a high quality password file. Please be sure to use a US95 ASCII txt file (no or ) unless you are using the -p option
2) in /John/run type ./calc_stat <name of dictionary file> stats
3) let it work, it should take about 10 min, based on the Dic size.
When done type your average John command line, this time, include --Mark ov
./John --markov [path and name of hash file]
On the screen you'll see something as: MKV star t (stats=$JOHN/stats, lvl=200 len=12 pw d=238032699)
6 of 17 9/15/2013 9:18 AM
and rapidly, Mr Markov will go to work ...

len=12 is the max password length to be tested
lvl=200 is the level.
pwd=238,032,699 is ...well, you've guessed.
"lvl" is what is going to increase or decrease the number of password generated. Try to stick between 200 and 250. At 300 my config generated 6,243,105,973,969 passwords. It's a bit too much. See the "Empirical Poke Around Graph"
You can modify those parameters in John.conf , or directly with --markov[modes]
./john --markov=230:0:0:12 (level, star t, end, length)
The 0:0 values are start/end in %. 0:0 being the default, otherwise you need to put a %. i.e --markov=200:10%:20%:12
Be aware that there is a bit of a catch: The Markov's Swiss Cheese Illogism
- The lower the level, the lower the number of password generated, but the greater the quality, hence the fastest time... To crack the lowest amount of hashes.
- On the other hand: The higher the level, the gr eater the number of passwords generated, but with the lowest quality, hence the longest time... To crack the highest amount of hashes.
Do you follow me? The more holes in cheese, the less cheese. But the less cheese, the more holes. If the more holes, the more cheese. Hence more holes = more cheese.
Roughly to say that if you push the enceloppe a bit too high, you'll have such a large number of possibilities that you'll be close to bruteforcing. Keep the numbers between 150 and 250. (Surprise, the default value is 200)
Markvov Vs. Bruteforcing

I had about 1.5 million hashes left and it was getting harder to crack the remaining ones. Then I decided to test Markov Vs Bruteforcing, the -surprising- results are as follow:
Markov: guesses: 18,072 time: 0:01:30:00 c/s: 6654G
Brutefor ce: guesses: 4,590 time: 1:07:04:57 c/s: 3817G
c/s Speed: Mark ov is 74% Faster than brutefor ce: More bang for your buck!
r/t ( Passwords recovered / Tries ) Markov wins!
Recovery speed: Mark ov recovered 3.34 pswd/sec on average, Bruteforce 0.85 pswd/sec, which make Markov 394% faster
Markov will not recover all passwords, and cannot guess true random one, but you can attempt passwords length greater than bruteforce, on the other hand Bruteforce will recover any password under 10ch long. If you have the time.
EPAG
Empirical Poke Around Graph
John.pot
John keeps a list of already cracked hash in run/John.pot, keep that file safe ...
the format looks like:
$dynamic_26$32bf58ba66ef765e214ca1b6fe70244dfe5b5427:link@din2010
[header:hash:password]
You can easily trim the fat with cut -c 51- [filename] > output.txt
51- being the # of ch to remove. yes, it is "51 dash" "dash 51" will leave the first 51 ch.
As many times mentioned, because we've found "link@din2010" , one could bet that we will find something close to it. Another genius has thought very hard and used "name of the website + year" or something in the same family ... So of course, we found
relativ es...
Here is the brother ...
2ce773d7ffbbe7491e51272783d1c6f411a1d34b:link@din2012
And the uncles...

033a2970983d5675152a6213d7d4228bc977399c:linkedinpass1234
6a9535be0d9ef156d5fa7465bd419d15843bb2b0:linkedinpass1402
01679a9ea64997f7e693159670329061c9dd22c3:linkedinpass1423
5077ab2005d5253f9b55b9b0979aa9401fcad706:linkedinpass1704
Bruteforce Vs. Wordlists + Rules

Brutefor ce is extremely, extremely time consuming and should be used only as last resort, specifically for long -er passwords: Bruteforcing 2 to 5 ch long is fairly fast and easy, 6 to 7 is medium, 8 and above will test your determination. No need to mention 15 or
16...
Hence, you've already cracked the easy ones... i.e "password" you might want to re-use them.
As mentioned above, john.pot keeps track of the hashes previously cracked and will sk ip them and it's a good thing: No need to work on already cracked hashes. You should always try to chop-chop trough the easy ones first, then use bruteforce on last resort for
the complex ones.
If you find "Linkedin", an (existing) rule can easily double the password: "LinkedinLinkedin" , then once either re-injected in a dictionary, re-used with --loopback or created via Rules, you could find "LinkedinLinkedin2012" or "L!nk3d1nL!nk3d1n2012"
Finding such "L!nk3d1nL!nk3d1n" by mean of simple bruteforce is not a job for you! it's a job for your grandgrandgrandgrand son, or daughter: Seriously, limit yourself to less than 8 ch long unless you own a very-very fast machine.
What Mr Dingbat could have done was to use roman characters, i.e , , an uppercase, sign, and number. i.e 1966L!kdin1966 That would have forced you on the whole range of printable ASCII. You will be then, pretty much dead in the water.
Don't get me wr ong, it is still a stupid password because of the pattern, but it's a whole lot stronger ... by a factor of 104, or 10,406% stronger
Now, take the same stuff and use Rules .... What was extremely far far away is now feasible: we know that "linkedin" is a big fave, we know that people like appending and/or prefixing numbers, and we know that using "!" for "i" will not get you a Nobel Prize.
Proof that it's easily feasible with Rules? I did it!
Check the quick analysys of the Linkedin passwords at the end.
7 of 17 9/15/2013 9:18 AM
Bruteforcing Speed
Disclaimer: This section was specifically written to discourage you.
The good news is that JtR does not brutefor ce stupidly in order (0, 00, 000 etc) JtR uses an algorithm to generate a smart-er bruteforcing order. Nevertheless...
Brutefor cing 4 ch long is very fast, 5 is ok, 6 is slow, etc
here are the speed for an average machine, one core running, No GPU, on raw sha1,
length Keyspace Key/sec Time
1 to 4 ch long 82,317,120 ~ 2,655,391 31 Seconds
1 to 5 7,820,126,495 ~ 2,655,391 46 minutes
1 to 6 742,912,017,120 ~ 2,655,391 73 hours
1 to 7 70,576,641,626,495 ~ 2,655,391 289 days
1 to 8 6,704,780,954,517,020 ~ 2,655,391 75 years
There you have it.

Even if you have a fast machine, you'll still be waiting for few years. In order to go into the "W eeks" or "Days", it's GPU assisted only. A good GC/GPU will take you into warp speed, tests on This Card are showing results as high as 8.2 billion passwords/second.
With a single of one of those, your ETA goes from 75 years to 23 hours.
One notable counter intuitive perception is that, the smaller the hash file, the slower the speed (in c/s, not in overall time) and not the logical opposite, and this is due on the inner working of any Cracking progr am, lemme explain...
A Cracking progr am does not "guess" or reverse engineer the hash, it simply compares it.
1) You feed the pr ogram a test password, i.e password1
2) A hash is generated: e38ad214943daad1d64c102faec29de4afe9da3d
3) The pr ogram compares it with the list you provided.
If there is a match, good news. If not, then try again with another test password.
And that's why: It's faster to compare 1 generated hash against a large list of existing ones than to have to generate a lot of hashes to compare to a small list. Generate one, compare to millions Vs. Generate millions to compare to few.
6,2 million hash list c/s speed = 4,284,000,000,000 c/s
10 (ten) hash list c/s speed = 17,859,000 c/s
Speed the thing up! (Part One)
You can go two ways: get the fastest machine or get smart:
Get smart is even faster then the fastest machine...

Get some geeky friend to help you.
1) Each member of the team choose a mode or a set of different rules, and start working on it's own piece. Going trough long rules alone can be a long long project, when the rules/modes are divided amongst individuals it works much faster.
In the mean time, share a dropbox folder with your friends.
After 45 min or so, do a ctrl-c to stop the session and do a:

./john --show [hashfile] > /dropbox/public/sharedfolder/showpass_myname.txt
Your friends having done the same, you have x password files. Use Textwrangler to concatenate them, clean and remove the dupes in it, and rename as showpass_all.txt, you can now use that file to expand your wordlist(s), i.e a common bigdic.txt that everyone will use
(put the new password first) Each time someone will update the file, Dropbox will update it too, hence you always have the latest copy. Simply point John --wordlist= to that location and from time to time, restart the crack under different session name.
The concepts behind it are:

a) Distribution of the attack: You have now 12, 20 or even 40 cores working
b) Faster use of complex rules
c) Greater chances to crack reoccurring passwords much faster: In a dump like Linkedin, some patterns passwords are present up to 900 times, i.e link, l!nked!n , etc
If you had a 40 cores, you still have to go trough the hash one by one.
As you are now criss-crossing your results with your friends using a file that contains everybody's result, you do not need to spend time crack a password already found.
Remember? the first rule of wordlist is "as is"
This solution is faster than "40 cores" alone. Don't reinvent the wheel....
(we)* : Thanks to:

Terek, Score 40%
Trae, Score 0% (aka ADHD Boy) QuadCore i7 running on one leg ;)
Speed the thing up! (Part Two)
let's be clear: Rules Rules!
Without Rules, Markov aside, you would be condemned to two main "solutions"
1) Endless Wordlist, 50,000 TeraBytes of it, and $200,000 worth of Hard Drive.
2) Bruteforcing for the next century, and a $200,000 utility bill.
Rules allow you to generate or re-generate new passwords to be tested, and also, to do it much faster than anything else, plus you would NOT have the space to store such wordlists.
The KISF Rule

Keep it Simple First!
Before going bonkers with complex rules (that will make you proud) why don't you try the simple ones first? They are fast and replicate human mnemonic patterns: Capitalize, Upper, Mirror, duplicate, etc etc. Did I mention the docs? Where rules are explained?
8 of 17 9/15/2013 9:18 AM
Rules Vs. Endless Wordlists
Rules are not as fast as reading directly, (yes, you are using some CPU/memory to generate them) but the space saved is huge. Futhermore, you can turn on/off rules, add, mingle or remove , etc. With gigor mous wordlist, (aka bragging rights wordlists on the
internet for 100 or 200GB list*) you have to store them, edit them -if you can-, etc . Good luck with that. The solution resides again in an excellent set of W ordlist and a solid set of r ules. ( *Bragging rights: 200 GB WPA(?) Wordlist )
The caveat is that, reading rules, understanding and editing them will give you a serious headache. Example: -[:c] l /a /l /[os] sa4 sl1 s\0\p[0$] (?\p1[za] \p1[:c] Well, that's not the most friendly thing to understand.
...Knowing grep will help you a bit, but ... as you've read so far... you deserv e a little bonus for your perseverance:
John The Ripper Rules Generator!
- Yay!
By Matt Weir **
No only you will generate rules easily, without needing a Costco sized bottle of aspirin, but you'll quickly learn the tricks and syntax. Otherwise, read the doc in JtR and order aspirin by the pound.
i.e , Swap Case of all Keyboard Values, Reverse, Concatenate, even modify the Character Set. G-d bless you Matt Weir!
Where? : https://sites.google.com/site/reusablesec2/jtrconfiggenerator
Prerequisite? : Xcode / gcc
How? : sudo --user --shall readtheefingdoc
run? : ./jtrMakeConfig
If for whatever reason you do NOT wish to use the JtR Configuration Generator, you'll want to look at one of those things... It will feel the same ... a big PIA
Nevertheless, always check your rules with a small test file, just to avoid duplicates or very slow stuff: Loading 50,000 rules is un-efficient. Having an ETA of +50 days should be a sign...Believe me, I have made mistakes ...
Strategies ..
- First, when you hear about a large dump being released, you Google it and try to find the dump. Seconds after the download started, you should start Google-ing ag ain for the first cracked passwords: Someone out there is faster than you, has a better
machine(s), and has already cracked few of them. In order to comply with the "Bragging Rights Theory", short list may have been published, those will help you a lot to star t your crack. Get them, and keep on Googling from time to time.
Also, it's highly possible that by the time you find a link or a paste, the sole answer will be "content no longer available". In that case one could thank Google for the feature called Google Cache. Thank you Mr Google for that. Try it ;-)
- Start small, good dictionary, small rules: Each time a hash is cracked, it's stored in John.pot and will not be reloaded. Each time it's cracked, JtR goes faster ....
- Check the (hash) source if you can, i.e the website. For instance, American Express has stupid rules for passwords: no spaces, only % & _ ? # = - and best of all, is not case sensitiv e. Hence, it has gr eatly reduced your workload. If a website does not allow
certain charaters, just don't use them. If the website has a policy of "minimum 8 ch long", don't attempt to bruteforce 0-7. You'll save few hours. (If you have ever attempted to c rack a zero Ch. long password, please seek medical attention immediately)
- use --loopback and from time to time , append your w ordlist with the already cracked passwords
- use pipal or PACK to generate an analysis of what's been cracked, always useful to see a pattern or the most used strings
In the case of the Linkedin dump for example, you can try a small br uteforcing in the middle, 1-6 ch long, you'll always find something to chew on, 7 ch is slow, 8 is very slow...
- use the option --mkpc=1 and check your john.log file: You'll see which rule is associated with the cracked password, then make an educated guess...
Making List.Rules
Open John.conf with TextWrangler and start looking for lines that contains [List.Rules."Whatever"]
Those are "paragraphs" stating a set of rules to be called by the option --rules="whatever"
i.e --rules=jumbo
You can create your own paragraphs with your own set of rules, i.e [List.Rules.Veryfast]
Include in it "very fast" rules such as "as is" "Capitalize" "Duplicate" etc ...
it might look like that ...
##### Veryfast #####

[List.Rules.Veryfast]
# no-op: do nothing to the input word
:
# convert to lowercase
l
# convert to uppercase
u
9 of 17 9/15/2013 9:18 AM
# capitalize
c
# lowercase the first character, and uppercase the rest
C
# toggle case of all characters in the word
t
# reverse: "Fred" -> "derF"
r
# duplicate: "Fred" -> "FredFred"
d
# reflect: "Fred" -> "FredderF"
f
# rotate the word left: "jsmith" -> "smithj"
{
# rotate the word right: "smithj" -> "jsmith"
}
##### End Of Veryfast #####
Before going wild, double check that you are not calling duplicate rules, or you'll be doing double work for nothing. i.e ":" (Trying "as is", No op ) is already called in [List.Rules.Single], [List.Rules.Wordlist]. As [List.Rules.Jumbo] also calls "Wordlist", if you add an extra
one, your hash will only be checked for a fourth time. ;-)
Length control
If you know that the password you are looking for is of a certain character length, or range, i.e 8ch long, there is no need for you to check anything outside that range. In that case limit the search by adding a character length limitation, you can gain a huge amount of
time.
Example: limiting to 8 ch long
# Trying 8 ch long only
[List.Rules:8only]
>7'8
# End of Trying 8 ch long only
The first >7 reject any word that is less than 8 ch long
The second '8 truncates words greater than length 8
You can, of course, add this control to other rule commands, i.e
$[0-9]>7'8
The above suffix a number and limits the length of the password tested.
IF the password tested is:
America --> America0 , then America1 etc etc...
IF the password tested is:
UnitedStates --> UnitedSt (truncated at 8, without adding the digits)
Rules that calls Rules

Look for the Rule called [List.Rules.Jumbo] and you'll quickly understand that you can call sub-rules. [List.Rules.Jumbo] calls the rules "Wordlist" then "Single" then "Extra", etc.
Example:
# For Wordlist mode and very fast hashes
[List.Rules:Jumbo]
.include [List.Rules:Wordlist]
.include [List.Rules:Single]
.include [List.Rules:Extra]
.include [List.Rules:NT]
Hence, you can also create your own [List.Rules.Myrules] by using .include [List.Rules:Whatever]
Again, be aware that some rules are going to be called twice when using "Jumbo", or that you'll call subrules twice too, hence double check -again- that your set does not call again the same rules over and over again, i.e using [List.Rules:Jumbo] and [List.Rules:Single-
Extra]
Ordered Rules?
Let's go back to Mr Dingbat and Friends, The append/prefix a number to a password is obvious. In JtR, the rule to append a digit to a password is $ "your digit" such as $a will add an "a" at the end .For a number $1, for a range $[0-9] or $[0123456789]
Got it?
$a password >> passworda
$[123] password >> password1, password2, password3 (no 4 and 5, you didn't ask)
To be able to add more than, you repeat ...

$[0-9]$[0-9]$[0-9] password >> password000 to password999
hence, the following

$[0-9]
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]
10 of 17 9/15/2013 9:18 AM
Will go from append 0 to 999,999. Repeat the same rule but interchange $ for ^, and you'll prefix.
You have now 999,999 + 999,000 permutation per password.
Take a 50m line wordlist and John will develop it into a virtual 99,999,950,000,000 password list. That's 99,999 billions. So, again, to wrap your mind around it, it's about 5,500 2TB Hard Drive worth of space,or in moolah: $675,000 (Geez, the money you save
reading this blog)
So, Rules is a no brainer, but .... 99,999,950,000,000 passwords, it's going to take a while... ETA +30 days and the question is asked: Do the order of rules impact the cracking speed?
Yes and yes
a) The more cracked passwords, the gr eater your chance to see a pattern, leading to more passwords being recovered.
b) Due to the human nature, what would be more unlikely? Mr Dingbat appending and pr efixing 5 or 2 digits?
Let's gr ep it and we'll find out!
Out of about 50% of the passwords cracked, the distribution indicates such patterns:
abc..00 593,914 hits , or 17% of the total

abc..0000 400,114 11.4%
abc..0 367,969 10.5%
abc..000 219,942 6.3%
0abc... 79,224 2.3%
down to ..
00000abc.. 5,200 0.1%
Hence the logical order of trying 1,2,3,4,5,6 digit either after or before is not the most optimized and will take you longer. The pr oper order in that case would be:
(Warning slow stuff!!!)
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]
$[0-9]
$[0-9]$[0-9]$[0-9]
^[0-9]
^[0-9]^[0-9]
$[0-9]$[0-9]$[0-9]$[0-9]$[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]^[0-9]
^[0-9]^[0-9]^[0-9]^[0-9]
Charset making
This section is specific to part 2) Bruteforcing Longer than 8ch long

Having modified params.h is a prerequisite, as described in 2)
You can always re-compile if you've missed it the first time.
Before doing it, we recommend that your John.pot has gain some "fat": crack few hashes
1) Open Terminal and g o to your /John/run folder

1a) Run ./John --make-charset=[choose a name].chr
i.e ./John --make-charset=longforce.chr

hit return and wait for John to finish
2) Open John.conf with TextWrangler

2a) Look for the section containing " # Incremental Modes"
2b) copy the part
[Incremental:All]
File = $JOHN/all.chr
MinLen = 1
MaxLen = 8
CharCount = 95
Paste below and change the parameters to match your hopes, example:
[Incremental:longforce]
File = $JOHN/longforce.chr
MinLen = 10
MaxLen = 15
CharCount = 95
"longforce" being the incremental name, "longforce.chr" the charset name, "MinLen" the Minimum paswd length tested , and MaxLen the max one.
Min/max 10-15 is already a stupid long keyspace, hence you can create as many section as you wish , i.e "longforce13" and only attempt to Bruteforce 13 long passwords
MinLen = 13
MaxLen = 13
( I would limit myself to a specific time fr ame, i.e a day or two.)
When ready, just run ./john --incremental=longforce13 [other useful parameters ....]
You can always run one instance of John per Core. 4 Cores, 4 Instances. Each of them running a separate "bruteforcing" length i.e 10,11,12,13 ch long.
11 of 17 9/15/2013 9:18 AM
That should keep you busy for a while...
** Matt Weir
If you want the advice of a real specialist, you might want to read Matt Weir's blog
http://reusablesec.blogspot.com/
Matt has now left this earth... Well...no, he is still alive, he has just stopped blogging for professional reason. He's a bit like Obi-Wan Kenobi: not here anymore, but you can still feel The Force.
Just like Elvis, there hav e been some sightings! The last report of a Matt Weir sighting was at DEFCON2012. If you have experienced such, please report your findings immediately.
Matt Weir has also made some optimized (scientifically optimized, (It's Dr . Weir)) Config, you can read about it, and even download them:
Matt Weir's Pack o' Configs You M.U.S.T read the little "read me" in each file!
Optimizing john single mode
Follow up on single mode
Kore Logic Rules, Modified by Solar Designer himself (The Creator of JtR)
Theses are "r ules" and not a "John.conf" with rules
Update, Sept '12

As soon as the article was done, The JtR Team made few improvements :)
- A GUI JtR was released for Linux
- A Newer pre-compiled Version of JtR Jumbo 1.7.9 was released too
Nevertheless, there is always a delay between the most recent JtR version and the JtR, Hence compile it yourself.
ALLA
(Another Linkedin Lame Analysis)
Fun Fact about the Linkedin dump
First Character usage, Most used first

ae1iInrosl0t2mdc3uh9kb748g5p6yjfvwzxASMLB!RCTEq@NDPGHKOJF$.#W*UV_Y-Z&XQ+%/?,=);(^':~["^<]>|{}
Hypothesis:
Even though the keyspace remains the same than an alphanumericaly sorted character set, a sorted by usage Charset should be slightly faster as more hash -should- be cracked earlier.
The analysis of the 1st to 6th characters distribution indicates almost a constant pattern.
Does anyone has a documented opinion? Anyone?
Distribution of first to sixth C h.
Click To Enlarg e
Character usage, Reversed

}{|>]<^"[~:'^(;)=,?/%+QX&Z-Y_VU*W#.$FJOKHGPDN@qETCR!BLMSAxzwvfjy6p5g847bk9hu3cdm2t0lsorniI1ea
Most "unlikely" password

}{|>]<^"[~:'^(;)=,?/%+QX&
The ones that are hard to find:
(fund 123) 123

(Hello)
(Sultan)
( Rokaya)
Comments:
Please, if you leave a comment, let us know:
1) Your OS version
2) The JtR Version
3) Your machine type
Also, it's cd /john/src and not /john/src

cd as Change Directory
35 COMMENTS:
12 of 17 9/15/2013 9:18 AM
Zachary October 16, 2012 at 3:16 AM

I tried the "make clean macosx-x86-sse2" command in the src folder but it told me "-bash: make: command not found"
Reply
Replies
Admin October 16, 2012 at 7:01 AM

Check step 1, xcode
Zachary October 16, 2012 at 10:23 PM

Haha, it sounds so pathetic that I didn't follow the first step. I initially did attempt to download xcode but the app store said I needed os x 1.7.4 (or later) to install it. I just thought I could at least get through the jtr install without it.
Admin October 17, 2012 at 9:01 AM

Yup, That's why it's called "Step 1"
Reply
Jacob Sorenson Febr uary 22, 2013 at 3:06 AM

make[1]: mpicc: No such file or directory
make[1]: *** [john-mpi.o] Error 1
make: *** [macosx-x 86-sse2] Error 2
i get both of these whenever i run either of the make clean commands, and i can't get passed that step.
am I missing anything?
Reply
Replies
Admin Febr uary 22, 2013 at 7:03 AM

"am I missing anything?"
You could start by mentioning your OS and the version of JtR you are trying to install ...
That would greatly help ....
Jacob Sorenson Febr uary 22, 2013 at 10:48 PM

Mac osx 10.8.2
john 1.7.9 jumbo 5

The last version of John is 1.7.9 Jumbo 6 , or even 9 on Unix
please use the latest version
the line "make: *** [macosx-x 86-sse2] Error 2" seems to indicate that you asked for a 32 bit version of JtR
Mac OS 10.8.2 is 64-bit only
- for the 64 bit version: make clean macosx-x86-64
Jacob Sorenson Febr uary 26, 2013 at 2:40 AM

when I tried the 64 bit it did the same thing.
Every time a downloaded a Jumbo 6, it didn't have an sr c folder. Would you happen to have a link to one that does?

"Every time a downloaded a Jumbo 6, it didn't have an src folder."
I tried 2 minutes ago. There is a SRC folder. Ver. john-1.7.9-jumbo-7

Apparently, you are downloading a pre-compiled version, and tr ying to compile it again, or doing something really silly. I am almost ready to ask the following: Did you untar the download?
Try the following link, This too shall pass ....
http://www.openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz
Reply
NewAngels Febr uary 26, 2013 at 10:56 AM

You are wrong Admin, Jacob have an Normal & logic error, beacause since LION & Now Mountain Lion, have no more OpenMPI included on OSX, you have to download again & intall openMPI as well on your MAC.
You haven't the error Admin, beacause you use Leopard or Snow Leopard
My 2 cent's ;-)
Reply
Replies
13 of 17 9/15/2013 9:18 AM

Thanks for your 2 cents, I'll double check. Nevertheless, the source folder "SRC" should be present, 10.7, 10.8 or Not.
Reply
Volker Riebartsch April 4, 2013 at 4:47 AM

NewAngels is right, no OpenMPI since 10.7. After making sure the latest version of Xcode is installed head over to
http://www.open-mpi.org/software/
and download the latest source of openmpi (1.6.4 right now). Download the source code as .tar.gz, then
tar zxvf openmpi-1.6.1.tar.gz
cd into the created directory and
./configure --prefix=/usr/local
if configuration runs without issues, compile the code by
make all
if the code compiles without issues, install by
sudo make all
Once installed compiling JTR Jumbo will work without any issue
Reply
Replies
Admin August 6, 2013 at 10:03 AM

Volker,
I apologize, I completely forgot to thank you for your input.
Reply
Riki Matsumoto May 18, 2013 at 6:55 AM

Hi. Same as Jacob.
I get:
make[1]: mpicc: No such file or directory
make[1]: *** [john-mpi.o] Error 1
make: *** [macosx-x 86-64] Error 2
When I try to do either make clean command.
Mac OSx 10.8.3 Mountain Lion

Ver. john-1.7.9-jumbo-7
Thanks.
Reply
Scott Rushing July 30, 2013 at 9:50 PM

Is there any useful tutorials on how to use JtR against an encrypted DMG file? I have one which I forgot the password. I have compiled JtR and gotten a decent wordlist to use, but I can't seem to find any clear examples of how to set the options for JtR to try
and crack it. Any suggestions?
Thanks
Reply
Replies
Admin July 31, 2013 at 8:07 AM

I could write an extension to this article, but it will not be done in the next few days, or at least in details...
The generic version of JTR does not work on AES, you have to get the bleeding jumbo.
The main issue, and I want to REALLY stress this out, is the fact that an AES Encryption is a REALLY slow hash. Meaning that the number of tries per second is extremely slow compared to a SHA-1 for example.
If you have no idea of what the password was made of, or if do not know what characters were used, you'll end up with too many possibilities for a human lifetime of work.
I am all for a good Wordlist, BUT, I would seriously consider taking a deep look at the "Rules"
IF your password is 8ch long, and IF you have somehow limited the possible keyspace to 20 characters, you'll then need a wordlist of
(8^20)*8 bit of space = 1,099,460,249,953 MB in size
Be aware that you also need a FAST machine...
AES is NSA/CIA grade encryption. You're not watching a movie.
Admin July 31, 2013 at 1:28 PM

posted
http://easymactips.blogspot.com/2013/07/how-to-crack-dmg-encrypted-dmg-file.html
Reply
Scott Rushing August 1, 2013 at 8:31 AM

Thanks for the reply. I think with the rules I can likely narr ow it down a bit but I complete understand your point. (You mean they don't do realtime password cracking in the movies??? ha!) I just haven't been able to find much in the docs and examples about
how to setup the command line params for a DMG file. Maybe I've been searching for the wrong words and should have searched more with AES encryption instead of DMG's but there hasn't been a lot useful I've found. I did just compile the latest jumbo
version but I think I didn't hit the bleeding edge version so I'll go back there and check that out. And unlike some, this isn't a "must get this cracked now" kinda thing. I'd like to get my files back soon but if there lost, there lost, so I don't mind firing it off and
letting the job run. Secondar ily, I do hav e access to an compute cluster I could launch the thing off on too, again but as a novice at this, figuring out how to configure it to run on the cluster doesnt sound like it'll be an easy task.
Thanks again for any direction you can offer.
14 of 17 9/15/2013 9:18 AM
Reply

the command line params for a DMG file"
-- They are the same as for any other hash. mpirun -np[cores] ./ john [option] [option] [option] dmg.txt
depending on what/where you do it, you may want to use the idle cycle or not.
Also, thinking about --session is a good thing
" And unlike some, this isn't a "must get this cracked now" kinda thing."
-- It's a good thing, because most likely, you'll need the patience of a Buddhist monk. Or a whole bunch of GPUs...
AES is painfully slow to crack. (Wut? they didn't make it easy???)
"Secondarily, I do have access to an compute cluster..."

-- As always, Google is your friend. Don't reinvent the wheel...
http://openwall.info/wiki/john/parallelization
http://louwrentius.com/blog/2011/02/parallel-/-distributed-password-cracking-with-john-the-ripper-and-mpi/
http://www.youtube.com/watch?v=92aOeQ0o6J0
Instead of "Cluster" search for "Parallelization" or "Distributed"
When your cluster is working, let me know: I'll be interested on some benchmark.
I have myself a cluster of 1 working very well. :P
Reply
The AntiPingouin August 5, 2013 at 12:26 PM

Hey admin,
I'm having troubles at part 3 when I type: "make clean macosx-x86-64"

It says:
make clean macosx-x86-64

make: *** No rule to make target `clean'. Stop.
I read about OpenMPI, is it this? what should i do?
OS X .7.5
JTR 1.8.0
Also at part 1.b) i dont have (below) in my file. Is it because i'm in 1.8.0 and your tutorial is 1.7.9 ?
Thanks.
Reply
Replies

I have reproduced your error on 10.7.5 with JTR 1.8.0
For the Lolz's sake, could you copy your *entire command line* and post it please?
Reply
The AntiPingouin August 6, 2013 at 11:13 AM

Let's see what is funny :-)
Last login: Tue Aug 6 19:01:27 on ttys000

MacBook-Pro-de-name:~ name$ /john
-bash: /john: is a directory
MacBook-Pro-de-name:~ name$ /src
-bash: /src: No such file or directory
MacBook-Pro-de-Victor-le-Br eton:~ name$ make clean macosx-x86-64
MacBook-Pro-de-name:~ name$
Reply
Replies
Admin August 6, 2013 at 12:15 PM

That's funny:
MacBook-Pro-de-name:~ name$ /src
-bash: /src: No such file or directory
That's hilarious:
MacBook-Pro-de-Victor-le-Breton:~ name$ make clean macosx-x86-64
The issue with terminal is that it does EXACTLY what you are asking for terminal to do, and not what you EXPECT terminal to do.
You are *almost* there...so close ....
I'll let you dig a little, and that's for your own good.
15 of 17 9/15/2013 9:18 AM
Reply

Oops yeah i missed here,
Yesterday i did it the "right way", like this, but still getting the pr obleme
Last login: Tue Aug 6 19:05:43 on ttys000

MacBook-Pro-de-name:~ name$ /john/src
-bash: /john/src: is a directory
MacBook-Pro-de-name:~ name$ make clean macosx-x86-64
MacBook-Pro-de-name:~ name$
Reply
Replies

Nope...
Still the same error on your side ....
Reply

Ok i got it, I remember at first i wrote the "cd" but i didnt work
Now it did,
I'll continue alone for now.
Just about the multi core optimisation, do you confirm that you cant find this in part 1b) ?
Reply
Replies

"Ok i g ot it, I remember at first i wrote the "cd" but i didnt work
Now it did"
-- Yeah, right ... ;)
# Mac OS X (llvm-gcc) with OpenMP

OMPFLAGS = -fopenmp -D_FORTIFY_SOURCE=0
Reply

Ok thank you, what should i type then to use both cores?
mpirun -np 2 ./john --test=10 doesn't work : -bash: mpirun: command not found
Also ( :-S ) when i want to try with the classical method, i have this issue:
./john /Users/name/Desktop/password.7z
No password hashes loaded (see FAQ)
So i go to FAQ, there I See that i have to "unshadow" my file.
umask 077
unshadow /Users/name/Desktop/password.7z
-bash: unshadow: command not found
Any hint? :-)
Finally. About the word list. I'm interested in Crackium but:

- Is it compressed for the download?
- Is it the same list for KissMac and casual password cracking?
- Does it support wep/wap AND WAP2 ?
Das thank you ;-)

Reply
Replies

what should i type then to use both cores?"
./john --test=10
"./john /Users/name/Desktop/password.7z"
password.7z is (most likely) a compressed file. Does it contain any hashes???? have you tried to unzip it?
Crackium
yes, compressed. As indicated.
16 of 17 9/15/2013 9:18 AM
KissMAC --> KisMAC , yes. it can be used for both. Or also for JTR. And Crowbar. Or also for Hashcat. As indicated too...
"Does it support wep/wap AND WAP2 ?"

WAP --> WPA (WAP is an old phone pr otocol)
Yes for WPA, WPA2, and all the other W PA's WPA AES, TPIK, and brothers
WEP: yes, too, but why the phoque would you use a Wordlist on WEP?
Reply

WEP: yes, too, but why the phoque would you use a Wordlist on WEP? => Just asking :)
I know it is a compressed file, but it is the file that has the password.
I asked a friend to a file with a password, he sent me a .7z (even if i asked for .zip, anyway)
Sorry but i'd say i'm a newbie. hashes? :-S
Reply

"Sorry but i'd say i'm a newbie"
No, you did not. But it was understood.
As for your questions, previous and present:
Have you considered a KisMAC school session? Seriously considered it? For your own good?
- Yes. -> Good, you'll save a great amount of time, effort and pain.
- No. -> You are going to suffer. It's going to take a very long time...
Reply

"I'd say" => I would say
Why a KisMac Session?

JTR Can't crack a .7z ?
Reply

I don't see the link with KisMac and JTR.
KisMac is for Wifi only no?
Also, yes I don't know what are hashes, yes the "unshadow" is not working for me. If I post here it is because I need some help.
If you don't want to help me, just tell me I'll leave.
Reply
Replies

Victor,
I am a bit late on this one, but by now, you know that the password has been found by Rich: alohomora (password.7z)
What you may hav e missed is:
1) the password that you were looking for was in *clear* in the Master_Passwords wordlist
2) you could have also limited your keyspace to 9ch only, hence cracking it in less than 50 seconds.
Reply
Comment as:
L INK S T O T HIS PO S T
Create a Link
Home Older Post
Subscribe to: Post Comments (Atom)
17 of 17 9/15/2013 9:18 AM

John The Ripper Tutorial, Examples and Optimization

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

John The Ripper Tutorial, Examples and Optimization

Caricato da

Copyright:

Formati disponibili

Mac Tips and "How To" On a Mac: John The Ripper Tutorial, Examples and Optimization http://easymactips.blogspot.com/2012/09/john-ripper-tutorial-examples-and.

MA C TIPS A ND "HOW TO" ON A M A C

K ALI APP MA KES THEM WORK TH E H IG H ES T F O RM O F I GNO R A NC E I S WH E N YO U RE J EC T SO ME TH IN G Y O U D O N' T KN O W A NY TH I NG A B O U T.

Wayne Dyer (b 1940)

John The Ripper Tutorial, Examples and Optimization

John The Ripper Mac Installation, Tutorial and Optimization

Deemed worth reading?

Let's install it ...

1- You'll need Xcode, if not already installed, download it , it's free.

5- You have now a directory called John "something"

You'll have to make a choice, roughly between 32 bit, or 64 bit

- JTR is the Mac OSX pre-built

So, make a choice (hint: 64 bit) and we'll start...

1a) Second choice to make:

1b) Search for the following paragraph:

1c) Un-comment the 2 last line, (remove the ##)

Superlight interface to check all your tasks

AP P CL EA NER . In that file, look for the section:

2c) Save the file params.h and go to part 3) compilation.

We can now start the compilation. In /John/src

You'll also find all Linux options, just in case ....

4) Now that the install is done, test it by typing

Camouflage Hides your Icons in a Click

If you see something like that:

MONOL INGUA L Now, let's try something else, type

And the results are:

2d) Wordlist itself

lov3b3ans | Syr4cu$e | C0mmitted | fuzzym0nkey |inth3loop | L1fel0ng , etc etc

So, you end up with 3 choices.

And your choice is? -3? Good answer!

The proof of concept is demonstrated in the video.

John The Ripper Commands and examples

the main options are the following

./john -- session=linkedin --format=raw-sha1-linkedin [path and name of the hash file]

1) count the lines with wc -l [filename]

Loading multiple wordlists at once

and rapidly, Mr Markov will go to work ...

Markvov Vs. Bruteforcing

And the uncles...

Bruteforce Vs. Wordlists + Rules

Check the quick analysys of the Linkedin passwords at the end.

There you have it.

Speed the thing up! (Part One)

Get smart is even faster then the fastest machine...

In the mean time, share a dropbox folder with your friends.

After 45 min or so, do a ctrl-c to stop the session and do a:

The concepts behind it are:

(we)* : Thanks to:

Speed the thing up! (Part Two)

let's be clear: Rules Rules!

The KISF Rule

Rules Vs. Endless Wordlists

John The Ripper Rules Generator!

##### Veryfast #####

Rules that calls Rules

To be able to add more than, you repeat ...

hence, the following

Let's gr ep it and we'll find out!

abc..00 593,914 hits , or 17% of the total

This section is specific to part 2) Bruteforcing Longer than 8ch long

1) Open Terminal and g o to your /John/run folder

i.e ./John --make-charset=longforce.chr

2) Open John.conf with TextWrangler