"Fossies" - the Fresh Open Source Software Archive

Member "john-1.9.0/doc/EXAMPLES" (29 May 2013, 15084 Bytes) of package /linux/privat/john-1.9.0.tar.xz:



	John the Ripper usage examples.

These examples are to give you some tips on what John's features can be
used for.


	Command line.

1. First, you need to get a copy of your password file.  If your system
uses shadow passwords, you may use John's "unshadow" utility to obtain
the traditional Unix password file, as root:

	umask 077
	unshadow /etc/passwd /etc/shadow > mypasswd

(Replace the filenames as needed.)

Then make "mypasswd" available to your non-root user account that you
will run John under.  No further commands will need to be run as root.

If your system is ancient enough that it keeps passwords right in the
world-readable /etc/passwd, simply make a copy of that file.

If you're going to be cracking Kerberos AFS passwords, use John's
"unafs" utility to obtain a passwd-like file.

Similarly, if you're going to be cracking Windows passwords, use any of
the many utilities that dump Windows password hashes (LM and/or NTLM) in
Jeremy Allison's PWDUMP output format.  Some of these utilities may be
obtained here:

	http://www.openwall.com/passwords/pwdump

2. Now, let's assume you've got a password file, "mypasswd", and want to
crack it.  The simplest way is to let John use its default order of
cracking modes:

	john mypasswd

This will try "single crack" mode first, then use a wordlist with rules,
and finally go for "incremental" mode.  Please refer to MODES for more
information on these modes.

It is highly recommended that you obtain a larger wordlist than John's
default password.lst and edit the "Wordlist = ..." line in the
configuration file (see CONFIG) before running John.  Some wordlists may
be obtained here:

	http://www.openwall.com/wordlists/

Of those available in the collection at the URL above, all.lst
(downloadable as all.gz) and huge.lst (only available on the CD) are
good candidates for the "Wordlist = ..." setting.

3. If you've got some passwords cracked, they are stored in
$JOHN/john.pot.  The john.pot file is not meant to be human-friendly.
You should be using John itself to display the contents of its "pot
file" in a convenient format:

	john --show mypasswd

If the account list gets large and doesn't fit on the screen, you
should, of course, use your shell's output redirection.

You might notice that many accounts have a disabled shell.  You can make
John skip those in the report.  Assuming that the disabled shell is
called "/etc/expired", the command would be:

	john --show --shells=-/etc/expired mypasswd

or, shorter, but this will also match "/any/path/expired":

	john --show --shells=-expired mypasswd

or if you also want to ignore some other shell, say "/etc/newuser":

	john --show --shells=-expired,newuser mypasswd

To check if any root (UID 0) accounts got cracked:

	john --show --users=0 mypasswd

or to check for cracked root (UID 0) accounts in multiple files:

	john --show --users=0 *passwd* *.pwd

To display the root (username "root") account only:

	john --show --users=root mypasswd

And finally, to check for privileged groups:

	john --show --groups=0,1 mypasswd
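
As an added example (not part of John's documentation or its code), the following shell/awk script shows what the "unshadow" step above produces, and emulates the basename matching that makes "--shells=-expired" also match "/any/path/expired". The passwd and shadow lines are constructed and the hashes are fake.

```shell
#!/bin/sh
# Added example, not John's own code: merge passwd and shadow the way
# "unshadow" does, then apply a "--shells=-NAME,..." style filter.
# The account lines below are constructed; the hashes are not real.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/etc/expired
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$work/shadow" <<'EOF'
root:$1$FAKEsalt$FAKEhashFAKEhashFAKEha:15000:0:99999:7:::
alice:$1$FAKEsalt$anotherFAKEhashFAKEha:15000:0:99999:7:::
bob:$1$otherSlt$FAKEhashFAKEhashFAKEha:15000:0:99999:7:::
nobody:*:15000:0:99999:7:::
EOF

# unshadow_merge PASSWD SHADOW: replace the "x" placeholder in field 2 of
# each passwd entry with the hash recorded for that login name in shadow.
unshadow_merge() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             $1 in hash { $2 = hash[$1] } { print }' OFS=: "$2" "$1"
}

# drop_shells FILE LIST: emulate "--shells=-LIST".  An entry with no "/"
# is compared against the shell's basename, so "expired" also drops
# "/any/path/expired", the behaviour the docs point out above.
drop_shells() {
    awk -F: -v list="$2" '
        BEGIN { n = split(list, skip, ",") }
        { base = $7; sub(".*/", "", base); keep = 1
          for (i = 1; i <= n; i++)
              if (skip[i] == $7 || (index(skip[i], "/") == 0 && skip[i] == base))
                  keep = 0
          if (keep) print }' "$1"
}

unshadow_merge "$work/passwd" "$work/shadow" > "$work/mypasswd"
drop_shells "$work/mypasswd" expired,nologin      # leaves root and alice
```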

4. You might prefer to manage the cracking modes manually.  It is wise
to start with "single crack" mode:

	john --single mypasswd

or since the GNU-style double dashes are optional and since option
names can be abbreviated for as long as they remain unambiguous:

	john -si mypasswd

You should not abbreviate options in scripts which you would want to
work with future versions of John since what is unambiguous now might
become ambiguous with the addition of more options.

If you have more files to crack, it is preferable to load them at the
same time:

	john --single passwd1 passwd2

or even:

	john --single *passwd* *.pwd

This way, John will run faster and might even crack more passwords than
it would if you ran it on each password file separately.

5. To catch weak passwords not derived from readily available users'
personal information, you should proceed with cracking modes demanding
more processor time.  First, let's try a tiny wordlist with word
mangling rules enabled:

	john --wordlist=password.lst --rules mypasswd

or abbreviating the options:

	john -w=password.lst -ru mypasswd

Then proceed with a larger wordlist, also applying the mangling rules:

	john --wordlist=all.lst --rules mypasswd

If you've got a lot of spare disk space to trade for performance and the
hash type of your password files is relatively slow, you may use John's
"unique" utility to eliminate any duplicate candidate passwords:

	john --wordlist=all.lst --rules --stdout | unique mangled.lst
	john --wordlist=mangled.lst mypasswd

If you know that your target hash type truncates passwords at a given
length, you may optimize this even further:

	john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst
	john --wordlist=mangled8.lst mypasswd

Alternatively, you may simply use huge.lst available on Openwall
wordlist collection CDs.  It has word mangling rules pre-applied for the
most common languages and it has any duplicates purged.

Depending on target hash type, the number of different salts (if
applicable), the size of your wordlist, rules, and processor
performance, wordlist-based cracking may take anywhere from under a
second to many days.

You do not have to leave John running on a (pseudo-)terminal.  If
running John on a Unix-like system, you can simply disconnect from the
server, close your xterm, etc.  John will catch the SIGHUP ("hangup"
signal) and continue running.  Alternatively, you may prefer to start it
in the background right away:

	john --wordlist=all.lst --rules mypasswd &

Obviously, the "&" is specific to Unix shells and will not work on most
other platforms.

You may further enhance this by specifying a session name:

	john --session=allrules --wordlist=all.lst --rules mypasswd &

This ensures that you won't accidentally interfere with the instance of
John running in the background if you proceed to start other sessions.

To view the status of a running session, use:

	john --status

for the default session or:

	john --status=allrules

for any other session.  This works for both interrupted and running
sessions.  To obtain the most up-to-date information from a running
session on a Unix-like system, send a SIGHUP to the appropriate "john"
process.

Any interrupted sessions may be continued with:

	john --restore

or:

	john --restore=allrules

Finally, to make John have less impact on other processes, you should
set the option "Idle = Y" in the configuration file (see CONFIG).  The
default may vary depending on the version and build of JtR.

To only crack accounts with a "good" shell (in general, the shell, user,
and group filters described above work for all cracking modes as well):

	john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd

As with all other cracking modes, it is faster to crack all the files
you need cracked simultaneously:

	john --wordlist=all.lst --rules passwd1 passwd2

You can crack some passwords only.  This will try cracking all root
(UID 0) accounts in all the password files:

	john --wordlist=all.lst --rules --users=0 *passwd*

Alternatively, you may wish to not waste time cracking your very own
passwords, if you're sure they're uncrackable:

	john --wordlist=all.lst --rules --users=-root,solar *passwd*

Sometimes it is useful to split your password hashes into two sets which
you crack separately, like:

	john --wordlist=all.lst --rules --salts=2 *passwd*
	john --wordlist=all.lst --rules --salts=-2 *passwd*

This will make John try salts used on two or more password hashes first
and then try the rest.  Total cracking time will be almost the same, but
you will get some passwords cracked earlier, which is useful, for
example, for penetration testing and demonstrations to management.
Similarly, you may check all password hashes with a small wordlist, but
only those that you can check faster (with "--salts=2") with a larger
one.  With large numbers of password hashes and/or with a highly
non-uniform distribution of salts, it may be appropriate to use a
threshold larger than 2 with "--salts" (sometimes even values as high as
1000 will do).
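
To pick a sensible "--salts" threshold it helps to see how many hashes share each salt.  The following added example (not from John's documentation or its code) tallies that for a passwd-style file and lists which accounts a given "--salts=N" or "--salts=-N" would load; the sample hashes are constructed.

```shell
#!/bin/sh
# Added example, not John's own code: count how many hashes share each salt
# and show which accounts "--salts=N" selects (positive N: salts shared by
# at least N hashes; negative N: salts shared by fewer than |N| hashes).
# Sample hashes are constructed: 13-character traditional DES crypt
# (salt = first two characters) and "$id$salt$hash" style entries.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/mypasswd" <<'EOF'
root:ab3TRoUxFxWvK:0:0:root:/root:/bin/sh
alice:abJHNvqDn9cZk:1000:1000::/home/alice:/bin/bash
bob:abQpGlNdKhsc6:1001:1001::/home/bob:/bin/bash
carol:$1$s1alt$FAKEhashFAKEhashFAKEha:1002:1002::/home/carol:/bin/bash
dave:$1$s1alt$fakeHASHfakeHASHfakeHA:1003:1003::/home/dave:/bin/bash
erin:$1$zz9q$FAKEhashFAKEhashFAKEhas:1004:1004::/home/erin:/bin/bash
frank:xyL5zV0iKcm9A:1005:1005::/home/frank:/bin/sh
EOF

# salt_of_each FILE: print "salt<TAB>user" for every salted hash.
salt_of_each() {
    awk -F: 'substr($2, 1, 1) == "$" { n = split($2, p, "$")
                                      if (n >= 4) print p[3] "\t" $1; next }
             length($2) == 13          { print substr($2, 1, 2) "\t" $1 }' "$1"
}

# salt_histogram FILE: number of hashes per salt, most shared first.
salt_histogram() {
    salt_of_each "$1" | cut -f1 | sort | uniq -c | sort -rn
}

# select_by_salts FILE N: the accounts that "--salts=N" would load.
select_by_salts() {
    salt_of_each "$1" | awk -F'\t' -v n="$2" '
        { salt[NR] = $1; user[NR] = $2; cnt[$1]++ }
        END { for (i = 1; i <= NR; i++) {
                  c = cnt[salt[i]]
                  if ((n > 0 && c >= n) || (n < 0 && c < -n)) print user[i] } }'
}

salt_histogram "$work/mypasswd"
select_by_salts "$work/mypasswd" 2     # the fast first pass: root..dave
select_by_salts "$work/mypasswd" -2    # the remainder: erin, frank
```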

Note that the default wordlist rules include ":" (a no-op - try words as
they are in the list) on the first line.  If you already ran through a
wordlist without using rules, and then decided to also try the same
wordlist with rules, you'd better comment this line out.

6. The most powerful cracking mode in John is called "incremental" (not a
proper name, but kept for historical reasons).  You can simply run:

	john --incremental mypasswd

or:

	john -i mypasswd

This will use the default "incremental" mode parameters, which are
defined in the configuration file's section named either
[Incremental:ASCII] (for most hash types) or [Incremental:LM_ASCII] (for
Windows LM hashes).  By default, the [Incremental:ASCII] parameters are
set to use the full printable ASCII character set (95 characters) and
to try all possible password lengths from 0 to 13 (if the current hash
type has a lower maximum password length, incremental mode's length
limit is reduced accordingly).  [Incremental:LM_ASCII] is similar,
except that it takes advantage of LM hashes being case-insensitive and
of their halves being limited to 7 characters each.

Don't expect "incremental" mode sessions to terminate in a reasonable
time (unless all the passwords are weak and get cracked); read MODES for
an explanation of this.

In some cases it is faster to use some other pre-defined incremental mode
parameters and only crack simpler passwords, from a limited character
set.  The following command will try 10 different characters only,
passwords from "0" to "99999999999999999999" (in an optimal order):

	john -i=digits mypasswd

Of course, you can use most of the additional features demonstrated
above for wordlist mode with "incremental" mode as well.  For example,
on a large-scale penetration test, you may have John crack only root
(UID 0) accounts in a set of password files:

	john -i -u=0 *.pwd

7. If you've got a password file for which you already have a lot of
passwords cracked or obtained by other means, and the passwords are
unusual, then you may want to generate a new charset file, based on
character frequencies from that password file only:

	john --make-charset=custom.chr mypasswd

Then use that new file with "incremental" mode.

If you've got many password files from a particular country,
organization, etc., it might be useful to use all of them for the
charset file that you then use to crack even more passwords from these
files or from some other password files from the same place:

	john --make-charset=custom.chr passwd1 passwd2
	[ Configure your custom "incremental" mode now.  See below. ]
	john -i=custom passwd3

You can use some pre-defined or custom word filters when generating the
charset file to have John consider some simpler passwords only:

	john --make-charset=my_alpha.chr --external=filter_alpha mypasswd

If your "pot file" got large enough (or if you don't have any charset
files at all), you might want to use it to generate a new set of main
charset files:

	makechr

where "makechr" is a script that invokes "john --make-charset=..." with
varying filenames, for all of the external mode word filters defined in
the configuration file.  In this example, John will overwrite the
charset files with new ones that are based on your entire $JOHN/john.pot
(John uses the entire "pot file" if you don't specify any password
files).

8. Finally, you might want to e-mail all users with weak passwords to
tell them to change their passwords.  (This is not always a good idea,
though, since lots of people do not check their e-mail or ignore such
messages, and the messages can be a hint for crackers.)  Edit the
"mailer" script supplied with John: the message it sends and possibly
the mail command (especially if the password file is from a different
machine).  Then run:

	mailer mypasswd


	Configuration file.

Please refer to CONFIG for general information on the configuration file
and its possible locations.

1. Let's assume that you notice that in some password file a lot of
users have their passwords set to login names with "?!" appended.  Then
you just make a new "single crack" mode rule (see RULES for information
on the syntax) and place it somewhere near the beginning:

	[List.Rules:Single]
	Az"?!"

Hint: if you want to temporarily disable all of the default rules, you
can simply rename the section to something John doesn't use and define
a new one with the section's old name, but be sure to leave the "List."
prefix of the name intact to maintain correct configuration file syntax.

All the same applies to wordlist mode rules as well.

2. If you generate a custom charset file (described above) you will also
need to define a configuration file section with the "incremental" mode
parameters.  In the simplest case it will be like this (where "Custom"
can be replaced with any name you like):

	[Incremental:Custom]
	File = custom.chr

This way, John will only use characters from the passwords that were
used to generate the charset file.  To make John try some more
characters, add:

	Extra = !@#$%

These extra characters will then be added, but still considered the
least probable.  If you want to make sure that, with your extra
characters, John will try 95 different characters, you can add:

	CharCount = 95

This will make John print a warning if it has fewer than 95 characters
in its charset.

You can also use CharCount to limit the number of different characters
that John tries, even if the charset file has more:

	CharCount = 20

If you didn't use any filters when generating the charset file, setting
CharCount this low will make John never attempt rare characters and
character combinations, not even for really short passwords, spending
the time on simple longer candidate passwords instead.  However, the
default length switching is usually smart enough so that you shouldn't
need this trick.

To make John try passwords of certain lengths only, use the following
lines:

	MinLen = 6
	MaxLen = 8

Setting "MinLen" high, as in the example above, is reasonable if shorter
passwords weren't allowed to be set on the machine you got the password
file from (however, note that root can usually set any password for any
user and there are often loopholes in operating systems' password policy
enforcement capabilities).

Conversely, you may want to set "MaxLen" low if you think there are
a lot of short passwords.
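
Before writing an [Incremental:Custom] section it is worth checking what the pot file actually contains.  The following added example (not from John's documentation or its code) reports the figures the settings above depend on: the number of distinct characters (what "CharCount = 95" would warn about), the shortest and longest cracked password (a basis for MinLen/MaxLen), and which printable ASCII characters never occur (candidates for "Extra = ...").  The pot lines are constructed and the hashes are fake.

```shell
#!/bin/sh
# Added example, not John's own code: summarise a "hash:password" pot file
# to choose CharCount, Extra, MinLen and MaxLen for a custom incremental
# mode.  The pot lines below are constructed; the hashes are fake.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/john.pot" <<'EOF'
$1$FAKEsalt$FAKEhashFAKEhashFAKEha:fred?!
$1$otherSlt$FAKEhashFAKEhashFAKEha:Password1
ab3TRoUxFxWvK:abc
EOF

# pot_stats POTFILE: the password is everything after the first ":" of a
# line (the password itself may contain ":", so never split on every colon).
pot_stats() {
    awk '{ pw = substr($0, index($0, ":") + 1)
           n = length(pw); len[n]++
           for (i = 1; i <= n; i++) seen[substr(pw, i, 1)] = 1 }
         END { c = 0; for (ch in seen) c++
               min = -1; max = 0
               for (l in len) { if (min < 0 || l + 0 < min) min = l + 0
                                if (l + 0 > max) max = l + 0 }
               print "distinct_chars=" c, "minlen=" min, "maxlen=" max }' "$1"
}

# unseen_chars POTFILE: printable ASCII (codes 32..126) that appears in
# none of the cracked passwords, one character per line.
unseen_chars() {
    awk '{ pw = substr($0, index($0, ":") + 1)
           for (i = 1; i <= length(pw); i++) seen[substr(pw, i, 1)] = 1 }
         END { for (k = 32; k <= 126; k++) { ch = sprintf("%c", k)
                                             if (!(ch in seen)) print ch } }' "$1"
}

pot_stats "$work/john.pot"            # distinct_chars=14 minlen=3 maxlen=9
unseen_chars "$work/john.pot" | tr -d '\n'; echo
```

With 14 distinct characters seen, "CharCount = 95" would trigger the warning described above unless "Extra" supplies the missing 81.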

3. Another example: a lot of users at some site use short duplicated
words as their passwords, such as "fredfred".  As the number of such
potential passwords is fairly low, it makes sense to code a new external
cracking mode that tries them all, up to some length.

You can find the actual implementation of such a cracking mode with lots
of comments in the default configuration file supplied with John.
Please refer to EXTERNAL for information on the programming language
used.
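
As an added illustration of the same idea in shell rather than John's external mode language (this is not the external mode shipped in John's default configuration), the script below enumerates every doubled word over a chosen alphabet up to a chosen half-length and feeds the candidates to John's "--stdin" wordlist input.  It also computes how many candidates that is, which is what makes the approach affordable.

```shell
#!/bin/sh
# Added example, not John's own code: generate "fredfred"-style doubled
# words over ALPHABET with halves of length 1..MAXHALF.  The candidates
# can be piped into "john --stdin" instead of coding an external mode.
set -eu

# doubled_words ALPHABET MAXHALF: one candidate per line, shortest first.
doubled_words() {
    awk -v alphabet="$1" -v maxhalf="$2" '
        function gen(prefix, left,    i) {
            if (left == 0) { print prefix prefix; return }
            for (i = 1; i <= n; i++)
                gen(prefix substr(alphabet, i, 1), left - 1)
        }
        BEGIN { n = length(alphabet)
                for (l = 1; l <= maxhalf; l++) gen("", l) }'
}

# candidate_count ALPHABET_SIZE MAXHALF: sum over l=1..MAXHALF of size^l,
# e.g. 26 letters with halves of up to 4 characters gives 475254 words.
candidate_count() {
    awk -v a="$1" -v m="$2" 'BEGIN { for (l = 1; l <= m; l++) s += a ^ l; print s }'
}

# Typical use (john is not invoked in this example):
#   doubled_words abcdefghijklmnopqrstuvwxyz 4 | john --stdin mypasswd
candidate_count 26 4
doubled_words abc 2 | head -n 5      # aa bb cc aaaa abab
```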

$Owl: Owl/packages/john/john/doc/EXAMPLES,v 1.10 2013/05/29 18:14:35 solar Exp $