Member "john-1.9.0/doc/EXAMPLES" (29 May 2013, 15084 Bytes) of package /linux/privat/john-1.9.0.tar.xz:

	John the Ripper usage examples.

These examples are to give you some tips on what John's features can be
used for.


	Command line.

1. First, you need to get a copy of your password file.  If your system
uses shadow passwords, you may use John's "unshadow" utility to obtain
the traditional Unix password file, as root:

	umask 077
	unshadow /etc/passwd /etc/shadow > mypasswd

(You may need to replace the filenames as needed.)

Then make "mypasswd" available to your non-root user account that you
will run John under.  No further commands will need to be run as root.

If your system is ancient enough that it keeps passwords right in the
world-readable /etc/passwd, simply make a copy of that file.

If you're going to be cracking Kerberos AFS passwords, use John's
"unafs" utility to obtain a passwd-like file.

Similarly, if you're going to be cracking Windows passwords, use any of
the many utilities that dump Windows password hashes (LM and/or NTLM) in
Jeremy Allison's PWDUMP output format.  Some of these utilities may be
obtained here:

	http://www.openwall.com/passwords/pwdump
2. Now, let's assume you've got a password file, "mypasswd", and want to
crack it.  The simplest way is to let John use its default order of
cracking modes:

	john mypasswd

This will try "single crack" mode first, then use a wordlist with rules,
and finally go for "incremental" mode.  Please refer to MODES for more
information on these modes.

It is highly recommended that you obtain a larger wordlist than John's
default password.lst and edit the "Wordlist = ..." line in the
configuration file (see CONFIG) before running John.  Some wordlists may
be obtained here:

	http://www.openwall.com/wordlists/

Of those available in the collection at the URL above, all.lst
(downloadable as all.gz) and huge.lst (only available on the CD) are
good candidates for the "Wordlist = ..." setting.
3. If you've got some passwords cracked, they are stored in
$JOHN/john.pot.  The john.pot file is not meant to be human-friendly.
You should be using John itself to display the contents of its "pot
file" in a convenient format:

	john --show mypasswd

If the account list gets large and doesn't fit on the screen, you
should, of course, use your shell's output redirection.

You might notice that many accounts have a disabled shell.  You can make
John skip those in the report.  Assuming that the disabled shell is
called "/etc/expired", the command would be:

	john --show --shells=-/etc/expired mypasswd

or shorter, but will also match "/any/path/expired":

	john --show --shells=-expired mypasswd

or if you also want to ignore some other shell, say "/etc/newuser":

	john --show --shells=-expired,newuser mypasswd

To check if any root (UID 0) accounts got cracked:

	john --show --users=0 mypasswd

or to check for cracked root (UID 0) accounts in multiple files:

	john --show --users=0 *passwd* *.pwd

To display the root (username "root") account only:

	john --show --users=root mypasswd

And finally, to check for privileged groups:

	john --show --groups=0,1 mypasswd
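When the "--show" listing is turned into an audit report for other people, the usual requirement is to name the affected accounts without repeating the recovered passwords.  The following script is an added example, not part of John's documentation or tools: it parses "john --show" output (one passwd-style line per cracked account, "user:password:UID:GID:GECOS:home:shell", followed by a "... cracked, ... left" summary line) and reproduces the shell and UID filtering shown above on that output.  The sample output it reads is constructed for the example; the plaintext fields are dummy values.

```shell
#!/bin/sh
# Added example: summarise "john --show" output without the plaintexts.
# SAMPLE_SHOW_OUTPUT is constructed for this example (dummy passwords).

SAMPLE_SHOW_OUTPUT='root:example1:0:0:root:/root:/bin/bash
daemon:example2:1:1:daemon:/usr/sbin:/etc/expired
alice:example3:1001:1001:Alice:/home/alice:/bin/bash
bob:exam:ple4:1002:1002:Bob:/home/bob:/usr/bin/zsh
carol:example5:1003:1003:Carol:/home/carol:/etc/expired

5 password hashes cracked, 6 left'

# cracked_accounts [SKIPSHELLS] [UID]
#   Reads --show output on stdin and prints "user uid shell" per cracked
#   account, dropping the password field.  SKIPSHELLS is a comma-separated
#   list of shell basenames to ignore (like --shells=-expired,newuser);
#   UID, when given, keeps only that numeric UID (like --users=0).
cracked_accounts() {
    awk -F: -v skip="${1:-}" -v want_uid="${2:-}" '
        BEGIN {
            n = split(skip, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] != "") skipset[parts[i]] = 1
        }
        NF < 7 { next }      # blank line or the "... cracked, ... left" summary
        {
            # Take fields from the right so a plaintext containing ":" (as in
            # the "bob" sample line) does not shift the UID and shell columns.
            user = $1; uid = $(NF - 4); shell = $NF
            base = shell; sub(/.*\//, "", base)   # basename: "expired" matches "/etc/expired"
            if (base in skipset) next
            if (want_uid != "" && uid != want_uid) next
            print user, uid, shell
        }'
}

# cracked_count [SKIPSHELLS] [UID]: number of accounts left after filtering.
cracked_count() {
    cracked_accounts "$@" | wc -l | tr -d ' '
}

# Stand-alone demonstration: everything, then without expired shells,
# then UID 0 only.
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | cracked_accounts
echo "--- without expired shells"
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | cracked_accounts expired
echo "--- UID 0 only"
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | cracked_accounts "" 0
```

In practice the input comes from "john --show mypasswd | cracked_accounts expired"; the script deliberately never prints the second field, so the report can be shared with account owners or management without disclosing passwords.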
4. You might prefer to manage the cracking modes manually.  It is wise
to start with "single crack" mode:

	john --single mypasswd

or since the GNU-style double dashes are optional and since option
names can be abbreviated for as long as they remain unambiguous:

	john -si mypasswd

You should not abbreviate options in scripts which you would want to
work with future versions of John since what is unambiguous now might
become ambiguous with the addition of more options.

If you have more files to crack, it is preferable to load them at the
same time:

	john --single passwd1 passwd2

or even:

	john --single *passwd* *.pwd

This way, John will run faster and might even crack more passwords than
it would if you ran it on each password file separately.
5. To catch weak passwords not derived from readily available users'
personal information, you should proceed with cracking modes demanding
more processor time.  First, let's try a tiny wordlist with word
mangling rules enabled:

	john --wordlist=password.lst --rules mypasswd

or abbreviating the options:

	john -w=password.lst -ru mypasswd

Then proceed with a larger wordlist, also applying the mangling rules:

	john --wordlist=all.lst --rules mypasswd

If you've got a lot of spare disk space to trade for performance and the
hash type of your password files is relatively slow, you may use John's
"unique" utility to eliminate any duplicate candidate passwords:

	john --wordlist=all.lst --rules --stdout | unique mangled.lst
	john --wordlist=mangled.lst mypasswd

If you know that your target hash type truncates passwords at a given
length, you may optimize this even further:

	john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst
	john --wordlist=mangled8.lst mypasswd

Alternatively, you may simply use huge.lst available on Openwall
wordlist collection CDs.  It has word mangling rules pre-applied for the
most common languages and it has any duplicates purged.
Depending on target hash type, the number of different salts (if
applicable), the size of your wordlist, rules, and processor
performance, wordlist-based cracking may take anywhere from under a
second to many days.

You do not have to leave John running on a (pseudo-)terminal.  If
running John on a Unix-like system, you can simply disconnect from the
server, close your xterm, etc.  John will catch the SIGHUP ("hangup"
signal) and continue running.  Alternatively, you may prefer to start it
in the background right away:

	john --wordlist=all.lst --rules mypasswd &

Obviously, the "&" is specific to Unix shells and will not work on most
other platforms.

You may further enhance this by specifying a session name:

	john --session=allrules --wordlist=all.lst --rules mypasswd &

This ensures that you won't accidentally interfere with the instance of
John running in the background if you proceed to start other sessions.

To view the status of a running session, use:

	john --status

for the default session or:

	john --status=allrules

for any other session.  This works for both interrupted and running
sessions.  To obtain the most up-to-date information from a running
session on a Unix-like system, send a SIGHUP to the appropriate "john"
process.

Any interrupted sessions may be continued with:

	john --restore

or:

	john --restore=allrules

Finally, to make John have less impact on other processes, you should
set the option "Idle = Y" in the configuration file (see CONFIG).  The
default may vary depending on the version and build of JtR.
To only crack accounts with a "good" shell (in general, the shell, user,
and group filters described above work for all cracking modes as well):

	john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd

Like with all other cracking modes, it is faster to crack all the files
you need cracked simultaneously:

	john --wordlist=all.lst --rules passwd1 passwd2

You can crack some passwords only.  This will try cracking all root
(UID 0) accounts in all the password files:

	john --wordlist=all.lst --rules --users=0 *passwd*

Alternatively, you may wish to not waste time cracking your very own
passwords, if you're sure they're uncrackable:

	john --wordlist=all.lst --rules --users=-root,solar *passwd*

Sometimes it is useful to split your password hashes into two sets which
you crack separately, like:

	john --wordlist=all.lst --rules --salts=2 *passwd*
	john --wordlist=all.lst --rules --salts=-2 *passwd*

This will make John try salts used on two or more password hashes first
and then try the rest.  Total cracking time will be almost the same, but
you will get some passwords cracked earlier, which is useful, for
example, for penetration testing and demonstrations to management.
Similarly, you may check all password hashes with a small wordlist, but
only those that you can check faster (with "--salts=2") with a larger
one.  With large numbers of password hashes and/or with a highly
non-uniform distribution of salts, it may be appropriate to use a
threshold larger than 2 with "--salts" (sometimes even values as high as
1000 will do).
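Picking a sensible "--salts" threshold is easier when you know how the salts in your files are actually distributed.  The script below is an added example (not part of John's documentation or tools) that tallies the salts in passwd-style input and reports how many hashes a given "--salts=N" would select.  It assumes three hash layouts: traditional DES crypt (2-character salt), bcrypt ("$2b$cost$" followed by a 22-character salt) and the MD5/SHA-crypt form "$id$[rounds=N$]salt$hash"; any other format would need its own salt rule.  The password file it reads is constructed for the example.

```shell
#!/bin/sh
# Added example: salt distribution of a password file, as input for choosing
# a "--salts" threshold.  SAMPLE_PASSWD is constructed; hashes are dummies.

SAMPLE_PASSWD='root:$1$aaaa$hhhhhhhhhhhhhhhhhhhhhh:0:0:root:/root:/bin/sh
alice:$1$aaaa$iiiiiiiiiiiiiiiiiiiiii:1001:1001::/home/alice:/bin/sh
bob:$1$bbbb$jjjjjjjjjjjjjjjjjjjjjj:1002:1002::/home/bob:/bin/sh
carol:xyHASHHASHHASH:1003:1003::/home/carol:/bin/sh
dave:xyHSAHHSAHHSAH:1004:1004::/home/dave:/bin/sh
erin:$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1005:1005::/home/erin:/bin/sh
frank:$5$rounds=5000$saltsalt$HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:1006:1006::/home/frank:/bin/sh
nologin:*:1007:1007::/nonexistent:/etc/expired'

# salt_histogram: read "user:hash:..." lines on stdin, print "count salt"
# for each distinct salt, most shared first.  Locked entries ("*", "!...")
# and empty hash fields are ignored, as John would not load them.
salt_histogram() {
    awk -F: '
        function salt_of(h,    n, p) {
            if (h ~ /^\$2[abxy]?\$/)            # bcrypt: "$2b$10$" + 22-char salt = 29 chars
                return substr(h, 1, 29)
            if (h ~ /^\$/) {                    # "$id$[rounds=N$]salt$hash": drop the hash part
                n = split(h, p, "\\$")
                return substr(h, 1, length(h) - length(p[n]))
            }
            return substr(h, 1, 2)              # traditional DES crypt: 2-character salt
        }
        NF >= 2 && $2 != "" && $2 !~ /^[*!]/ { count[salt_of($2)]++ }
        END { for (s in count) print count[s], s }' | sort -rn
}

# hashes_selected_by_salts N: how many hashes "--salts=N" would load, i.e.
# those whose salt is shared by N or more hashes; "--salts=-N" gets the rest.
hashes_selected_by_salts() {
    salt_histogram | awk -v n="$1" '$1 >= n { total += $1 } END { print total + 0 }'
}

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_PASSWD" | salt_histogram
echo "--salts=2 would load $(printf '%s\n' "$SAMPLE_PASSWD" | hashes_selected_by_salts 2) hashes"
```

Run it as "salt_histogram < mypasswd" to see whether a handful of salts dominate (a low threshold already covers most hashes) or whether the distribution is flat, in which case splitting by salt buys little.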
Note that the default wordlist rules include ":" (a no-op - try words as
they are in the list) on the first line.  If you already ran through a
wordlist without using rules, and then decided to also try the same
wordlist with rules, you'd better comment this line out.
6. The most powerful cracking mode in John is called "incremental" (not a
proper name, but kept for historical reasons).  You can simply run:

	john --incremental mypasswd

or:

	john -i mypasswd

This will use the default "incremental" mode parameters, which are
defined in the configuration file's section named either
[Incremental:ASCII] (for most hash types) or [Incremental:LM_ASCII] (for
Windows LM hashes).  By default, the [Incremental:ASCII] parameters are
set to use the full printable ASCII character set (95 characters) and
to try all possible password lengths from 0 to 13 (if the current hash
type has a lower maximum password length, incremental mode's length
limit is reduced accordingly).  [Incremental:LM_ASCII] is similar,
except that it takes advantage of LM hashes being case-insensitive and
of their halves being limited to 7 characters each.

Don't expect "incremental" mode sessions to terminate in a reasonable
time (unless all the passwords are weak and get cracked); read MODES for
an explanation of this.

In some cases it is faster to use some other pre-defined incremental mode
parameters and only crack simpler passwords, from a limited character
set.  The following command will try 10 different characters only,
passwords from "0" to "99999999999999999999" (in an optimal order):

	john -i=digits mypasswd

Of course, you can use most of the additional features demonstrated
above for wordlist mode with "incremental" mode as well.  For example,
on a large-scale penetration test, you may have John crack only root
(UID 0) accounts in a set of password files:

	john -i -u=0 *.pwd
7. If you've got a password file for which you already have a lot of
passwords cracked or obtained by other means, and the passwords are
unusual, then you may want to generate a new charset file, based on
character frequencies from that password file only:

	john --make-charset=custom.chr mypasswd

Then use that new file with "incremental" mode.

If you've got many password files from a particular country,
organization, etc., it might be useful to use all of them for the
charset file that you then use to crack even more passwords from these
files or from some other password files from the same place:

	john --make-charset=custom.chr passwd1 passwd2
	[ Configure your custom "incremental" mode now.  See below. ]
	john -i=custom passwd3

You can use some pre-defined or custom word filters when generating the
charset file to have John consider some simpler passwords only:

	john --make-charset=my_alpha.chr --external=filter_alpha mypasswd

If your "pot file" got large enough (or if you don't have any charset
files at all), you might want to use it to generate a new set of main
charset files:

	makechr

where "makechr" is a script that invokes "john --make-charset=..." with
varying filenames, for all of the external mode word filters defined in
the configuration file.  In this example, John will overwrite the
charset files with new ones that are based on your entire $JOHN/john.pot
(John uses the entire "pot file" if you don't specify any password
files).
8. Finally, you might want to e-mail all users with weak passwords to
tell them to change their passwords.  (This is not always a good idea,
though, since lots of people do not check their e-mail or ignore such
messages, and the messages can be a hint for crackers.)  Edit the
"mailer" script supplied with John: the message it sends and possibly
the mail command (especially if the password file is from a different
machine).  Then run:

	mailer mypasswd


	Configuration file.
Please refer to CONFIG for general information on the configuration file
and its possible locations.

1. Let's assume that you notice that in some password file a lot of
users have their passwords set to login names with "?!" appended.  Then
you just make a new "single crack" mode rule (see RULES for information
on the syntax) and place it somewhere near the beginning:

	[List.Rules:Single]
	Az"?!"

Hint: if you want to temporarily disable all of the default rules, you
can simply rename the section to something John doesn't use and define
a new one with the section's old name, but be sure to leave the "List."
prefix of the name intact to maintain correct configuration file syntax.

All the same applies to wordlist mode rules as well.

2. If you generate a custom charset file (described above) you will also
need to define a configuration file section with the "incremental" mode
parameters.  In the simplest case it will be like this (where "Custom"
can be replaced with any name you like):

	[Incremental:Custom]
	File = custom.chr

This way, John will only use characters from the passwords that were
used to generate the charset file.  To make John try some more
characters, add:

	Extra = !@#$%

These extra characters will then be added, but still considered the
least probable.  If you want to make sure that, with your extra
characters, John will try 95 different characters, you can add:

	CharCount = 95

This will make John print a warning if it has fewer than 95 characters
in its charset.
You can also use CharCount to limit the number of different characters
that John tries, even if the charset file has more:

	CharCount = 20

If you didn't use any filters when generating the charset file, setting
CharCount this low will make John never attempt rare characters and
character combinations, not even for really short passwords, spending
the time on simple longer candidate passwords instead.  However, the
default length switching is usually smart enough so that you shouldn't
need this trick.

To make John try passwords of certain lengths only, use the following
lines:

	MinLen = 6
	MaxLen = 8

Setting "MinLen" high, as in the example above, is reasonable if shorter
passwords weren't allowed to be set on the machine you got the password
file from (however, note that root can usually set any password for any
user and there are often loopholes in operating systems' password policy
enforcement capabilities).

On the contrary, you may want to set "MaxLen" low if you think there are
a lot of short passwords.

3. Another example: a lot of users at some site use short duplicated
words as their passwords, such as "fredfred".  As the number of such
potential passwords is fairly low, it makes sense to code a new external
cracking mode that tries them all, up to some length.

You can find the actual implementation of such a cracking mode with lots
of comments in the default configuration file supplied with John.
Please refer to EXTERNAL for information on the programming language
used.

$Owl: Owl/packages/john/john/doc/EXAMPLES,v 1.10 2013/05/29 18:14:35 solar Exp $