metasploit-framework/data/john/doc/MODES

113 lines
5.0 KiB
Plaintext

John the Ripper's cracking modes.
Mode descriptions here are short and only cover the basic things.
Check other documentation files for information on customizing the
modes.
Wordlist mode.
This is the simplest cracking mode supported by John. All you need to
do is specify a wordlist (a text file containing one word per line)
and some password files. You can enable word mangling rules (which
are used to modify or "mangle" words producing other likely
passwords). If enabled, all of the rules will be applied to every
line in the wordlist file producing multiple candidate passwords from
each source word.
The wordlist should not contain duplicate lines. John does not sort
entries in the wordlist since that would consume a lot of resources
and would prevent you from making John try the candidate passwords in
the order that you define (with more likely candidate passwords listed
first). However, if you don't list your candidate passwords in a
reasonable order, it'd be better if you sort the wordlist
alphabetically: with some hash types, John runs a bit faster if each
candidate password it tries only differs from the previous one by a
few characters. Most wordlists that you may find on the Net are
already sorted anyway.
On the other hand, if your wordlist is sorted alphabetically, you do
not need to bother about some wordlist entries being longer than the
maximum supported password length for the hash type you're cracking.
To give an example, for traditional DES-based crypt(3) hashes only
the first 8 characters of passwords are significant. This means that
if there are two or more candidate passwords in the wordlist whose
first 8 characters are exactly the same, they're effectively the same
8 character long candidate password which only needs to be tried once.
As long as the wordlist is sorted alphabetically, John is smart enough
to handle this special case right.
In fact, it is recommended that you do not truncate candidate
passwords in your wordlist file since the rest of the characters
(beyond the length limit of your target hash type) are likely still
needed and make a difference if you enable word mangling rules.
The recommended way to sort a wordlist for use with default wordlist
rule set is:
tr A-Z a-z < SOURCE | sort -u > TARGET
See RULES for information on writing your own wordlist rules.
"Single crack" mode.
This is the mode you should start cracking with. It will use the
login names, "GECOS" / "Full Name" fields, and users' home directory
names as candidate passwords, also with a large set of mangling rules
applied. Since the information is only used against passwords for the
accounts it was taken from (and against password hashes which happened
to be assigned the same salt), "single crack" mode is much faster than
wordlist mode. This permits for the use of a much larger set of word
mangling rules with "single crack", and their use is always enabled
with this mode. Successfully guessed passwords are also tried against
all loaded password hashes just in case more users have the same
password.
Note that running this mode on many password files simultaneously may
sometimes get more passwords cracked than it would if you ran it on
the individual password files separately.
"Incremental" mode.
This is the most powerful cracking mode, it can try all possible
character combinations as passwords. However, it is assumed that
cracking with this mode will never terminate because of the number of
combinations being too large (actually, it will terminate if you set a
low password length limit or make it use a small charset), and you'll
have to interrupt it earlier.
That's one reason why this mode deals with trigraph frequencies,
separately for each character position and for each password length,
to crack as many passwords as possible within a limited time.
To use the mode you need a specific definition for the mode's
parameters, including password length limits and the charset to use.
These parameters are defined in the configuration file sections called
[Incremental:MODE], where MODE is any name that you assign to the mode
(it's the name that you will need to specify on John's command line).
You can either use a pre-defined incremental mode definition (one of
"All", "Alnum", "Alpha", "Digits", or "LanMan" for LM hashes) or define
a custom one.
See CONFIG and EXAMPLES for information on defining custom modes.
External mode.
You can define an external cracking mode for use with John. This is
done with the configuration file sections called [List.External:MODE],
where MODE is any name that you assign to the mode. The section
should contain program code of some functions that John will use to
generate the candidate passwords it tries. The functions are coded in
a subset of C and are compiled by John at startup when you request the
particular external mode on John's command line. See EXTERNAL.
What modes should I use?
See EXAMPLES for a reasonable order of cracking modes to use.
$Owl: Owl/packages/john/john/doc/MODES,v 1.5 2006/01/02 06:48:40 solar Exp $