113 lines
5.0 KiB
Plaintext
Executable File
113 lines
5.0 KiB
Plaintext
Executable File
John the Ripper's cracking modes.
|
|
|
|
Mode descriptions here are short and only cover the basic things.
|
|
Check other documentation files for information on customizing the
|
|
modes.
|
|
|
|
|
|
Wordlist mode.
|
|
|
|
This is the simplest cracking mode supported by John. All you need to
|
|
do is specify a wordlist (a text file containing one word per line)
|
|
and some password files. You can enable word mangling rules (which
|
|
are used to modify or "mangle" words producing other likely
|
|
passwords). If enabled, all of the rules will be applied to every
|
|
line in the wordlist file producing multiple candidate passwords from
|
|
each source word.
|
|
|
|
The wordlist should not contain duplicate lines. John does not sort
|
|
entries in the wordlist since that would consume a lot of resources
|
|
and would prevent you from making John try the candidate passwords in
|
|
the order that you define (with more likely candidate passwords listed
|
|
first). However, if you don't list your candidate passwords in a
|
|
reasonable order, it'd be better if you sort the wordlist
|
|
alphabetically: with some hash types, John runs a bit faster if each
|
|
candidate password it tries only differs from the previous one by a
|
|
few characters. Most wordlists that you may find on the Net are
|
|
already sorted anyway.
|
|
|
|
On the other hand, if your wordlist is sorted alphabetically, you do
|
|
not need to bother about some wordlist entries being longer than the
|
|
maximum supported password length for the hash type you're cracking.
|
|
To give an example, for traditional DES-based crypt(3) hashes only
|
|
the first 8 characters of passwords are significant. This means that
|
|
if there are two or more candidate passwords in the wordlist whose
|
|
first 8 characters are exactly the same, they're effectively the same
|
|
8 character long candidate password which only needs to be tried once.
|
|
As long as the wordlist is sorted alphabetically, John is smart enough
|
|
to handle this special case right.
|
|
|
|
In fact, it is recommended that you do not truncate candidate
|
|
passwords in your wordlist file since the rest of the characters
|
|
(beyond the length limit of your target hash type) are likely still
|
|
needed and make a difference if you enable word mangling rules.
|
|
|
|
The recommended way to sort a wordlist for use with default wordlist
|
|
rule set is:
|
|
|
|
tr A-Z a-z < SOURCE | sort -u > TARGET
|
|
|
|
See RULES for information on writing your own wordlist rules.
|
|
|
|
|
|
"Single crack" mode.
|
|
|
|
This is the mode you should start cracking with. It will use the
|
|
login names, "GECOS" / "Full Name" fields, and users' home directory
|
|
names as candidate passwords, also with a large set of mangling rules
|
|
applied. Since the information is only used against passwords for the
|
|
accounts it was taken from (and against password hashes which happened
|
|
to be assigned the same salt), "single crack" mode is much faster than
|
|
wordlist mode. This permits for the use of a much larger set of word
|
|
mangling rules with "single crack", and their use is always enabled
|
|
with this mode. Successfully guessed passwords are also tried against
|
|
all loaded password hashes just in case more users have the same
|
|
password.
|
|
|
|
Note that running this mode on many password files simultaneously may
|
|
sometimes get more passwords cracked than it would if you ran it on
|
|
the individual password files separately.
|
|
|
|
|
|
"Incremental" mode.
|
|
|
|
This is the most powerful cracking mode, it can try all possible
|
|
character combinations as passwords. However, it is assumed that
|
|
cracking with this mode will never terminate because of the number of
|
|
combinations being too large (actually, it will terminate if you set a
|
|
low password length limit or make it use a small charset), and you'll
|
|
have to interrupt it earlier.
|
|
|
|
That's one reason why this mode deals with trigraph frequencies,
|
|
separately for each character position and for each password length,
|
|
to crack as many passwords as possible within a limited time.
|
|
|
|
To use the mode you need a specific definition for the mode's
|
|
parameters, including password length limits and the charset to use.
|
|
These parameters are defined in the configuration file sections called
|
|
[Incremental:MODE], where MODE is any name that you assign to the mode
|
|
(it's the name that you will need to specify on John's command line).
|
|
You can either use a pre-defined incremental mode definition (one of
|
|
"All", "Alnum", "Alpha", "Digits", or "LanMan" for LM hashes) or define
|
|
a custom one.
|
|
|
|
See CONFIG and EXAMPLES for information on defining custom modes.
|
|
|
|
|
|
External mode.
|
|
|
|
You can define an external cracking mode for use with John. This is
|
|
done with the configuration file sections called [List.External:MODE],
|
|
where MODE is any name that you assign to the mode. The section
|
|
should contain program code of some functions that John will use to
|
|
generate the candidate passwords it tries. The functions are coded in
|
|
a subset of C and are compiled by John at startup when you request the
|
|
particular external mode on John's command line. See EXTERNAL.
|
|
|
|
|
|
What modes should I use?
|
|
|
|
See EXAMPLES for a reasonable order of cracking modes to use.
|
|
|
|
$Owl: Owl/packages/john/john/doc/MODES,v 1.5 2006/01/02 06:48:40 solar Exp $
|