Introduction
In this lab, you will explore the powerful rule-based cracking capabilities of John the Ripper (JtR). While simple dictionary attacks are effective, real-world passwords often involve variations like capitalization, appended numbers, or special characters. JtR's rule engine allows you to define complex transformations to apply to words in a wordlist, significantly increasing the chances of cracking passwords that are not directly present in the dictionary. You will learn the basic syntax of JtR rules, create your own custom rules, and apply them to a wordlist to see their effect.
Understand John the Ripper Rule Syntax
In this step, you will learn the basic syntax of John the Ripper (JtR) rules. JtR rules are defined in a configuration file, typically john.conf, or can be passed directly via the command line for simple cases. Each rule is a sequence of single-character commands that modify a word.
Common rule commands include:
c: Capitalize the first letter.C: Capitalize all letters.l: Lowercase the first letter.L: Lowercase all letters.t: Toggle case of the first letter.T: Toggle case of all letters.p<N>: Prepend character<N>.a<N>: Append character<N>.s<old><new>: Substitute first occurrence of<old>with<new>.S<old><new>: Substitute all occurrences of<old>with<new>.x<N>: Extract substring of lengthNfrom the beginning.z<N>: Extract substring of lengthNfrom the end.D: Delete the first character.M: Delete the last character.r: Reverse the word.
Let's start by viewing the default john.conf file to see some examples of built-in rules.
Open the john.conf file using nano:
nano /etc/john/john.conf
Scroll through the file to find the [List.Rules:Wordlist] section. You will see various rule sets defined there. For example, you might see rules like c (capitalize first letter) or a[0-9] (append a digit).
Press Ctrl+X to exit nano.
Now, let's try a simple rule directly from the command line using JtR's --stdout option, which applies rules to a wordlist and prints the results to standard output without attempting to crack hashes. This is useful for testing rules.
Execute the following command to apply the c (capitalize first letter) rule to your wordlist.txt:
john --wordlist=~/project/wordlist.txt --rules=single --stdout
You should see the words from your wordlist.txt with their first letter capitalized. For example, "password" becomes "Password".
Password
Secret
Labex
Test
This demonstrates how a simple rule can transform words. In the next steps, you will create and combine more complex rules.
Create a Simple Rule for Capitalization
In this step, you will create a custom rule file to apply capitalization rules. While the single rule set in JtR includes basic capitalization, creating your own rule file gives you more control and allows for more specific transformations.
First, create a new file named my_rules.rule in your ~/project directory. This file will contain your custom rules.
nano ~/project/my_rules.rule
Add the following lines to the my_rules.rule file. These rules will:
c: Capitalize the first letter.C: Capitalize all letters.t: Toggle the case of the first letter (e.g., "password" -> "Password", "Password" -> "password").
c
C
t
Save the file by pressing Ctrl+O, then Enter, and exit nano by pressing Ctrl+X.
Now, apply these custom rules to your wordlist.txt using the --rules option, specifying your new rule file.
john --wordlist=~/project/wordlist.txt --rules=file:~/project/my_rules.rule --stdout
Observe the output. You should see each word from your wordlist.txt transformed by each of the rules you defined. For example, "password" will appear as "Password", "PASSWORD", and "Password" (due to t rule applied to original "password").
Password
SECRET
LABEX
TEST
password
PASSWORD
secret
SECRET
labex
LABEX
test
TEST
Password
Secret
Labex
Test
This demonstrates how to define and use a custom rule file. Each rule in the file is applied sequentially to every word in the wordlist.
Apply Rules for Number Appending
In this step, you will learn how to append numbers to words using JtR rules. Appending numbers is a very common password variation, and JtR provides powerful commands to generate these variations efficiently.
The a<N> command appends a character <N>. To append digits, you can use character ranges like a[0-9] to append a single digit from 0 to 9. You can also combine this with other rules.
Let's add rules to my_rules.rule to append numbers. Open your rule file again:
nano ~/project/my_rules.rule
Add the following lines to the end of the file. These rules will:
a[0-9]: Append a single digit (0-9) to the word.a[0-9][0-9]: Append two digits (00-99) to the word. This rule will generate 100 variations for each word.
a[0-9]
a[0-9][0-9]
Save the file (Ctrl+O, Enter) and exit nano (Ctrl+X).
Now, apply these updated rules to your wordlist.txt. Since a[0-9][0-9] generates many variations, we will limit the output using head for demonstration purposes.
john --wordlist=~/project/wordlist.txt --rules=file:~/project/my_rules.rule --stdout | head -n 50
You will see words like "password0", "password1", ..., "password00", "password01", etc. The head -n 50 command limits the output to the first 50 lines, as the full output would be very long.
Password
SECRET
LABEX
TEST
password
PASSWORD
secret
SECRET
labex
LABEX
test
TEST
Password
Secret
Labex
Test
password0
password1
password2
password3
password4
password5
password6
password7
password8
password9
secret0
secret1
secret2
secret3
secret4
secret5
secret6
secret7
secret8
secret9
labex0
labex1
labex2
labex3
labex4
labex5
labex6
labex7
labex8
labex9
test0
test1
test2
test3
test4
test5
This shows how to effectively generate number-appended variations, which are crucial for cracking common password patterns.
Combine Multiple Rules for Complex Transformations
In this step, you will combine multiple rule commands to create more complex password transformations. JtR allows you to chain rule commands together on a single line, applying them sequentially to each word.
Let's create a rule that capitalizes the first letter and then appends a single digit.
Open your my_rules.rule file again:
nano ~/project/my_rules.rule
Add the following rule to the end of the file. This rule ca[0-9] means:
c: Capitalize the first letter.a[0-9]: Append a single digit (0-9).
ca[0-9]
Save the file (Ctrl+O, Enter) and exit nano (Ctrl+X).
Now, apply these updated rules to your wordlist.txt and observe the output. Again, we'll use head to limit the output.
john --wordlist=~/project/wordlist.txt --rules=file:~/project/my_rules.rule --stdout | head -n 50
You should see variations like "Password0", "Password1", "Secret0", "Secret1", etc.
Password
SECRET
LABEX
TEST
password
PASSWORD
secret
SECRET
labex
LABEX
test
TEST
Password
Secret
Labex
Test
password0
password1
password2
password3
password4
password5
password6
password7
password8
password9
secret0
secret1
secret2
secret3
secret4
secret5
secret6
secret7
secret8
secret9
labex0
labex1
labex2
labex3
labex4
labex5
labex6
labexex7
labex8
labex9
test0
test1
test2
test3
test4
test5
Password0
Password1
Password2
Password3
Password4
Password5
Password6
Password7
Password8
Password9
This demonstrates the power of combining rules. You can create very specific and effective rule sets by chaining commands. For example, s@a!ca[0-9] would substitute '@' with '!', capitalize the first letter, and then append a digit.
Test Custom Rules on a Wordlist
In this final step, you will use your custom rules to attempt to crack a dummy hash. This will simulate a real-world password cracking scenario.
Recall that in the setup, a hash for the word "password" was created and saved in ~/project/hashes.txt. The hash is user1:5f4dcc3b5aa765d61d8327deb882cf99 (MD5 hash of "password").
First, let's ensure your my_rules.rule file contains a rule that would generate "password" or a variation of it that matches the hash. For this example, we will assume the hash is for the original "password" word. If you had a hash for "Password0", your ca[0-9] rule would be useful.
For this demonstration, we will use the original wordlist.txt and your my_rules.rule to try and crack the hash.
Execute John the Ripper with your hash file, wordlist, and custom rules:
john ~/project/hashes.txt --wordlist=~/project/wordlist.txt --rules=file:~/project/my_rules.rule
John the Ripper will start processing the wordlist, applying your rules, and comparing the generated words against the hash. If it finds a match, it will display the cracked password.
You should see output similar to this, indicating that the password has been cracked:
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 SSSP])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (user1)
1g 0:00:00:00 DONE (2023-10-27 10:30) 100% (ETA: 00:00:00)
Session completed.
To view the cracked password again, you can use the --show option:
john --show ~/project/hashes.txt
This command will display any passwords that JtR has successfully cracked and stored in its pot file.
user1:password
1 password hash cracked, 0 left
This final step demonstrates the practical application of custom rules in password cracking. By intelligently crafting rules, you can significantly enhance the effectiveness of your dictionary attacks against various password patterns.
Summary
In this lab, you have successfully learned how to leverage John the Ripper's powerful rule engine for advanced password cracking. You started by understanding the basic syntax of JtR rules, including commands for capitalization and case toggling. You then created your own custom rule file and added rules for appending numbers, a common password variation. Finally, you combined multiple rule commands to create more complex transformations and applied your custom rules to crack a dummy hash, simulating a real-world scenario. This hands-on experience has equipped you with the knowledge to define and apply sophisticated rule sets, significantly enhancing your ability to crack passwords that are not directly present in a standard wordlist.
