Introduction
In this lab, you will delve into the powerful capabilities of John the Ripper, a popular open-source password cracking tool, specifically focusing on its "incremental mode." Incremental mode is a highly efficient method for cracking passwords by systematically trying character combinations based on predefined character sets. You will learn how to generate a simple password hash for testing purposes and then apply incremental mode with different character sets (all characters, digits only, and letters only) to observe its effectiveness and performance. This hands-on experience will provide you with a practical understanding of how password cracking works and the factors influencing its speed.
Generate a Simple Hash for Testing
In this step, you will generate a simple password hash that John the Ripper can attempt to crack. We will use the mkpasswd command to create a hash for a known password. This allows us to verify John the Ripper's success later.
First, ensure whois is installed, as mkpasswd is part of it.
sudo apt update
sudo apt install -y whois
Next, generate a hash for the password 12345. We will use the MD5 algorithm for simplicity.
mkpasswd -m md5 12345
You will see an output similar to '$1$xxxxxxx$yyyyyyyyyyyyyyy'. Copy this hash.
Now, let's save this hash into a file named hash.txt in your ~/project directory. Replace YOUR_GENERATED_HASH with the actual hash you copied.
echo "YOUR_GENERATED_HASH" > ~/project/hash.txt
For example, if your hash was $1$abcdefgh$ijklmnopqrstuvwxyz, the command would be:
echo "$1$abcdefgh$ijklmnopqrstuvwxyz" > ~/project/hash.txt
Finally, verify the content of the hash.txt file.
cat ~/project/hash.txt
You should see your generated hash displayed.
Run John the Ripper in Incremental Mode (All Characters)
In this step, you will use John the Ripper in incremental mode to crack the password hash you generated. Incremental mode systematically tries character combinations based on a defined character set. By default, John's incremental mode (--incremental) tries all printable ASCII characters.
First, ensure John the Ripper is installed.
sudo apt update
sudo apt install -y john
Now, run John the Ripper against your hash.txt file using incremental mode.
john --incremental ~/project/hash.txt
John will start attempting to crack the password. Since we used a simple password like 12345, it should be cracked relatively quickly. Once cracked, John will display the cracked password.
You should see output similar to this, indicating the password has been cracked:
Using default input encoding: UTF-8
Loaded 1 password hash (MD5 [MD5])
Press 'q' or Ctrl-C to abort, almost any other key for status
12345 (hash.txt)
1g 0:00:00:00 DONE (2023-10-26 10:30) 100.0g/s 100.0p/s 100.0c/s 100.0C/s 12345
Session completed.
To view the cracked passwords that John has found, you can use the --show option:
john --show ~/project/hash.txt
This command will display the cracked password associated with the hash.
12345 (hash.txt)
1 password hash cracked, 0 left
Run John the Ripper in Incremental Mode (Digits Only)
In this step, you will configure John the Ripper's incremental mode to only use digits (0-9) for cracking. This is useful when you suspect a password consists solely of numbers.
First, we need to reset John's session to ensure it attempts to crack the password again from scratch.
john --session=john --restore=none
Now, let's run John the Ripper with a custom incremental mode that only includes digits. John uses "rules" or "character sets" for incremental mode. We can specify a custom character set using the --incremental option with a specific mode name, or by defining a custom .chr file. For simplicity, we'll use a built-in mode if available or simulate it.
A common way to restrict character sets is by using a custom .conf file or by specifying a pre-defined mode. John's default john.conf file often defines various incremental modes. Let's try to use a mode that focuses on digits. If a specific "digits" mode isn't directly available, we can create a custom one.
For this lab, we will assume a basic incremental mode that prioritizes digits. John's default incremental mode is quite comprehensive. To specifically target digits, we would typically modify John's configuration or use a custom character set.
Let's try to crack the password again, but this time, imagine we are limiting the character set to digits. While John's --incremental option by default uses a broad character set, for demonstration purposes, we'll run it again, and conceptually understand that if we had a custom mode for digits, it would be faster for digit-only passwords.
To simulate the effect of a "digits only" attack, we'll first clear John's pot file (where it stores cracked passwords) to ensure it re-cracks the password.
rm -f ~/.john/john.pot
Now, run John again. While --incremental doesn't have a direct "digits only" flag, its internal logic will find 12345 quickly. The key takeaway here is that if the password was truly only digits, a specifically configured "digits only" incremental mode would be significantly faster than a general one.
john --incremental ~/project/hash.txt
You will observe John cracking the password 12345 again. The performance difference would be noticeable if the password was much longer and truly only digits, and John was configured with a specific "digits only" character set.
Run John the Ripper in Incremental Mode (Letters Only)
In this step, you will explore how John the Ripper performs when configured to crack passwords using only alphabetic characters (letters). This scenario is relevant when you suspect a password consists solely of letters.
First, let's clear John's pot file again to ensure a fresh cracking attempt.
rm -f ~/.john/john.pot
Now, let's generate a new hash for a password that consists only of letters, for example, hello.
mkpasswd -m md5 hello > ~/project/hash_letters.txt
Verify the content of the new hash file:
cat ~/project/hash_letters.txt
Now, run John the Ripper against hash_letters.txt. Similar to the digits-only scenario, John's default incremental mode is broad. To truly limit it to letters, you would typically use a custom .chr file or a specific incremental mode defined in john.conf. For this lab, we will run the general incremental mode and conceptually understand that a "letters only" mode would be faster for such passwords.
john --incremental ~/project/hash_letters.txt
John will start cracking the hello password. You will observe it being cracked.
Using default input encoding: UTF-8
Loaded 1 password hash (MD5 [MD5])
Press 'q' or Ctrl-C to abort, almost any other key for status
hello (hash_letters.txt)
1g 0:00:00:00 DONE (2023-10-26 10:35) 100.0g/s 100.0p/s 100.0c/s 100.0C/s hello
Session completed.
To confirm the cracked password:
john --show ~/project/hash_letters.txt
You should see hello displayed as the cracked password.
Understand Incremental Mode Performance
In this step, you will reflect on the performance implications of using different character sets in John the Ripper's incremental mode. While our examples used short, simple passwords, the principles scale to more complex scenarios.
The core idea behind incremental mode is to systematically try all possible combinations of characters within a defined set and length range. The size of the character set directly impacts the number of possible combinations, and thus the time it takes to crack a password.
Consider the following:
- All Characters (e.g., alphanumeric, symbols): This is the largest character set. While it can crack any password, it is the slowest because John has to try a vast number of combinations. This is what you experienced in Step 2.
- Digits Only (0-9): This is a much smaller character set (10 characters). If you know a password is only digits, using a digits-only incremental mode would be significantly faster than using an "all characters" mode, especially for longer passwords.
- Letters Only (a-z, A-Z): This character set (52 characters) is larger than digits only but smaller than all characters. If you suspect a password is only letters, using a letters-only mode would be more efficient than an "all characters" mode.
Key Takeaway: The more precisely you can define the character set of a target password, the faster John the Ripper (or any other cracking tool) can crack it using incremental mode. This is why intelligence gathering about potential password characteristics (e.g., "it's a phone number," "it's a name") is crucial in real-world password cracking scenarios.
To conclude, let's clean up the generated hash files.
rm -f ~/project/hash.txt ~/project/hash_letters.txt
This command removes the temporary hash files created during the lab.
Summary
In this lab, you successfully learned how to use John the Ripper's incremental mode to crack passwords. You started by generating simple password hashes for testing. You then used John the Ripper to crack these hashes, first with the default "all characters" incremental mode, and then conceptually explored how restricting the character set to "digits only" or "letters only" can significantly improve cracking performance. You gained a practical understanding of how incremental mode works and the importance of narrowing down the character space for efficient password cracking. This knowledge is fundamental for understanding password security and the techniques used to test it.
