LabEx
Log InJoin Free

Use Rules to Enhance a Dictionary Attack

Kali LinuxBeginner
Practice Now

Introduction

A dictionary attack is a method of breaking into a password-protected system by systematically entering every word in a list (a dictionary) as a password. However, this basic approach often fails because users rarely use simple dictionary words as passwords. They often add numbers, symbols, or change the capitalization to meet complexity requirements.

This is where "mangling rules" become incredibly powerful. Mangling rules are a set of instructions that transform the words in your dictionary before they are tested. For example, a rule can append a number, capitalize the first letter, or substitute letters with symbols (like 'a' to '@').

In this lab, you will use the popular password cracking tool, John the Ripper (JtR), to see this in action. You will first attempt a standard dictionary attack and see it fail. Then, you will apply a set of mangling rules to enhance the attack and successfully crack a more complex password.

Understand the Power of Mangling Rules

In this step, you will first perform a standard dictionary attack to see its limitations. We have prepared a file named shadow.txt which contains a user's hashed password, and a wordlist.txt file containing a potential base word for the password.

Let's run John the Ripper with our wordlist against the hash file. This command tells john to try every word from wordlist.txt as a password.

john --wordlist=wordlist.txt shadow.txt

You will see output similar to this, indicating that the attack is running.

Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Cost 1 (algorithm [1:descrypt]...[3:DES]) is 50400 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-10-27 10:30) 0g/s 1845Kp/s 1845Kc/s 1845KC/s secdec..secret
Session completed

Notice the final message: "Session completed". John the Ripper tried the word "secret" and its common variations but failed to crack the password. This is because the actual password is more complex than a simple dictionary word. This demonstrates the need for a more advanced technique.

Locate the Built-in Rule Files in the /rules/ Directory

In this step, we'll explore where John the Ripper stores its powerful mangling rules. On most Linux systems, including this one, the rules are not in a separate /rules/ directory but are defined within the main configuration file, john.conf.

Let's list the contents of the /etc/john/ directory to find this configuration file.

ls -l /etc/john/

You should see the john.conf file in the output.

total 148
-rw-r--r-- 1 root root 148233 Jan 20  2022 john.conf

This john.conf file contains numerous pre-defined rule sets, such as KoreLogic, best64, and all. These rule sets are collections of individual mangling instructions that can be applied to a dictionary attack. In the next step, we will examine one of these rule sets more closely.

Select a Common Rule File like best64.rule

In this step, you will examine a specific set of rules. For your convenience, we have already extracted a popular and effective rule set, best64, from john.conf and saved it as best64.rule in your current project directory (~/project).

Let's inspect the first 10 lines of this file to get an idea of what rules look like. Use the head command:

head -n 10 best64.rule

You will see output similar to this:

#
## best64.rule, a selection of the best 64 rules from the over 14,000
## rules in all.rule.
#
## Rule syntax:
## http://www.openwall.com/john/doc/RULES.shtml
#
## The following rules are commented out because they are slow.
#
:
l
u

The lines starting with # are comments. The single-character lines like :, l, and u are actual rules.

  • : is a no-op rule, which means "try the word as-is".
  • l converts the word to lowercase.
  • u converts the word to uppercase.

Further down in the file, you would find more complex rules like c (capitalize first letter) and $1 (append the digit '1'). These simple transformations dramatically increase the number of password candidates.

Apply a Rule File to a Dictionary Attack with the -r Flag

Now it's time to unleash the power of mangling rules. In this step, you will run the dictionary attack again, but this time you'll instruct John the Ripper to use the best64.rule file.

You can do this by adding the -r flag (short for --rules) to the command. This tells john to apply every rule in the specified file to every word in the wordlist.txt.

Execute the following command in your terminal:

john --wordlist=wordlist.txt -r=./best64.rule shadow.txt

This time, the attack should be successful very quickly. The output will look different.

Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2])
Cost 1 (algorithm [1:descrypt]...[3:DES]) is 50400 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Secret123        (testuser)
1g 0:00:00:00 DONE (2023-10-27 10:35) 10.00g/s 61538p/s 61538c/s 61538C/s Secret12..Secret123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Success! The line Secret123 (testuser) indicates that the password has been cracked. John the Ripper found the correct password by applying rules from best64.rule to the word "secret".

Compare Attack Results With and Without Rules

In this final step, you will formally view the cracked password and reflect on the difference the rules made.

Although the password was displayed in the previous step's output, the standard way to view all cracked passwords for a given hash file is with the --show flag.

Run the following command:

john --show shadow.txt

This command will display all the passwords that John has successfully cracked for the shadow.txt file.

testuser:Secret123:17119:0:99999:7:::

1 password hash cracked, 0 left

The output clearly shows testuser:Secret123. This confirms the cracked password.

By comparing the results, the conclusion is clear:

  • Without Rules (Step 1): The attack failed because "secret" was not the password.
  • With Rules (Step 4): The attack succeeded. John took the word "secret", applied a capitalization rule to get "Secret", and then an append-number rule to get "Secret123", which was a match.

This demonstrates that mangling rules are not just a helpful feature; they are essential for making dictionary attacks effective against real-world password habits.

Summary

In this lab, you experienced the practical difference between a simple dictionary attack and a rule-enhanced one.

You learned how to:

  • Run a basic dictionary attack with John the Ripper and see its limitations.
  • Understand the concept of mangling rules and locate where they are stored.
  • Examine the structure of a rule file.
  • Apply a rule set to a dictionary attack using the -r flag to greatly improve its effectiveness.
  • View the cracked passwords and confirm the success of the rule-based attack.

By transforming simple dictionary words into thousands of potential variations, mangling rules are a fundamental tool in any password auditor's or security professional's toolkit.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux