Skip to content

john-chacho

John-the-Ripper & Hashcat: Password-Cracking 101

Is your password policy truly as strong as you think? There's only one sure way to find out—by testing it! In the world of penetration testing, password cracking is an essential skill for uncovering weak credentials and assessing overall security. This walkthrough will guide you through the use of two powerful password-cracking tools, John the Ripper and Hashcat, and how to leverage them with wordlists generated by CeWL, a tool that scrapes websites for likely passwords. We'll explore how to gather targeted wordlists, feed them into cracking tools, and ultimately test the strength of your password policies.

John the Ripper

A versatile password cracking tool for identifying weak passwords in various encrypted formats.

Hashcat

A powerful, GPU-accelerated password cracker that supports a wide range of hashing algorithms. Where the rubber meets the road (but mostly if you have the GPU to harness the power).

CeWL

A web scraper tool that generates custom wordlists by crawling websites for potential password phrases.

Setting Up

Kali or Parrot

If you are running Kali Linux or Parrot Sec OS, you may not need to install much, but check to ensure you're running the latest versions.

Installing John the Ripper

sudo apt install john

Installing Hashcat

sudo apt install hashcat

Installing CeWL

sudo apt install cewl

Generating Wordlists with CeWL

CeWL can be used to scrape specific websites to generate wordlists tailored to the target environment. This is especially useful in scenarios where passwords are based on a particular context, such as company names, locations, or terminology found on their website.

A Wordlist from a Website

cewl https://example.com -w custom_wordlist.txt
Explanation
  • https://example.com: The target website.
  • -w custom_wordlist.txt: Specifies the output file for the wordlist.

You can extend the functionality with deeper scrapes or by collecting email addresses: 

cewl -d 2 --email https://example.com -w custom_wordlist.txt

Explanation
  • -d 2: Scrapes two layers deep into the site.
  • --email: Also gathers email addresses, which could be useful for targeted attacks like phishing.

Cracking Passwords with John-the-Ripper

John the Ripper is versatile and has several useful options for expanding password cracking techniques. A great feature is the use of --rules, which modifies wordlist entries to test different variations of words, making password cracking more efficient without needing huge wordlists.

Identifying the Hash Type

  1. DES crypt: $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/

    • Hash type: DES crypt
    • Hash encoding: rEK1ecacw.7.c
    • Plaintext: password
    • Supported in JtR: yes

  2. BSDI crypt: _J9..K0AyUubDrfOgO4s Hash type: BSDI crypt Hash encoding: N/A Plaintext: password Supported in JtR: yes

  3. bigcrypt: qiyh4XPJGsOZ2MEAyLkfWqeQ Hash type: bigcrypt Hash encoding: N/A Plaintext: passphrase Supported in JtR: yes
  4. MD5 crypt: $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ Hash type: MD5 crypt Hash encoding: $1$... Plaintext: password Supported in JtR: yes
  5. SHA-256 crypt: $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 Hash type: SHA-256 crypt Hash encoding: $5$... Plaintext: password rasmuslerdorf Supported in JtR: yes
  6. bcrypt: $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe Hash type: bcrypt Hash encoding: $2a$... Plaintext: password Supported in JtR: yes
  7. LM: 855c3697d9979e78ac404c4ba2c66533 Hash type: LM Hash encoding: N/A Plaintext: passphrase Supported in JtR: yes
  8. NTLM: $NT$7f8fe03093cc84b267b109625f6bbf4b Hash type: NTLM Hash encoding: $NT$... Plaintext: passphrase Supported in JtR: Pro or jumbo patch
  9. Mac OS X salted SHA-1: 0E6A48F765D0FFFFF6247FA80D748E615F91DD0C7431E4D9 Hash type: Mac OS X salted SHA-1 Hash encoding: N/A Plaintext: macintosh Supported in JtR: Pro or jumbo patch
  10. Oracle: 000EA4D72A142E29 EB026A76F0650F7B Hash type: Oracle Hash encoding: N/A Plaintext: #95LWEIGHTS CIAO2010 Supported in JtR: Jumbo patch needed
  11. SAP: (Username$HASHCODE) See File SAP-pw-test-for-user-DDIC.zip Hash type: SAP Hash encoding: N/A Plaintext: DDIC Supported in JtR: Jumbo patch needed

Selecting the Right Rule

Rule Set Intensity Unique Features Types of Transformations Best For
Best64.rule Low Minimal, high-success transformations Basic mutations, end/beginning numbers Quick initial cracks; good first pass for basic passwords.
d3ad0ne.rule Moderate Focus on leet speak and keyboard pattern mutations Leet substitutions, end/beginning numbers Targeting passwords with leet speak or simple patterns (e.g., password123).
KoreLogic.rule Moderate Layered complexity; starts simple, progresses deeper Basic to moderate mutations, growing complexity Step-by-step approach, covering a range from simple to complex transformations progressively.
Dive.rule High Adds numbers to middle, supports deep insertions Advanced placements, diverse modifications Passwords with complex, unconventional formats or obscure symbol/number placements.
OneRuleToRuleThemAll Very High Covers nearly all possible character transformations Comprehensive: numbers, symbols, extensive substitutions Exhaustive exploration for highly resistant passwords; ideal when all else fails.
Jumbo.rule Extreme Most exhaustive; attempts nearly every mutation Full brute-force transformations across all elements Last-resort rule set, covering every transformation combination; very time-intensive.

Example: Cracking with Rules and a Wordlist

john --wordlist=/usr/share/wordlists/rockyou.txt --rules hashfile.txt
Explanation
  • --wordlist: Specifies the wordlist.
  • --rules: Applies the default password mutation rules (e.g., appending numbers or capitalizing the first letter).
  • hashfile.txt: The file containing the password hashes.

Using Custom Rules

John comes with several pre-defined rulesets that expand on basic rules: 

john --wordlist=custom_wordlist.txt --rules=Jumbo hashfile.txt

Explanation
  • --rules=Jumbo: Uses the Jumbo ruleset, which applies more aggressive modifications to words (e.g., replacing letters with numbers).
  • You can define custom rules based on what you know about a target's password policy.

Example: Cracking SHA-512 Crypt Passwords

This is commonly used in modern Linux systems: 

john --format=sha512crypt --wordlist=custom_wordlist.txt hashfile.txt

Explanation
  • --format=sha512crypt: Specifies that the password hash format is SHA-512 crypt.

Using Hashcat for the Heavy-lifting

Hashcat is highly effective for GPU-accelerated cracking and is particularly useful when dealing with larger datasets or more complex password policies. It supports advanced attacks like mask attacks, which allow you to define password patterns based on known policies.

Helpful in Finding Formats

Say you know the format of the hash is lesser-known - in this command, we're viewing all of the example hashes, but then pulling out the ones that include PDF with some lines before and after those hits for context. 

hashcat --example-hashes | grep -i 'pdf' -B 8 -A 7

Cracking SHA-512 Crypt Passwords with Hashcat

hashcat -m 1800 -a 0 hashfile.txt /usr/share/wordlists/rockyou.txt
Explanation
  • -m 1800: Specifies the SHA-512 crypt hash type (modern Linux systems).
  • -a 0: Dictionary attack mode.
  • hashfile.txt: File containing password hashes.
  • /usr/share/wordlists/rockyou.txt: The wordlist used for the attack.

Using Masks Based on a Known Password Policy

Standard Password Policy Example

  • Minimum length: 8 characters
  • Maximum length: 16 characters
  • Character requirements: - At least one uppercase letter - At least one lowercase letter - At least one digit - At least one special character While in this example we cannot guarantee each type of character is present, including only the necessary character types will help speed up the process.
    hashcat -m 1800 -a 3 hashfile.txt -1 ?u -2 ?l -3 ?d -4 ?s -5 ?u?l?d?s ?5?5?5?5?5?5?5?5?5?5?5?5?5?5?5?5 --increment --increment-min=8 --increment-max=16
Explanation
  • ?5?5?5?5?5?5?5?5?5?5?5?5?5?5?5?5: This defines a mask of up to 16 positions, where each position uses the combined character set ?5, which includes all uppercase, lowercase, digits, and special characters.
  • Length Control:
    • --increment: Ensures that the password lengths start from 8 characters and go up incrementally.
    • --increment-min=8: Starts testing with 8 characters.
    • --increment-max=16: Tests passwords up to 16 characters long.

Using Wordlists and Masks Together

If a password policy requires passwords to include both common words and patterns, you can combine a dictionary attack with a mask: 

hashcat -m 1800 -a 6 hashfile.txt /usr/share/wordlists/rockyou.txt ?d?s

Explanation
  • -a 6: Hybrid attack mode, combining dictionary words and mask patterns.
  • ?d?s: The mask that requires a digit and special character to be appended to each word.

Using Charsets with Hashcat

What are charsets in Hashcat?

Hashcat has something called charsets, custom sets of characters that you define. Instead of relying on just a standard set of characters (like all letters and digits), you can specify exactly which characters should be used in a brute-force attack, giving you fine control over the cracking process and saving computing time/resources.

Basic Concept of Charset:

In a mask attack, you specify a pattern (?u?l?l?l20?2?3?1) to tell Hashcat what types of characters to try in each position (uppercase, lowercase, digits, symbols, etc.). But you can also define your own custom character sets for each part of the pattern.

1. Default Character Sets in Hashcat

Hashcat provides pre-defined character sets, which can be used directly in the mask patterns. These include:

Mask Description Character Set Example
?u Uppercase letters A-Z
?l Lowercase letters a-z
?d Digits 0-9
?s Special characters (symbols) !"#$%&'()*+,-./:;<=>?@[\\]^_{
?a All printable ASCII characters a-zA-Z0-9!"#$%&'()*+,-./:;<=>?@[\\]^_{
?b Binary (0 or 1) 0,1

You can combine these directly in a mask attack. For example: 

hashcat -m 1000 -a 3 example.hash ?u?l?d?d?l
This would try passwords like Abc1d, Xyz2w, etc., using the ?u?l?d?d?l mask, which is: - One uppercase letter (?u), - One lowercase letter (?l), - Two digits (?d), - One lowercase letter (?l).

2. Custom Character Sets

In Hashcat, you can define custom charsets to use specific sets of characters for different parts of the mask. This allows you to target specific types of passwords more efficiently, like trying only specific symbols or custom characters.

Defining Custom Charsets

Custom charsets are defined using the -1, -2, -3, etc., options in the Hashcat command. You can define up to 15 custom charsets.

Syntax

hashcat -a 3 -m 1000 -1 '!@#' -2 '012345' -3 'ABCDE' hash.txt ?1?2?3?3
  • -1 '!@#': Defines charset 1 as !, @, and #.
  • -2 '012345': Defines charset 2 as the digits 012345.
  • -3 'ABCDE': Defines charset 3 as the letters A, B, C, D, E.

Then, the mask ?1?2?3?3 will try passwords like: - !012A - @345B - #234C ...and so on.

Common Charset Examples

  1. Symbols You can define custom charsets for only certain symbols. 
    hashcat -a 3 -m 1000 -1 '!@#$%^&*()' example.hash ?1?1?1?1
    This command tries passwords made up of combinations of symbols, such as:
    • !@#$
    • %&*(
    • ()@#
  1. Lowercase and Uppercase Letters Only You can restrict cracking to only lowercase or uppercase letters. 
    hashcat -a 3 -m 1000 -1 'abcdefghijklmnopqrstuvwxyz' -2 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' example.hash ?1?2?1
    This would try passwords where the first character is a lowercase letter, the second is uppercase, and the third is a lowercase letter.

  1. Using Custom Charsets in Mask Attack With custom charsets, you can use more complex patterns. Let’s look at an example:

    hashcat -a 3 -m 1000 -1 'abcdefghijklmnopqrstuvwxyz' -2 '0123456789' -3 '!@#$' example.hash ?1?2?3?2

    Here’s the breakdown: - -1 'abcdefghijklmnopqrstuvwxyz': charset 1 contains lowercase letters (a-z). - -2 '0123456789': charset 2 contains digits (0-9). - -3 '!@#$': charset 3 contains special symbols (!@#$).

    The mask ?1?2?3?2 would try passwords like: - a0!5 - z9@8 - m1#4

  1. Using Multiple Custom Charsets You can define multiple custom charsets to handle more complex combinations:

    hashcat -a 3 -m 1000 -1 'abcdefghijklmnopqrstuvwxyz' -2 '0123456789' -3 '!@#^' -4 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' example.hash ?1?2?3?4

    In this case: - -1 is lowercase letters, - -2 is digits, - -3 is symbols, - -4 is uppercase letters.

    The mask ?1?2?3?4 would try combinations like: - a0!A - z9#B - m1^C

  1. Charset Examples in Different Contexts #### Common Use Cases for Custom Charsets

    • Alphanumeric + Symbols: Let’s say you want to try all alphanumeric characters and a few symbols. 
      hashcat -a 3 -m 1000 -1 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' -2 '!@#^' example.hash ?1?2?1?2
      This will try combinations of letters, digits, and symbols like:
    • a1!a
    • Z9#A

    • m0^B

    • Alphanumeric Passwords with Common Suffixes: If you know the password follows a common suffix, you can define a charset for the suffix and combine it with alphanumeric characters: 

      hashcat -a 3 -m 1000 -1 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' -2 '2024!' example.hash ?1?1?1?2
      This will try:

    • abc2024!
    • XYZ2024!
    • 1232024!
  1. Performance Tips with Custom Charsets

When using custom charsets, it’s important to keep performance in mind. Larger custom charsets will increase the search space exponentially, making attacks slower.

Best practices:

  1. Limit the size of your charsets: Only include characters that are relevant to your attack.
  2. Use narrow masks: Keep the mask length smaller to limit the number of combinations.
  3. Experiment with different charset combinations: Start with simple charsets, then add complexity gradually to see which yields the best results.

Summary

  • Pre-defined charsets: ?u, ?l, ?d, ?s, ?a, ?b, etc.
  • Custom charsets: Use -1, -2, -3, etc., to define specific sets of characters.
  • Mixing charsets: You can use multiple custom charsets in a mask pattern, allowing for very flexible cracking attempts.
  • Mask patterns: The mask defines the structure (e.g., ?u?l?l?d?2?3) and each position can use a predefined or custom charset.