📄 cracking unix password files for beginners.html
<p>where:</p>
<p> comb - number of possible combinations<br>
nrch - number of chars<br>
let - number of letters used</p>
<p>If you're dealing with john's default -i 95-character set and assume a
6-letter password, you have 735091890625 possible combinations! OUCH!!<br>
Sure, this is useful for passwords like 2405v7, but still... with the computational
power of today's modern PC, I'd just give up, unless I had access to some University's
supercomputer, which I'd bet no one would ever give me (well, at least not for
free, and certainly not to run a password cracker on it).<br>
As you can see it can take a looooong time until you crack a single password;
do a little math and try to calculate how many possible combinations there are
for 10, 12 and 16 chars.<br>
I don't think you'll like the answer :)<br>
Of course, sometimes dictionary attacks are not enough, but john has very powerful
'thinking'. In 'incremental' mode john will try all possible combinations from
0 to 8 characters (a zero-length password means a hashed empty string, which
sometimes happens). So incremental mode is one sort of brute-force attack.</p>
<p>If you want to fire all weapons at once then you use</p>
<p> john password.file</p>
<p>This will first do a basic dictionary attack, then -rules, then -i.</p>
<font size="4"><b>5) What if...</b></font><br>
<hr width="250" align="left">
<p>Ok, you have to turn off your box from time to time, don't you? If you're working on
that haaard password that will take more than 20 hours of cracking, you can stop
john with ctrl+c and then resume with</p>
<p> john -restore</p>
<p>If your box crashes or if there's a power failure, you won't (sometimes) be able to restore
your cracking session... well, that's just too bad. Hell, it happened
to me once :-(</p>
<p>John is modular, and that is the most powerful thing about John the Ripper;
it is what makes john the most advanced password cracker. John is very,
very modular. John uses modes that are described in john.ini (do you still remember
that incremental cracking I was talking about? The modes for rules and incremental
cracking are described in john.ini).<br>
If you're an inventive guy then you can change the parameters in john.ini.</p>
<p>Here is an example of what the default parameters for -i look like:</p>
<p> # Incremental modes<br>
[Incremental:All]<br>
File = ~/all.chr<br>
MinLen = 0<br>
MaxLen = 8<br>
CharCount = 95</p>
<p>Ok... what do we have here?</p>
<p> [Incremental:All] - this marks the beginning of the definition for the
-i:all switch<br>
File - name of the file that holds the characters used in mode -i:all (the whole
character set)<br>
MinLen - logically, the minimum password length that john -i:all will try<br>
MaxLen - even more logically, the maximum password length that john -i:all will
try<br>
CharCount - number of chars used by john when you 'turn on' this switch</p>
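<p>As an added example (not from the original tutorial and not John the Ripper's own code), here is a small Python script that parses [Incremental:NAME] sections written in the john.ini layout shown above and applies the combination formula from earlier in the text (comb = nrch ^ let, the formula that yields 735091890625 for 95 chars and 6 letters) to every length from MinLen to MaxLen. It is just as useful from the defender's side: given the character set size and the minimum length your password policy enforces, it shows how large a search space a brute-force run has to cover. The sample ini text, the [Incremental:Digits] section and the guesses-per-second figure are constructed for this example and are not John's real defaults.</p>

```python
import configparser

# Constructed sample in the john.ini layout shown on the page; the [Incremental:Digits]
# section is made up for this example and is not John's actual default.
SAMPLE_JOHN_INI = """\
# Incremental modes
[Incremental:All]
File = ~/all.chr
MinLen = 0
MaxLen = 8
CharCount = 95

[Incremental:Digits]
File = ~/digits.chr
MinLen = 1
MaxLen = 8
CharCount = 10
"""

FULL_PRINTABLE_ASCII = 95  # size of John's default -i character set, as the page states


def combinations(nrch, let):
    """comb = nrch ** let: each of the 'let' positions can hold any of 'nrch' characters."""
    return nrch ** let


def keyspace(charcount, minlen, maxlen):
    """Candidates an incremental mode enumerates: one term per length from MinLen to MaxLen."""
    return sum(combinations(charcount, length) for length in range(minlen, maxlen + 1))


def parse_incremental_modes(ini_text):
    """Return {mode_name: {file, minlen, maxlen, charcount}} for every [Incremental:NAME] section."""
    cp = configparser.ConfigParser(interpolation=None)  # '#' comment lines are skipped by default
    cp.read_string(ini_text)
    modes = {}
    for section in cp.sections():
        if not section.startswith("Incremental:"):
            continue
        name = section.split(":", 1)[1]
        minlen = cp.getint(section, "MinLen")      # option lookups are case-insensitive
        maxlen = cp.getint(section, "MaxLen")
        charcount = cp.getint(section, "CharCount")
        if not 0 <= minlen <= maxlen:
            raise ValueError(f"[{section}]: MinLen must be <= MaxLen")
        if not 1 <= charcount <= FULL_PRINTABLE_ASCII:
            raise ValueError(f"[{section}]: CharCount must be between 1 and {FULL_PRINTABLE_ASCII}")
        modes[name] = {
            "file": cp.get(section, "File"),
            "minlen": minlen,
            "maxlen": maxlen,
            "charcount": charcount,
        }
    return modes


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to enumerate every candidate at a constant guess rate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1_000_000  # guesses/second: a made-up figure; measure your own with 'john -test'
    for name, mode in parse_incremental_modes(SAMPLE_JOHN_INI).items():
        total = keyspace(mode["charcount"], mode["minlen"], mode["maxlen"])
        days = seconds_to_exhaust(total, ASSUMED_RATE) / 86400
        print(f"-i:{name.lower()}: {total:,} candidates, about {days:,.1f} days at {ASSUMED_RATE:,} guesses/s")
    # The lengths the text asks the reader to work out, for the full 95-character set:
    for length in (6, 10, 12, 16):
        print(f"95^{length} = {combinations(FULL_PRINTABLE_ASCII, length):,}")
```

<p>The per-length sum is what makes the 0..8 range of [Incremental:All] so much bigger than the single 95^6 figure quoted above; raising MinLen (or, on the policy side, the minimum password length) removes the cheap short lengths from the front of that sum.</p>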
<p>So, are there some more switches... heh?<br>
Yes there are, and below are all the default options, pasted from John the Ripper's
documentation:</p>
<b><font size="4">John the Ripper's Command Line Options</font></b><br>
<hr width="250" align="left">
<p>You can list any number of password files on John's command line, and also
specify some of the following options (all of them are case sensitive, but
can be abbreviated; you can also use the GNU-style long options syntax):</p>
<ul>
<li><b>-single</b>: "single crack" mode. Enables the "single crack" mode, using rules
from [List.Rules:Single].</li>
<li><b>-wordfile:FILE</b>: wordlist mode, read words from FILE, or<br>
<b>-stdin</b>: from stdin. These are used to enable the wordlist mode.</li>
<li><b>-rules</b>: enable rules for wordlist mode. Enables wordlist rules, that are read
from [List.Rules:Wordlist].</li>
<li><b>-incremental[:MODE]</b>: incremental mode [using section MODE]. Enables the incremental
mode, using the specified ~/john.ini definition (section [Incremental:MODE],
or [Incremental:All] by default).</li>
<li><b>-external:MODE</b>: external mode or word filter. Enables an external mode, using
external functions defined in ~/john.ini's [List.External:MODE] section.</li>
<li><b>-stdout[:LENGTH]</b>: no cracking, write words to stdout. When used with a cracking
mode, except for "single crack", makes John print the words it generates
to stdout instead of cracking. While applying wordlist rules, the significant
password length is assumed to be LENGTH, or unlimited by default.</li>
<li><b>-restore[:FILE]</b>: restore an interrupted session. Continues an interrupted cracking
session, reading point information from the specified file (~/restore by default).</li>
<li><b>-session:FILE</b>: set session file name to FILE. Allows you to specify another
point information file's name to use for this cracking session. This is useful
for running multiple instances of John in parallel, or just to be able to
recover an older session later, not always continue the latest one.</li>
<li><b>-status[:FILE]</b>: print status of a session [from FILE]. Prints status of an
interrupted or running session. To get up to date status information for
a detached running session, send that copy of John a SIGHUP before using this
option.</li>
<li><b>-makechars:FILE</b>: make a charset, overwriting FILE. Generates a charset file,
based on character frequencies from ~/john.pot, for use with the incremental
mode. The entire ~/john.pot will be used for the charset file unless you specify
some password files. You can also use an external filter() routine with this option.</li>
<li><b>-show</b>: show cracked passwords. Shows the cracked passwords in a convenient
form. You should also specify the password files. You can use this option
while another John is cracking, to see what it did so far.</li>
<li><b>-test</b>: perform a benchmark. Benchmarks all the enabled ciphertext format crackers,
and tests them for correct operation at the same time.</li>
<li><b>-users:[-]LOGIN|UID[,..]</b>: load this (these) user(s) only. Allows you to filter
a few accounts for cracking, etc. A dash before the list can be used to invert
the check (that is, load all the users that aren't listed).</li>
<li><b>-groups:[-]GID[,..]</b>: load this (these) group(s) only. Tells John to load users
of the specified group(s) only.</li>
<li><b>-shells:[-]SHELL[,..]</b>: load this (these) shell(s) only. This option is useful
to load accounts with a valid shell only, or not to load accounts with a bad
shell. You can omit the path before a shell name, so '-shells:csh' will match
both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match
'/bin/csh'.</li>
<li><b>-salts:[-]COUNT</b>: set a passwords per salt limit. This feature sometimes allows
you to achieve better performance. For example you can crack only some salts using
'-salts:2' faster, and then crack the rest using '-salts:-2'. Total cracking time
will be about the same, but you will get some passwords cracked earlier.</li>
<li><b>-format:NAME</b>: force ciphertext format NAME. Allows you to override the
ciphertext format detection. Currently, valid format names are DES, BSDI, MD5,
BF, AFS, LM. You can use this option when cracking or with '-test'. Note that
John can't crack password files with different ciphertext formats at the same time.</li>
<li><b>-savemem:LEVEL</b>: enable memory saving, at LEVEL 1..3. You might need this
option if you don't have enough memory, or don't want John to affect other
processes too much. Level 1 tells John not to waste memory on login names, so
you won't see them while cracking. Higher levels have a performance impact:
you should probably avoid using them unless John doesn't work or gets into
swap otherwise.</li>
</ul>
<font size="4"><b>6) Tips</b></font><br>
<hr width="250" align="left">
<p>I) A good sequence for your cracking job is</p>
<p> john -w:words.lst password.file<br>
<br>
john -w:words.lst -rules password.file<br>
<br>
john -w:words.lst password.file<br>
<br>
john -i:digits password.file<br>
<br>
john -i:all password.file</p>
<p>II) If you have a file whose entries all look like</p>
<p> owner:*:510:102:His name:/home/subdir/owner:/bin/bash</p>
<p>you have a shadowed password file.<br>
Go to the Byte-Me page at blacksun.box.sk and try to find out more about
password files (I'll leave it up to you to do this. It's important that you
learn how to find things by yourself).</p>
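<p>As an added example (not part of the original tutorial), here is a small Python audit that reads entries in the passwd layout shown above and reports the two cases an administrator should care about: a password field that is not a `*`/`x`-style placeholder means a hash is sitting in the world-readable passwd file instead of in shadow, and an empty password field means the account has no password at all (the "hashed empty string" case mentioned earlier in the text). Everything in the sample other than the entry quoted above is constructed, including the `$1$EXAMPLE$placeholder` value, which is not a real hash.</p>

```python
PASSWD_FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample: the entry quoted on the page plus made-up lines for contrast.
# "$1$EXAMPLE$placeholder" is not a real hash, just a value that is not a shadow marker.
SAMPLE_PASSWD = """\
owner:*:510:102:His name:/home/subdir/owner:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
legacy:$1$EXAMPLE$placeholder:511:102:Legacy user:/home/legacy:/bin/sh
guest::512:102:Guest account:/home/guest:/bin/sh
this line is not a passwd entry
"""

# Password-field values that mean "no hash here": shadowed ('x') or locked/disabled ('*', '!', '!!').
SHADOW_MARKERS = ("x", "*", "!", "!!")


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields; uid and gid become ints."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    entry = dict(zip(PASSWD_FIELDS, fields))
    entry["uid"] = int(entry["uid"])
    entry["gid"] = int(entry["gid"])
    return entry


def classify_password_field(value):
    """'shadowed' for a placeholder, 'empty' for no password, 'hash' for anything else."""
    if value == "":
        return "empty"
    if value in SHADOW_MARKERS or value.startswith(("!", "*")):
        return "shadowed"
    return "hash"


def audit_passwd(text):
    """Return (login_or_line, finding) pairs for entries an admin should look at."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = parse_passwd_line(line)
        except ValueError as exc:
            findings.append((f"line {lineno}", f"malformed: {exc}"))
            continue
        kind = classify_password_field(entry["password"])
        if kind == "hash":
            findings.append((entry["login"], "hash stored in passwd, not in shadow"))
        elif kind == "empty":
            findings.append((entry["login"], "empty password field"))
    return findings


def is_shadowed_file(text):
    """True when every well-formed entry uses a placeholder: what the page calls a shadowed password file."""
    return not any(finding.startswith(("hash", "empty")) for _, finding in audit_passwd(text))


if __name__ == "__main__":
    for who, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"{who}: {finding}")
    print("fully shadowed:", is_shadowed_file(SAMPLE_PASSWD))
```

<p>Run it against a copy of a real passwd file and an empty report is the state you want; anything it lists is either a hash that belongs in shadow or an account that can be logged into without a password.</p>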
<p>III) You get some little tools with john; they are all
listed below (from john's docs).</p>
<p> unshadow PASSWORD-FILE SHADOW-FILE<br>
Combines the passwd and shadow files (when you already have access to<br>
both) for use with John. You might need this since if you only used your<br>
shadow file, the GECOS information wouldn't be used by the "single crack"<br>
mode, and also you wouldn't be able to use the '-shells' option. You'll<br>
usually want to redirect the output of 'unshadow' to a file.</p>
<p> unafs DATABASE-FILE CELL-NAME<br>
Gets password hashes out of the binary AFS database, and produces a file<br>
usable by John (again, you should redirect the output yourself).</p>
<p> unique OUTPUT-FILE<br>
Removes duplicates from a wordlist (read from stdin), without changing<br>
the order. You might want to use this with John's '-stdout' option, if<br>
you got a lot of disk space to trade for the reduced cracking time.</p>
<p> mailer PASSWORD-FILE<br>
A shell script to send mail to all the users who got weak passwords. You<br>
should edit the message inside before using.</p>
<hr>
<br>
So, that was about it... hope you've got something from this text.<br>
Further reading: try reading ALL the documentation you get with john in the docs<br>
directory. Maybe it's a little bit chaotic, but.... man, those are the docs :)
<p><br>
Ohh, wait, wait!!<br>
Remember, not all password files can be cracked! Smart admins alter the<br>
encryption that they are using, especially when it comes to root passwords.<br>
But there are always other ways to get passwords. These are covered in other<br>
BSRF tutorials. Collect them all (lol) at http://blacksun.box.sk.</p>
</body>
</html>