From charlesreid1

Revision as of 05:12, 19 August 2015 by Admin (talk | contribs)

John the Ripper is a tool for password cracking and recovery.

John is part of the Kali Top 10.

How It Works

John works well alongside other programs, since it does several things well, and each of those capabilities is valuable on its own and can be combined with other tools. For an example, see Aircrack and John the Ripper.

Password Generation

First, John has a powerful password generation mechanism. It does not simply try the words in a wordlist; it can generate many, many more candidate passwords from those wordlists. For example, starting with a list of the 10,000 most common passwords, John can create additional lists with 400,000 or 8 million additional password variations to try. You can carefully control how those variations are generated to target your password search as you go.

Password Testing and Encryption

Second, John has built-in support for many password hash formats, so it can handle a wide variety of password files. If you have a Unix password file listing users and their password hashes, John can brute-force it.

Using John as a Password Generator

My introduction and main experience with John is feeding it wordlists and using it to generate passwords to test from that wordlist.

See John the Ripper/Password Generation

Using John to Crack WPA

You can convert airodump-ng pcap files into a format that John can understand using the following steps [1]:

cap2hccap

First, you'll need to convert the pcap to a hashcat capture (hccap) file, using the cap2hccap tool: http://sourceforge.net/projects/cap2hccap/files/

Download it and unzip it into a directory. Run make; it builds a tool called cap2hccap.bin, which you then run as an executable.

Call the bin file, pass it your cap file, then tell it where to output the hccap file:

$ ./cap2hccap.bin /path/to/my.cap my.hccap

hccap2john

Now you'll need hccap2john, a tool that ships with John the Ripper. If you don't have it (a John package installed through a package manager may not include it), that's fine: make a local build of John and use the tool from there.

Download the John the Ripper jumbo source tarball and build it:

$ tar xzf john-1.7.9-jumbo-7.tar.gz
$ cd john*
$ cd src
$ make linux-x86-64

The build needs the OpenSSL development headers; if make fails for lack of them, install the package and rerun make:

$ apt-get install libssl-dev

Once the build finishes, all the binary tools are in the run directory:

$ ls -l john-1.7.9-jumbo-7/run/
total 2880
-rw------- 1 root root  341064 Jul 10  2012 all.chr
-rw------- 1 root root  232158 Jul 10  2012 alnum.chr
-rw------- 1 root root  131549 Jul 10  2012 alpha.chr
-rwx------ 1 root root    3908 Jul 10  2012 benchmark-unify
-rwxr-xr-x 1 root root    8736 Aug 16 17:00 calc_stat
-rwx------ 1 root root     579 Jul 10  2012 cracf2john.py
-rw------- 1 root root    4099 Jul 10  2012 dictionary.rfc2865
-rw------- 1 root root   40391 Jul 10  2012 digits.chr
-rw------- 1 root root   42268 Sep 19  2012 dumb16.conf
-rw------- 1 root root   57177 Sep 19  2012 dumb32.conf
-rw------- 1 root root   11230 Sep 17  2012 dynamic.conf
-rwx------ 1 root root    1868 Jul 10  2012 genincstats.rb
-rwxr-xr-x 1 root root   23408 Aug 16 17:00 genmkvpwd
lrwxrwxrwx 1 root root       4 Aug 16 17:00 hccap2john -> john
-rwxr-xr-x 1 root root 1381216 Aug 16 17:00 john
-rw------- 1 root root   25902 Sep 17  2012 john.bash_completion
-rw------- 1 root root   41299 Sep 17  2012 john.conf
-rw-r--r-- 1 root root       0 Aug 16 17:00 john.local.conf
lrwxrwxrwx 1 root root       4 Aug 16 17:00 keepass2john -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 keychain2john -> john
-rw------- 1 root root  215982 Jul 10  2012 lanman.chr
-rwx------ 1 root root     453 Jul 10  2012 ldif2john.pl
-rwx------ 1 root root     860 Jul 10  2012 lion2john-alt.pl
-rwx------ 1 root root     979 Jul 10  2012 lion2john.pl
-rwx------ 1 root root    1289 Jul 10  2012 mailer
-rwxr-xr-x 1 root root    7736 Aug 16 17:00 mkvcalcproba
-rwx------ 1 root root    9658 Jul 10  2012 netntlm.pl
-rwx------ 1 root root    5190 Jul 10  2012 netscreen.py
-rwx------ 1 root root    4078 Jul 10  2012 odf2john.py
-rwx------ 1 root root   94733 Sep 20  2012 pass_gen.pl
-rw------- 1 root root   26215 Jul 10  2012 password.lst
lrwxrwxrwx 1 root root       4 Aug 16 17:00 pdf2john -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 pwsafe2john -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 racf2john -> john
-rwx------ 1 root root    6660 Sep 17  2012 radius2john.pl
lrwxrwxrwx 1 root root       4 Aug 16 17:00 rar2john -> john
-rwxr-xr-x 1 root root    7576 Aug 16 17:00 raw2dyna
-rwx------ 1 root root    5943 Jul 10  2012 relbench
-rwx------ 1 root root    9032 Sep 17  2012 sap2john.pl
-rwx------ 1 root root     526 Jul 10  2012 sha-dump.pl
-rwx------ 1 root root     491 Jul 10  2012 sha-test.pl
-rwx------ 1 root root     633 Jul 10  2012 sipdump2john.py
lrwxrwxrwx 1 root root       4 Aug 16 17:00 ssh2john -> john
-rw------- 1 root root  107571 Jul 10  2012 stats
-rwxr-xr-x 1 root root    9080 Aug 16 17:00 tgtsnarf
lrwxrwxrwx 1 root root       4 Aug 16 17:00 unafs -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 undrop -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 unique -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 unshadow -> john
lrwxrwxrwx 1 root root       4 Aug 16 17:00 zip2john -> john

We're interested in the hccap2john tool.

Call it as follows:

$ ./hccap2john ./my.hccap

$WPAPSK$Walrus#k1xC0LKY57WA9vVgdLZS3uQhnqJsGeDNJX9BLVGPpRxBT.EG7gBNwlspasqW5AwOy03m5MkoPkJjbO9EBqITgJJoeXJdqLPAYkvN1k61.8w02wc.2..........0cWnD4jUVQVqAB4w3PtqWo1RZ5v3JR89pORZqn7ACqEwrNFylJLGeBKbNRgmH1hZEx7cS........................................I/huMokkg.aNsr/qbBolaxbAWal9ZvEBLiiR3vONMyyMB2NkH11csbvLqGIPBMWFjZ8K9XyZddJYVmQQhQ/K7T15qgPrH3N4T8CvvYHf3WUa......................................................................................................0w.....U...6OaRKi13gXzk8c2z29pCqc

Or, to dump it to a password file and then call John on it:

$ ./hccap2john ./my.hccap > crackme

Crack with John

Now we have a password file that we can crack with John and a wordlist:

$ john --wordlist=rockyou-10.txt --format=wpapsk crackme

Using Rules with John

Download an excellent set of John the Ripper rules from KoreLogic security here: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt

The rules are based on the 2010 DEFCON Crack Me If You Can contest.

Install the Rules

To install the rules, download that text file, then append it to John's configuration file with this command:

$ cat korelogic-rules-20100801.txt >> /etc/john/john.conf

Using Rules

Now you can use any of the rules listed here (http://contest-2010.korelogic.com/rules.html), or any that appear in the rules file in the form [List.Rules:KoreLogicRulesPrependSeason] (just drop the List.Rules: part):

$ john --wordlist=rockyou-10.txt --format=wpapsk --rules=KoreLogicRulesPrependYears crackme

List All the Rules

$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do echo ${ruleset}; done
KoreLogicRulesPrependSeason
KoreLogicRulesAppendSeason
KoreLogicRulesPrependHello
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendCurrentYearSpecial
KoreLogicRulesAppend4Num
KoreLogicRulesAppend5Num
KoreLogicRulesAppend6Num
KoreLogicRulesAppendSpecial3num
KoreLogicRulesAppendSpecial4num
KoreLogicRulesPrependCAPCAPAppendSpecial
KoreLogicRulesPrependNumNumAppendSpecial
KoreLogicRulesPrependNumNum
KoreLogicRulesPrependNumNumNum
KoreLogicRulesPrependNumNumNumNum
KoreLogicRulesPrependNumNumSpecial
KoreLogicRulesPrepend2NumbersAppend2Numbers
KoreLogicRulesPrependSpecialSpecial
KoreLogicRulesAppendSpecialNumberNumber
KoreLogicRulesAppendSpecialNumberNumberNumber
KoreLogicRulesPrependSpecialSpecialAppendNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumber
KoreLogicRulesPrependSpecialSpecialAppendNumbersNumberNumber
KoreLogicRulesAppend2Letters
KoreLogicRulesPrepend4NumAppendSpecial
KoreLogicRulesAppend4NumSpecial
KoreLogicRulesAppend3NumSpecial
KoreLogicRulesAppend2NumSpecial
KoreLogicRulesAddJustNumbersLimit8
KoreLogicRulesDevProdTestUAT
KoreLogicRulesPrependAndAppendSpecial
KoreLogicRulesAppendJustNumbers
KoreLogicRulesAppendNumbers_and_Specials_Simple
KoreLogicRulesAppendJustSpecials
KoreLogicRulesMonthsFullPreface
KoreLogicRulesAddShortMonthsEverywhere
KoreLogicRulesPrepend4LetterMonths
KoreLogicRulesAdd2010Everywhere
KoreLogicRulesPrependDaysWeek
KoreLogicRulesAdd1234_Everywhere
KoreLogicRulesAppendMonthDay
KoreLogicRulesAppendMonthCurrentYear
KoreLogicRulesReplaceNumbers2Special
KoreLogicRulesReplaceNumbers
KoreLogicRulesReplaceLettersCaps
KoreLogicRulesAddDotCom
KoreLogicRulesAppendCap-Num_or_Special-Twice
KoreLogicRulesAppendSpecialLowerLower
KoreLogicRulesAppendJustSpecials3Times
KoreLogicRulesPrependJustSpecials
KoreLogicRulesAppend1_AddSpecialEverywhere
KoreLogicRulesPrependNumNum_AppendNumSpecial
KoreLogicRulesAppendNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNum_AddSpecialEverywhere
KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere
KoreLogicRulesAppendYears_AddSpecialEverywhere
KoreLogicRulesL33t
KoreLogicRulesReplaceSpecial2Special
KoreLogicRulesReplaceLetters

Use All the Rules

This is overkill, but it extracts every rule set from the KoreLogic rule list and runs john once with each of them. From the full list at http://contest-2010.korelogic.com/rules.html you can see that will take a long time. It is handy, though, combined with grep to filter the rule names down to a subset.

$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done

A nice subset:

$ grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1 | grep Year | grep -v Special
KoreLogicRulesPrependYears
KoreLogicRulesAppendYears
KoreLogicRulesAppendMonthCurrentYear

Put into use:

$ for ruleset in `grep KoreLogicRules /etc/john/john.conf | cut -d: -f 2 | cut -d\] -f 1 | grep Year | grep -v Special`; do john --wordlist=rockyou-10.txt --format=wpapsk --rules=${ruleset} crackme; done
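Added example (not from this page, and not John's own code): a small Python model of what one rule section does to a wordlist, for both the password-generation point made earlier (10,000 words becoming hundreds of thousands of candidates) and the [List.Rules:Name] headers that the grep loops above extract. It parses those headers from a constructed john.conf fragment (the section names DemoPrependYears and DemoCapAppendSpecial are made up for the demonstration), expands John's preprocessor [..] character classes, and applies a subset of John's rule commands (: l c $X ^X sXY); John's own expansion order may differ.

```python
import re
from itertools import product

# Constructed john.conf fragment (not KoreLogic's file): [List.Rules:Name]
# headers are what the page's grep|cut pipeline extracts for --rules=.
SAMPLE_CONF = """\
[List.Rules:DemoPrependYears]
^[0-9]^[0-9]^9^1
^[0-9]^[0-9]^0^2
[List.Rules:DemoCapAppendSpecial]
c$[!@]
"""

def list_rules(conf_text):
    """Section names with the List.Rules: prefix already stripped."""
    return re.findall(r"^\[List\.Rules:([^\]]+)\]", conf_text, re.M)

def rule_lines(conf_text, name):
    # Non-comment rule lines of one section, up to the next [section] header.
    m = re.search(rf"^\[List\.Rules:{re.escape(name)}\]\n(.*?)(?=^\[|\Z)", conf_text, re.M | re.S)
    body = m.group(1).splitlines() if m else []
    return [l.strip() for l in body if l.strip() and not l.startswith("#")]

def expand_classes(rule):
    """Preprocessor step: each [..] class yields one rule per member (a-b ranges ok)."""
    def members(body):
        out = []
        for lo, hi, ch in re.findall(r"(.)-(.)|(.)", body):
            out += map(chr, range(ord(lo), ord(hi) + 1)) if lo else [ch]
        return out
    parts = re.split(r"(\[[^\]]*\])", rule)
    choices = [members(p[1:-1]) if p.startswith("[") else [p] for p in parts]
    return ["".join(combo) for combo in product(*choices)]

def apply_rule(rule, word):
    """Subset of John's rule commands: ':' no-op, l, c, $X append, ^X prepend, sXY."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "l": word = word.lower()
        elif cmd == "c": word = word[:1].upper() + word[1:].lower()
        elif cmd == "$": i += 1; word += rule[i]
        elif cmd == "^": i += 1; word = rule[i] + word
        elif cmd == "s": word = word.replace(rule[i + 1], rule[i + 2]); i += 2
        elif cmd != ":": raise ValueError(f"unsupported rule command {cmd!r}")
        i += 1
    return word

def candidates(conf_text, name, words):
    """Every candidate one section yields from a wordlist: rules x words."""
    return [apply_rule(r, w) for line in rule_lines(conf_text, name)
            for r in expand_classes(line) for w in words]
```

With a two-word list the DemoPrependYears section alone yields 400 candidates (200 expanded rules times 2 words), which is the multiplier you see when a 10,000-word list grows to hundreds of thousands.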

References

John documentation: http://www.openwall.com/john/doc/OPTIONS.shtml

A fantastic and thorough list of tutorials for beginners: http://openwall.info/wiki/john/tutorials

WPA/WPA2 with John: http://openwall.info/wiki/john/WPA-PSK

John/Defcon Crack Me If You Can Contest: http://contest-2010.korelogic.com/

Using the korelogic rules: http://contest-2010.korelogic.com/rules.html

All the rules: http://openwall.info/wiki/_media/john/korelogic-rules-20100801.txt

Bunches of John + MPI tutorials: http://openwall.info/wiki/john/tutorials
