John The Ripper Cheatsheet

kirbi2john 1password2john 7z2john DPAPImk2john adxcsouf2john aem2john aix2john andotp2john androidbackup2john androidfde2john ansible2john apex2john applenotes2john aruba2john atmail2john axcrypt2john bestcrypt2john bitcoin2john bitshares2john bitwarden2john bks2john blockchain2john ccache2john cisco2john cracf2john dashlane2john deepsound2john diskcryptor2john dmg2john ecryptfs2john ejabberd2john electrum2john encfs2john enpass2john ethereum2john filezilla2john geli2john hccapx2john htdigest2john ibmiscanner2john ikescan2john itunes_backup2john iwork2john kdcdump2john keychain2john keyring2john keystore2john kirbi2john known_hosts2john krb2john kwallet2john lastpass2john ldif2john libreoffice2john lion2john lotus2john luks2john mac2john mcafee_epo2john monero2john money2john mosquitto2john mozilla2john multibit2john neo2john office2john openbsd_softraid2john openssl2john padlock2john pcap2john pdf2john pem2john pfx2john pgpdisk2john pgpsda2john

pgpwde2john prosody2john ps_token2john pse2john pwsafe2john radius2john restic2john sap2john sense2john signal2john sipdump2john ssh2john sspr2john staroffice2john strip2john telegram2john tezos2john truecrypt2john vdi2john vmx2john zed2john bitlocker2john dmg2john gpg2john hccap2john keepass2john putty2john racf2john rar2john uaf2john vncpcap2john wpapcap2john zip2john doc/README.7z2john.md doc/pcap2john.readme.gz 1password2john 7z2john.pl DPAPImk2john adxcsouf2john aem2john aix2john.pl aix2john andotp2john androidbackup2john androidfde2john ansible2john apex2john applenotes2john aruba2john atmail2john.pl axcrypt2john bestcrypt2john bestcryptve2john bitcoin2john bitshares2john bitwarden2john bks2john blockchain2john ccache2john cisco2john.pl cracf2john dashlane2john deepsound2john diskcryptor2john dmg2john ecryptfs2john ejabberd2john electrum2john encfs2john enpass2john ethereum2john filezilla2john geli2john hccapx2john htdigest2john

ibmiscanner2john ikescan2john itunes_backup2john.pl iwork2john kdcdump2john keychain2john keyring2john keystore2john kirbi2john known_hosts2john krb2john kwallet2john lastpass2john ldif2john.pl libreoffice2john lion2john-alt.pl lion2john.pl lotus2john luks2john mac2john-alt mac2john mcafee_epo2john monero2john money2john mosquitto2john mozilla2john multibit2john neo2john office2john openbsd_softraid2john openssl2john padlock2john pcap2john pdf2john.pl pem2john pfx2john pgpdisk2john pgpsda2john pgpwde2john prosody2john ps_token2john pse2john pwsafe2john radius2john.pl radius2john restic2john sap2john.pl sense2john signal2john sipdump2john ssh2john sspr2john staroffice2john strip2john telegram2john test_tezos2john tezos2john truecrypt2john vdi2john.pl vmx2john zed2john 1password2john DPAPImk2john adxcsouf2john aem2john aix2john andotp2john androidbackup2john androidfde2john ansible2john apex2john applenotes2john aruba2john axcrypt2john bestcrypt2john

bestcryptve2john bitcoin2john bitshares2john bitwarden2john bks2john blockchain2john ccache2john cracf2john dashlane2john deepsound2john diskcryptor2john dmg2john ecryptfs2john ejabberd2john electrum2john encfs2john enpass2john ethereum2john filezilla2john geli2john hccapx2john htdigest2john ibmiscanner2john ikescan2john iwork2john kdcdump2john keychain2john keyring2john keystore2john kirbi2john known_hosts2john krb2john kwallet2john lastpass2john libreoffice2john lotus2john luks2john mac2john-alt mac2john mcafee_epo2john monero2john money2john mosquitto2john mozilla2john multibit2john neo2john office2john openbsd_softraid2john openssl2john padlock2john pcap2john pem2john pfx2john pgpdisk2john pgpsda2john pgpwde2john prosody2john ps_token2john pse2john pwsafe2john radius2john restic2john sense2john signal2john sipdump2john ssh2john sspr2john staroffice2john strip2john telegram2john test_tezos2john tezos2john truecrypt2john vmx2john zed2john

Cracking Modes

# Dictionnary attack
./john --wordlist=password.lst hashFile

 # Dictionnary attack using default or specific rules
./john --wordlist=password.lst --rules=rulename hashFile
./john --wordlist=password.lst --rules mypasswd

# Incremental mode
./john --incremental hashFile

# Loopback attack (password are taken from the potfile)
./john --loopback hashFile

# Mask bruteforce attack
./john --mask=?1?1?1?1?1?1 --1=[A-Z] hashFile --min-len=8

# Dictionnary attack using masks
./john --wordlist=password.lst -mask='?l?l?w?l' hashFile

MISC & Tricks

# Show hidden options
./john --list=hidden-options

# Using session and restoring them
./john hashes --session=name
./john --restore=name
./john --session=allrules --wordlist=all.lst --rules mypasswd &
./john status

# Show the potfile
./john hashes --pot=potFile --show

# Search if a root/uid0 have been cracked
john --show --users=0 mypasswdFile
john --show --users=root mypasswdFile

# List OpenCL devices and get their id
./john --list=opencl-devices

# List format supported by OpenCL
./john --list=formats --format=opencl

# Using multiples GPU
./john hashes --format:openclformat --wordlist:wordlist --rules:rules --dev=0,1 --fork=2

# Using multiple CPU (eg. 4 cores)
./john hashes --wordlist:wordlist --rules:rules --dev=2 --fork=4

Wordlists & Incremental

# Sort a wordlist for the wordlist mode
tr A-Z a-z < SOURCE | sort -u > TARGET

# Use a potfile to generate a new wordlist
cut -d ':' -f 2 john.pot | sort -u pot.dic

# Generate candidate password for slow hashes
./john --wordlist=password.lst --stdout --rules:Jumbo | ./unique -mem=25 wordlist.uniq

--incremental:Lower # 26 char
--incremental:Alpha # 52 char
--incremental:Digits # 10 char
--incremental:Alnum # 62 char

# Create a new charset
./john --make-charset=charset.chr

# Then set the following in the John.conf
# Incremental modes
[Incremental:charset]
File = $JOHN/charset.chr
MinLen = 0
MaxLen = 31
CharCount = 95

# Using a specific charset
./john --incremental:charset hashFile

Rules

# Predefined rules
--rules:Single
--rules:Wordlist
--rules:Extra
--rules:Jumbo # All the above
--rules:KoreLogic
--rules:All # All the above

# Create a new rule in John.conf
[List.Rules:Tryout]
l
u
...

| Rule          | Description                                               |
|------------   |-------------------------------------------------------    |
| l             | Convert to lowercase                                      |
| u             | Convert to uppercase                                      |
| c             | Capitalize                                                |
| l r           | Lowercase the word and reverse it                         |
| l Az"2015"    | Lowercase the word and append "2015" at the end           |
| d             | Duplicate                                                 |
| l A0"2015"    | Lowercase the word and append "2015" at the beginning     |
| A0"#"Az"#"    | Add "#" at the beginning and the end of the word          |
| C             |  Lowercase the first char and uppercase the rest          |
| t             | Toggle case of all char                                   |
| TN            | Toggle the case of the char in position N                 |
| r             | Reverse the word                                          |
| f             | Reflect (Fred --> Fredderf)                               |
| {             | Rotate the word left                                      |
| }             | Rotate the word right                                     |
| $x            | Append char X to the word                                 |
| ^x            | Prefix the word with X char                               |
| [             | Remove the first char from the word                       |
| ]             | Remove the last char from the word                        |
| DN            | Delete the char in position N                             |
| xNM           | Extract substring from position N for M char              |
| iNX           | Insert char X in position N and shift the rest right      |
| oNX           | Overstrike char in position N with X                      |
| S             | Shift case                                                |
| V             | Lowercase vowels and uppercase consonants                 |
| R             | Shift each char right on the keyboard                     |
| L             | Shift each char left on the keyboard                      |
| <N            | Reject the word unless it is less than N char long        |
| >N            | Reject the word unless it is greater than N char long     |
| \'N           | Truncate the word at length N                             |

Example For Mangling Passwords with John

Looking at the source code, we are able to get two usernames:

[email protected]

Trying to use the user magnus, the boss of the company, who was mentioned in the room description, we get an error message that the user is invalid.

Next, we try to log in with a random password with the two found usernames and the wild guess of [email protected]. All three logins seem to be valid, like the error message states, the given password is invalid.

With the found information, it's possible to craft a users.txt,and a password base.txt, which will then be used to generate wordlists, to brute force the login page.

users.txt

[email protected]
[email protected]
[email protected]

base.txt

anders
devops
securesolacoders
ssc
sr
senior
developer

For convenience, a hostname is used for the IP of the machine in the /etc/hosts file.

Add 10.10.211.106 securesolacoders.no to /etc/hosts

To mangle the passwords, a simple John rule is configured. Appending some numbers to the possible passwords and having a combination of a password with a number and a special character.

[List.Rules:TryHackMe-Intranet]
Az"[0-9]"
Az"[0-9][0-9]"
Az"[0-9][0-9][0-9]"
Az"[0-9][0-9][0-9][0-9]"
Az"[0-9]" $[!$§$%/()=?*@]

With the created rule, generate a wordlist from base.txt

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/intranet]
└─$ john -wordlist:base.txt -rules:TryHackMe-Intranet -stdout > wordlist.txt

Running Hydra to brute force the login page.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/intranet]
└─$ hydra -L users.txt -P wordlist.txt securesolacoders.no -s 8080 http-post-form "/login:username=^USER^&password=^PASS^:Error"

After several minutes, we are able to retrieve a password.

To generate a wordlist, that takes less time, the results of this gen

PreviousHashcat-Cheatsheet NextMimikatz Cheatsheet

Last updated 2 years ago