Password Recovery & Cryptography
Dictionary-Based Password Cracking with John the Ripper
Problem
Security assessments and forensic investigations often require recovering passwords from hash files to access encrypted systems, validate password policies, or understand security postures. Manual password guessing is impractical for strong passwords, and brute-force attacks take time that grows exponentially with password length and character-set size.
Solution
Use John the Ripper with dictionary-based attacks leveraging wordlists like rockyou.txt to efficiently test millions of common passwords against hash files. Dictionary attacks prioritize likely passwords based on real-world usage patterns, dramatically reducing time compared to brute force.
Implementation
# Basic dictionary attack
john --wordlist=/usr/share/wordlists/rockyou.txt hash_file.txt
# Specify the hash format explicitly (john's autodetection is ambiguous for raw hashes such as a bare 32-hex-digit MD5, and it warns when several formats match)
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash_file.txt
# Common formats: Raw-MD5, Raw-SHA1, Raw-SHA256, Raw-SHA512, NT, bcrypt, descrypt
# View cracked passwords
john --show hash_file.txt
john --show --format=Raw-MD5 hash_file.txt
Performance & Sessions:
# Multiple cores
john --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 hash_file.txt
# Session management (long-running cracks)
john --wordlist=/usr/share/wordlists/rockyou.txt --session=my_session hash_file.txt
john --restore=my_session
# Rules for password variations
john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash_file.txt
# Incremental (brute force)
john --incremental hash_file.txt
john --incremental=Digits hash_file.txt
Common Hash File Formats:
# Unix /etc/shadow
username:$6$salt$hash:18000:0:99999:7:::
# Simple hash list
5f4dcc3b5aa765d61d8327deb882cf99
# Username:hash pairs
admin:5f4dcc3b5aa765d61d8327deb882cf99
# NTLM (Windows, pwdump format: user:RID:LM hash:NT hash:::); the LM value aad3b435b51404eeaad3b435b51404ee is the well-known empty-LM hash, so crack the NT field with --format=NT
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Wordlist location (Kali/Debian): /usr/share/wordlists/rockyou.txt — extract with gunzip if compressed. Check ~/.john/john.pot for previously cracked passwords before re-running.
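The `--show` output above is easiest to act on as a policy report. As an added example (not part of the original recipe or of John the Ripper), this Python script parses a constructed `john --show` listing and flags accounts whose recovered password falls below an assumed 12-character minimum or is shared between accounts:

```python
"""Turn `john --show` output into a password-policy audit report."""
import re
from collections import defaultdict

# Constructed sample of what `john --show hash_file.txt` prints for a
# shadow-style hash file: "user:plaintext:<remaining fields>" per cracked
# hash ("?" as user when the file had no usernames), then a summary line.
SAMPLE_SHOW_OUTPUT = """\
admin:password:18000:0:99999:7:::
backup:password:18000:0:99999:7:::
svc_db:Summer2023!:18000:0:99999:7:::

3 password hashes cracked, 2 left
"""

SUMMARY_RE = re.compile(r"^\d+ password hash(?:es)? cracked, \d+ left$")

def parse_show_output(text):
    """Return (account, plaintext) pairs, skipping blank and summary lines."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or SUMMARY_RE.match(line):
            continue
        fields = line.split(":", 2)  # account, plaintext, rest of record
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1]))
    return pairs

def audit(pairs, min_length=12):
    """Flag cracked accounts below the (assumed) length policy or sharing a password."""
    accounts_by_password = defaultdict(list)
    for account, plaintext in pairs:
        accounts_by_password[plaintext].append(account)
    return {
        "cracked": [account for account, _ in pairs],
        "too_short": [account for account, pw in pairs if len(pw) < min_length],
        # Reuse is reported as account groups so plaintexts stay out of the report.
        "shared": [a for a in accounts_by_password.values() if len(a) > 1],
    }

if __name__ == "__main__":
    report = audit(parse_show_output(SAMPLE_SHOW_OUTPUT))
    for finding, accounts in report.items():
        print(f"{finding}: {accounts}")
```

Pipe real output in with `john --show hash_file.txt | python3 audit.py` after replacing the constructed sample with `sys.stdin.read()`.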