Thursday, December 16, 2010

Passwordlists with John the Ripper

Creating Passwordlists with John the Ripper

Whilst bringing hashcrack.com back up to work I had to create passwordlists for checking the scripts and the database. For those who don't know: John the Ripper does quite a good job of creating passwordlists out of the blue or mangling existing lists. The --stdout parameters are somewhat tricky:

john --i --stdout

creates passwords up to the length configured in MaxLen (and MinLen) in john.conf.

john --i --stdout:2

creates passwords up to a length of 2 characters.

When it comes to working with existing password-lists, you can use

john --stdout --wordlist=file.txt

to echo the plain wordlist.

To mangle the list according to john's rules, you might use

john --stdout --wordlist=file.txt --rules

With a plain john.conf this increases the number of passwords by a factor of approximately 7, mangling "password" into things like Password, Password1, 1password etc.

tom
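
Added example, not part of the original post and not John the Ripper's own code: a small Python model of how wordlist rules multiply a list, handling only a subset of John's rule commands. The rule set and word list are constructed for illustration and are not the john.conf defaults; the point is that the growth factor is an upper bound, which drops once the input list already contains case variants.

```python
# Added example: toy interpreter for a subset of John the Ripper rule commands.
# Supported:  :  no-op    l  lowercase   u  uppercase   c  capitalize
#             r  reverse  d  duplicate   $X append X    ^X prepend X

def apply_rule(rule, word):
    """Apply one rule line to one word and return the mangled candidate."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in "$^":                      # these two consume the next char
            i += 1
            if i >= len(rule):
                raise ValueError(f"{cmd} needs a character in {rule!r}")
            out = out + rule[i] if cmd == "$" else rule[i] + out
        elif cmd == "l":
            out = out.lower()
        elif cmd == "u":
            out = out.upper()
        elif cmd == "c":
            out = out[:1].upper() + out[1:].lower()
        elif cmd == "r":
            out = out[::-1]
        elif cmd == "d":
            out += out
        elif cmd not in ": ":                # ':' and spaces change nothing
            raise ValueError(f"unsupported command {cmd!r} in {rule!r}")
        i += 1
    return out

def mangle(words, rules):
    """One pass over the list per rule; repeated candidates are dropped
    (ordering and de-duplication are choices of this sketch)."""
    seen = set()
    for rule in rules:
        for word in words:
            cand = apply_rule(rule, word)
            if cand not in seen:
                seen.add(cand)
                yield cand

# Constructed rule set and word list, NOT the [List.Rules:Wordlist] defaults.
RULES = [":", "c", "$1", "c$1", "^1", "u", "r"]
WORDS = ["password", "letmein", "Password"]

def expansion(words, rules):
    """Return (input count, output count) to size a list before writing it."""
    return len(words), sum(1 for _ in mangle(words, rules))

if __name__ == "__main__":
    print(list(mangle(["password"], RULES)))
    print("in/out:", expansion(WORDS, RULES))
```

Seven constructed rules turn the single word into seven candidates, but the three-word list grows to 16 rather than 21 because "Password" mostly collapses into candidates already produced from "password".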