Monday, July 15, 2013

Brute Forcing Passwords with John the Ripper


Objective

To configure John the Ripper to brute force 8-character, case-sensitive passwords that contain letters and digits.

By default John is not capable of brute forcing case-sensitive alphanumeric passwords. John uses character sets stored in .chr files. A .chr file contains not only the characters John will try when brute forcing a password, but also the frequency with which each character appears in passwords. Since John does not ship with a character set containing lowercase letters, uppercase letters, and digits, we will have to create one ourselves. To build a new .chr file we will use John itself to measure how often each character occurs in a word-list.

External Filters

Before we can begin creating a new character set for John we'll need to configure an external filter that rejects any word containing characters other than letters and digits. External filters are defined in john.conf, located in /etc/john, under the comment "# Some pre-defined word filters." Several filters are included in the configuration file, but we'll need to create a new one to suit our needs. All external mode definitions, including external filters, are written in a subset of C. However, we won't have to write any C from scratch to create our filter. It's simplest to copy the existing filter "Filter_Alnum" and add the uppercase letters to its "if" statement.




Creating A New Character Set


John provides a few options for creating new character sets, although none of them is as simple as saying "use these 62 characters." All of the methods for creating a new character set require that you have a file of cracked passwords or a large john.pot file. The john.pot file contains every password you have successfully cracked with John, along with its hash. By keeping this information in john.pot, John never has to crack the same hash more than once.

If you, like me, do not have a cracked password file that you want to use or a large john.pot, you'll still be able to generate a new character set. Since we're working without an existing john.pot file, we will create a custom .pot file from a large word-list. This also lets us make sure that the characters we need make it into the .chr file. I chose to work with the rockyou word-list since it's included in Kali Linux. The following command creates a .pot file from the rockyou word-list (the .pot format is hash:password, so the leading colon stands in for an empty hash).

cat rockyou.txt | sed 's/^/:/' > custom.pot

Now that we've created our custom .pot file we can use John to generate a character set from it. The following command tells John to use the custom .pot file we created to make a new character set named "AllAlphaNum.chr." We use the external filter we created earlier to ensure that only lowercase letters, uppercase letters, and digits are included in the .chr file.

john --pot=custom.pot --make-charset=AllAlphaNum.chr --external=Filter_AllAlphaNum

When John is finished making the new .chr file, you'll have to move the file into /usr/share/john before John can use it.



Incremental Mode (-i)


Incremental mode attempts to crack passwords by trying every combination of characters within a character set. When using the incremental mode switch we select a named definition for the mode's parameters with an equals sign following "-i" (for example, -i=NAME). Definitions for incremental mode are located in john.conf under the comment "# Incremental modes." The parameters determine the character set to be used, the minimum/maximum password length, the character count, and any extra characters. By default john.conf contains 10 incremental mode definitions.

File: Determines which character set will be used by John. Character sets are located in /usr/share/john.
MinLen: The minimum number of characters that the password contains.
MaxLen: The maximum number of characters that the password contains.
CharCount: Character count should reflect the number of characters available in the character set; you don't gain anything by setting this number to a higher value.
Extra: Extra allows you to add characters that are not included in the chosen character set.

We can create a new definition that will use the character set we created earlier and specify that the password must be exactly 8 characters long. The definition can be added to john.conf in the same way that we added our external filter.
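The two john.conf sections described on this page, the external filter under "External Filters" and the incremental mode definition just described, are shown together below as an added example; these are my own snippets, not the original post's or the John the Ripper project's configuration. The filter is Filter_Alnum extended with the uppercase range, as the post recommends; the section names Filter_AllAlphaNum and AllAlphaNum, the 62-character count, and the $JOHN path (John's own placeholder for its home directory, which on Kali is /usr/share/john as the post notes) are assumptions.

```ini
# Added example: john.conf fragments (not the original post's or the project's own).
# Append both sections to /etc/john/john.conf.

# External filter: keep a word only if every character is 0-9, A-Z or a-z.
# Copied from the stock Filter_Alnum and extended with the A-Z range.
[List.External:Filter_AllAlphaNum]
void filter()
{
	int i, c;

	i = 0;
	while (c = word[i++])
	if (c < '0' || (c > '9' && c < 'A') || (c > 'Z' && c < 'a') || c > 'z') {
		word[0] = 0; return;   /* empty the word so John discards it */
	}
}

# Incremental mode definition: our 62-character set, exactly 8 characters long.
# File path and section name are assumptions; $JOHN is John's home directory
# (/usr/share/john on Kali, where the post says to copy AllAlphaNum.chr).
[Incremental:AllAlphaNum]
File = $JOHN/AllAlphaNum.chr
MinLen = 8
MaxLen = 8
CharCount = 62
```

CharCount is 62 because that is how many characters the filter lets through (10 digits plus 26 lowercase and 26 uppercase letters); setting it higher gains nothing, as noted above. No Extra line is needed since every character we want is already in the .chr file. The filter section is what the --external=Filter_AllAlphaNum switch on the --make-charset command refers to, and the incremental section is selected by name with -i=AllAlphaNum when John is run against a hash file.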


Waaaaiiit for it....

Now that we've created an incremental mode definition that uses our limited character set and restricts every attempt to eight characters, it's time to run John.