Hi,
Thank you for helping answer the question, Rich!
Rich Rumble wrote:
> Powen Cheng wrote:
> > Example: I know the password begins with "Password" but is 12 characters
> > long.
> > So, I would need to brute force the last 4 char using thecustom.chr that I
> > created.
> A custom.chr file might be faster, but depending on the hash type (fast or
> slow) you could bruteforce 4 remaining chars very quickly with a mask,
In cases like this, mask mode is typically the way to go.
> or even the external-mode "knownforce".
The KnownForce external mode pre-dates the introduction of mask mode and
is now pretty useless except as an example and a template for its
revisions like the DateTime mode.
> ./john -format=nt hash.txt -session=mask -mask=Password?a?a?a?a
> (Assumes your hash type is NTLM aka -format=nt)
Right. Explicit specification of "--format" isn't always necessary -
JtR will generally auto-detect the hash type if it's of a specific
enough format.
> That will try all characters appended to the end of the word "Password", if
> the real password contains "?'s" escape them -mask=asdf\?lkjh?a?a?a?a
> https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/MASK
There are two kinds of escaping that might be required: for the shell
that JtR is invoked from, and for JtR itself. In Rich's example, the
backslash may end up being eaten by the shell, leaving the question mark
unescaped when it reaches JtR. I recommend putting the entire mask in
single quotes for the shell, and then using JtR mask's escapes inside
the mask as necessary. For question marks, I recommend escaping them by
doubling (which is also the syntax that works for character classes in
wordlist rules), although a backslash also works (when not eaten by the
shell). For example:
--mask='asdf??lkjh?a?a?a?a'
> If you have more than one thread/CPU you may consider using Fork as well
> ./john -format=nt hash.txt -session=mask -mask=Password?a?a?a?a -fork=4
> That will split the load out to 4 threads
Actually, 4 processes.
> just in case your hash type is not benefiting from OMP
Use of processes (with "--fork") generally results in higher cumulative
c/s rate than use of threads (with OpenMP) even for hash types that are
benefitting from OpenMP.
> https://openwall.info/wiki/john/parallelization
This wiki page is currently badly out of date. I wouldn't refer to it.
(And we should probably update it.)
> I think you can use your charset by adding a new rule like this to john.conf
> [wordlist:append]
> :Az
I guess you meant something like:
Az"[a-z][a-z][a-z][a-z]"
> and running a command like
> ./john -stdout -i=thecustom.chr | ./john -pipe -format=nt
> -session=custom-in -rules=append -w=word.txt hash.txt
> This will output your characters from your custom charset and pipe them
> into the next instance of john, and that instance is set to format NTLM,
> use the rule in john.conf, a wordlist containing the known part of the
> password, and then against the hash you have in hash.txt.
This is erroneous (can't use both "-pipe" and "-w" at once - what would
this even mean if it were supported?) and overly complicated.
Instead of the above mix, something like this can be used:
./john --incremental=custom --mask='Password?w' hash.txt
It's that simple. The ?w in the mask refers to whatever "word" comes
from another cracking mode, in this case incremental. If the password
length is known, it can be specified as:
./john -inc=custom -mask='Password?w' -min-len=12 -max-len=12 hash.txt
In fact, for only 4 characters to find the default incremental mode
might work well enough, leaving us with:
./john -inc -mask='Password?w' -min-len=12 -max-len=12 hash.txt
> Check out some of the older questions on John's mailing list too
This is always a good suggestion.
Alexander
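The two escaping layers discussed in the reply above (the shell's and JtR's own mask syntax) are easy to get wrong by hand, so here is a small POSIX sh helper, added as an illustration and not part of the original thread or of John the Ripper itself. It takes a known prefix and a count of unknown trailing characters, doubles any literal "?" in the prefix (JtR's own escape for a question mark), backslash-escapes "[", "]" and "\" (assumed to be mask metacharacters per doc/MASK; confirm against your JtR version with --stdout before a long run), single-quotes the result for the shell, and also computes the total candidate length for --min-len/--max-len when the prefix is combined with ?w. The hash file name "hash.txt" and the prefixes are the thread's own examples; everything else is constructed here.

```shell
#!/bin/sh
# Added example: build a JtR mask from a known password prefix, handling
# both JtR mask escaping and shell quoting. Not code from the thread or JtR.

# escape_mask_literal STRING
#   Escapes STRING so JtR's mask mode treats every character literally:
#   '?' is doubled (JtR's documented escape for a literal question mark);
#   '\', '[' and ']' get a backslash (assumption: they are mask metacharacters
#   per doc/MASK). Backslashes are escaped first so later steps add none
#   that would then be re-escaped.
escape_mask_literal() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/\[/\\[/g' -e 's/]/\\]/g' -e 's/?/??/g'
}

# build_mask PREFIX N_UNKNOWN [PLACEHOLDER]
#   Prints the escaped PREFIX followed by N_UNKNOWN copies of PLACEHOLDER
#   (default ?a, all printable ASCII), e.g. Password?a?a?a?a.
build_mask() {
    prefix=$1; n=$2; ph=${3:-'?a'}
    mask=$(escape_mask_literal "$prefix")
    i=0
    while [ "$i" -lt "$n" ]; do
        mask="$mask$ph"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# total_len PREFIX N_UNKNOWN
#   Length of the candidate passwords, for --min-len/--max-len when the
#   prefix is combined with ?w. Counts the unescaped prefix (bytes, fine for
#   ASCII prefixes), not the longer escaped mask.
total_len() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    echo $((len + $2))
}

# shell_quote STRING
#   Wraps STRING in single quotes so the shell passes it through untouched;
#   an embedded single quote becomes the usual '\'' sequence.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# jtr_command HASHFILE PREFIX N_UNKNOWN
#   Prints a ready-to-paste command line. The mask is single-quoted so no
#   backslash or '?' is eaten by the shell before JtR sees it.
jtr_command() {
    hashfile=$1; prefix=$2; n=$3
    mask=$(build_mask "$prefix" "$n")
    printf '%s %s %s\n' './john' "--mask=$(shell_quote "$mask")" "$(shell_quote "$hashfile")"
}

# Demo with the thread's examples (prints the commands, does not run john).
jtr_command hash.txt 'Password' 4
jtr_command hash.txt 'asdf?lkjh' 4
echo "candidate length for --min-len/--max-len: $(total_len 'Password' 4)"
```

The printed command for the second prefix carries the mask as 'asdf??lkjh?a?a?a?a', which is exactly the doubled-question-mark form recommended above; because it sits inside single quotes, the same text reaches JtR regardless of which shell runs it.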