Finding the right wordlist – and building your own – is a hefty topic in its own right. Thankfully, Kali has some wordlists built in. For our demonstration, we'll work with the rockyou wordlist – it's popular and it's quite large. I recommend that you always consider it a general purpose wordlist, however. Carrying around rockyou by itself and expecting to be a password cracker is like carrying around a single screwdriver and expecting to be a repairman. Sure, you'll encounter the occasional job where it works fine. But you'll come across screws of different sizes and you'll need the right tool for the job. When I was working with clients, I had many lists and it wasn't unusual for me to build new ones on the road. When I was working with businesses in Ohio, I made sure buckeyes was in my wordlist; when I was working with businesses in Michigan, I made sure spartans was in my wordlist. These words are the names of sports teams – Midwestern Americans love their football, and while policy won't let them get away with just those words by themselves, cracking on those two words and then hybridizing the attack with a rule set yielded me a lot of passwords. Of course, rockyou and any other wordlist is nothing more than a glorified text file. So add stuff whenever it occurs to you!

Kali keeps wordlists in /usr/share/wordlists, so let's head over there and unzip rockyou:

Now that we have a wordlist, it's time to check out where all the magic is defined for John:  in his configuration file. Run this command to open it up in nano, keeping in mind that it's a very large file:

# nano /etc/john/john.conf

There's a lot going on here, and I encourage you to read the fine manual – but the juicy stuff is near the bottom, where the rule sets are defined. The convention is [list.rules:NAME], where NAME is the rule set name you'd define at the command line. You can even nest rule sets inside other rule sets with .include; this will save you time when you want to define custom rules but need the basics included as well: 

Let's be honest: the rules syntax looks like Martian when you first encounter it. Expertise in John rules syntax is out of scope for this discussion, but I recommend checking out the comments in the configuration file and experimenting with some basics. The Single rule set does some useful modifications for us and doesn't take too long to run on a fast CPU, so let's give it a shot with the hashes we nabbed from the network:

• --wordlist defines the dictionary file, rockyou in our demonstration
• --rules defines the rule set, which is itself defined in john.conf
• --format is the hash type that's being imported; in our case, it's NetNTLM

Cracked passwords appear on the left and their corresponding usernames are in parentheses to the right. You can tap any key (except for q, which will quit) to see a cracking status, complete with the percentage and estimated local time of completion.