Once we have a list of hashes to crack and a dictionary, let's proceed:
- Although John the Ripper is very flexible with regards to how it receives input, to prevent misinterpretations, we first need to set usernames and password hashes in a specific format. Create a text file called hashes_6_7.txt, containing one name and hash per line, separated by a colon (username:hash), as illustrated:
- Once we have the file, we can go to a Terminal and execute the john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes_6_7.txt command:
There are five out of six passwords in the word list. We can also see that john checked 2,607,000 comparisons per second (2,607 KC/s).
- john also has the option to apply modifier rules, add prefixes or suffixes, change the case of letters, and use leet speak on every password. Let's try the following command on the still-uncracked password:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes_6_7.txt --rules
We can see that the rules worked and we found the last password:
