• Email info@cyberry.co.uk
  • Password mutating with John the Ripper

  • John the Ripper is an incredible tool for cracking passwords. It was developed by Alexander Peslyak who is behind the Openwall project. I won’t be covering everything on John on this page, as I’d like to focus specifically on password mutating, following on from a previous page written on “spidering” webpages to extract unique words to be used for password cracking.

    So at this stage you should have a word list text file using something like cewl, and are now ready to mutate the word list. What exactly do I mean by mutate? Well for a start, a lot of people using a combination of numbers and letters to form their password. Some secure systems actually insist upon this.

    In 2006, a password phishing scam was conducted on Myspace users. Somewhere in the region of 34,000 Myspace users had their passwords and usernames stolen. Deeper analysis of this particular attack provided insight on the characteristics of common passwords used today. Out of the 34,000 users who were hacked:

    1.3% of passwords consisted of numbers only
    9.6% consisted of lower-case letters only
    8.3% of passwords contained “non-alphanumeric” symbols or characters (e.g. $) including upper-case and lower-case letters
    81% of password were pure lowercase alphanumeric

    If you didn’t already know, it’s a very bad idea to use a password that is purely consistent of letters or numbers as they can very quickly be brute-forced owing to the relatively small number of combinations involved.

    For example, an 8-character numeric password (consisting of values 0-9) has over 111 million (111,111,110 to be precise) password combinations. That might sound like a lot, but it would typically take John the Ripper around 12 seconds to crack on a reasonably fast 3.4GHz Intel Core i7-2600 home computer.

    The same 8-character password consisting of lowercase letters (a-z) is slightly more time-consuming, as there are 26 characters to use, and 217 billion (217,180,147,158) combinations….but it would still be cracked by the same computer in under 7 hours.

    As you can see, these password types are very insecure, hence the reason that most companies will prevent usage of these password types nowadays.

    The most common password type used is pure alphanumeric lowercase. Whilst this isn’t the most secure password type, it’s still a lot more secure than the previous two types. If we look at every possible combination of 8-character password using alphanumeric lowercase, then we have potentially 26 letters + 10 numbers for every character, which is a total of over 2 Trillion combinations (2,901,713,047,668), which would now take the same computer a little over 3 days and 19 hours to crack. OK it’s not bullet-proof, but we’re now in the realms of a process that’s fairly time-consuming, so the average hacker would ask themselves, “how valuable really is this this information that I’m trying to access?”

    For completeness, the most secure password type also includes symbols and uppercase letters, which unfortunately still remains uncommon. There are in fact 94 possible “printable” ASCII characters (excludes DEL) that you could use as part of a password. So the same 8-character password now suddenly has over 6 Quadrillion (6,161,234,432,565,770) combinations, and would take the same computer over 22 years to brute force!

    Complete list of 94 ASCII characters for reference:

    Now just as a quick disclaimer, GPU processing speed and power has progressed massively over the last 5 years or so, and continues to do so. Distributed GPU server “farms” could brute-force passwords far quicker than this. That same 8-character password I mentioned with 6 quadrillion combinations has reportedly been brute-forced by a super-cracking cluster server consisting of 25 AMD Radeon GPU cards (which is capable of making 350 billion guesses per second) in just under 6 hours, which is a huge improvement over the estimated 22 years of a standard home desktop computer!

    I won’t go into password security too deeply here, but it’s also worth mentioning that password length is equally important. Turning that 8-character password into a 9-character password suddenly increases the number of combinations to a whopping 579,156,036,661,182,500 combinations, and the 3.4GHz Intel Core i7-2600 home computer would take over TWO THOUSAND YEARS to brute force! Based on my calculations, that would still take the super-cracking cluster server somewhere around 24 days to crack – Pretty secure.

    OK so putting that aside for now, lets re-focus on John the Ripper and password mutation, and what I’d like to do is mutate the password list I generated from cewl in a previous example (mustangwords.txt) to make all the words in my word list lowercase, and then append three numbers to the end of it. This should give me a total of 1,110 combinations for each and every word in my list.

    For example




    My word already list had 1751 words in it, so I would expect the password list to eventually end up with 1,751 x 1,110 = 1,943,610 combinations of passwords.

    To do this, we first need to create a Rule Set, which is added to the John the Ripper configuration file (john.conf)

    We begin by accessing the configuration file. I personally prefer to use Nano in Linux to edit text files, so my command would be as follows:

    root@kali:~# nano /etc/john/john.conf

    Once the text file is opened, I now want to add my own custom Rule Set which will be to convert each word to lowercase and add three numbers. I need to give my rule set a name to reference, so I will call it convtolowerplus000

    In order to add a rule set to the configuration file, it needs to be in the following format:


    Therefore in this instance it will be:


    directly below this I will add a quick comment to remind myself exactly what this rule set is doing. Comments begin with the # sign.

    Finally I will add my rules, which is to take each word, convert it to lowercase, and then append three numbers to it.

    My compete rule set will look like this:

    # This will convert the words in my word list to lowercase, and then append three digits to the end

    To explain that last line, the l at the beginning tells John to convert each word to lowercase, followed by $[0-9] three times, where the $ means “append” and the range of numbers I wish to use are in the square brackets. So basically I want John to give me three digits of every combination on the end of each word.

    We now save the configuration file, and it’s time to try the rule set out!

    so we issue the following command:

    root@kali:~# john –wordlist=mustangwords.txt –stdout –rules:convtolowerplus000 > newmustangwords.txt

    Basically this is broken up as follows:

    john self-explanitory, start John the Ripper
    –wordlist= specifying the word list we want to mutate
    –stdout output the words generated
    –rules: this is the rule set we generated in the configuration file
    > output the results to a new text file

    With any luck you will now have a new text file with all of the words in lowercase, with three digit values appended to the end.

    You can check the number of new words in the file with the simple command:

    root@kali:~# wc -w < newmustangwords.txt


    I should state that the John config file already has a ton of rule sets that you can try out and there are even more complex ones that can be found on the internet. This is just a simple example of creating your own customized word list from your own rule set, but there are tons of other ways of customizing the tool. It’s down to the individual pen tester to decide on the best way to do this.