This article proposes a strategy to crack a password when you have some information or hints about which word(s) it might contain.
Disclaimer: The techniques and solutions proposed here should only be used for educational purposes or ethical hacking.
Disclaimer number 2: I’m not claiming that these techniques and solutions are the only ones or that they cannot be improved. I would be very happy to read your opinions in the comments!
I had the idea of writing this article while doing a CTF in which I had to crack a password for a support account. I had the hash of the password so I used John The Ripper to try to find it. I first tried different wordlists and rules, but had no match. I had a hint that the password might contain the word “support”, as is often the case in CTFs (or admin accounts’ passwords containing “admin”). I created a wordlist containing only “support” and applied all the rules provided with John The Ripper (which produce more than 7 million variations of the word). I finally found the right password, which was something like Support2025@.
I then had the intuition that many account owners use a word in their passwords that is meaningful to them. It can be the name of the city they live in, of their cat or of the department they work in. Since they know it’s not very safe, they append a number to it (say, the current year or a birthdate) and sometimes a special character. We can think of passwords like 2020$admin or Paris1987!.
I therefore thought of a strategy to conduct what I call a “targeted” password cracking: not brute force, but first gathering information about potential words contained in the password, then trying as many variations of those as possible.
John The Ripper is a powerful password cracking tool. I won’t describe it in depth here; there are plenty of tutorials available, and you can find the documentation here.
The most basic command is:
john password-file
With no option, John will try to find the password using three modes in order:
Now use your imagination or OSINT to gather information about the target and deduce potential words composing the password (department name, city etc.). Do include words that were already present in the wordlists you tried at the first step: we will apply far more rules to them now than we did then. For instance, “admin” should be included for an administration account even if it is in password.lst.
Choose only a few words carefully; too many will make processing too time-consuming. It’s better to select two well-chosen words than ten random ones.
Put those words in a simple text file (we’ll call it potential-words.lst), one per line, without special characters or formatting.
Users can combine words to create passwords. For example, an IT service administrator in a Paris branch might use "admin_Paris2025".
Before passing your wordlist to John, add combinations of words to it. I created a small Python program for that (https://github.com/nena-v/combos). It generates every possible combination of two words from a list of words and keeps the original words as well.
It can be used like this:
python3 combos.py [options]
The available options are:
With the text file we created, we can launch:
python3 combos.py -w potential-words.lst -o potential_words_combos.lst
If the list contained “admin” and “paris”, the output will contain “admin”, “paris”, “adminadmin”, “adminparis”, “parisparis” and “parisadmin”.
At this step, don’t add separators or produce variations; these are handled by rules in step four.
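To make the combination step concrete, here is an added example (not the combos.py program from the repository above, and not the author’s code) that reproduces the behaviour the text describes: it cleans a word list, keeps the original words and appends every ordered two-word concatenation, including a word paired with itself. The sample word list is constructed inline to stand in for potential-words.lst.

```python
import itertools
from typing import Iterable, List


def load_words(lines: Iterable[str]) -> List[str]:
    """Clean a word list: strip whitespace, drop blank lines and duplicates,
    and keep the first-seen order so the output is predictable."""
    seen = set()
    words = []
    for line in lines:
        word = line.strip()
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def two_word_combos(words: Iterable[str]) -> List[str]:
    """Return the original words followed by every ordered pair glued together.

    itertools.product(..., repeat=2) yields (a, a), (a, b), (b, a), (b, b) for
    two words, so "adminadmin" and "parisparis" appear as well as the mixed pairs.
    No separators, capitalisation or digits are added here: that is left to the
    mangling rules applied in the next step.
    """
    cleaned = load_words(words)
    combos = [a + b for a, b in itertools.product(cleaned, repeat=2)]
    return cleaned + combos


# Constructed sample input standing in for the contents of potential-words.lst.
SAMPLE_WORDS = ["admin", "paris"]

if __name__ == "__main__":
    # Redirect stdout to a file to obtain the equivalent of potential_words_combos.lst.
    for candidate in two_word_combos(SAMPLE_WORDS):
        print(candidate)
```

Two words give six candidates, as in the text; n words give n + n² lines, which is why the list should stay short before seven million rule variations are applied to each entry.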
As mentioned, “--rules=RULES” can be used to apply mangling rules. The argument “All” applies every list of rules provided with John.
The configuration file (john.conf) warns the user about the “All” argument: “Only for very fast hashes and/or Single mode. Some of [the] rules are of ridiculous quality and lack optimizations — you have been warned.”
As our list is small, we can apply it. It will produce more than seven million variations of each word. If you want an idea of the huge variety of passwords that will be tried by John, you can use:
john --wordlist=potential_words_combos.lst --rules=All --stdout
This previews the variations without cracking anything. Pipe the result through “grep” to look for a pattern you have in mind, for instance:
john --wordlist=potential_words_combos.lst --rules=All --stdout | grep -i admin_paris
This command alone produces 2397 results.
You could also find results as “adm2025in”, “9782adminparis~”, “Admin}&!” or “Adminadm#in454”.
This highlights the need for not being too generous on the number of words at step three. But if you guessed right, you’ll likely find the password this way.
Avoid guessable words in your passwords. Even if you think no one knows your dog’s name, a password leak revealing Barky2025 for one account may help attackers guess variations on other accounts.
Use long, random passwords and a password manager.
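The flip side of the strategy above is a defensive check: if a password is only a mangled form of a word that can be guessed about its owner, it will fall to exactly the approach this article describes. The following added example (my own illustration, not a tool from the article) normalises a candidate password the way the mangling rules are undone, by lowercasing it and removing every digit and symbol, and then checks whether what remains is a guessable word or a concatenation of two of them. The list of guessable words and the 16-character minimum are constructed assumptions for the example.

```python
import re
from typing import Iterable, List, Optional

# Constructed list of words an attacker could plausibly guess for a given user
# (role, organisation, city, pet name). A real deployment would build this per
# user or per organisation and add common dictionary words.
GUESSABLE_WORDS: List[str] = ["admin", "support", "paris", "barky"]

# Assumed minimum length for passwords that are not based on a guessable word.
MIN_LENGTH = 16


def core_of(password: str) -> str:
    """Reduce a password to the letters it is built from.

    Lowercasing undoes capitalisation rules; dropping every non-letter removes
    appended years, prefixed digits, separators and even digits inserted inside
    the word ("adm2025in" -> "admin"). Only ASCII letters are kept. This is
    deliberately aggressive: a checker that over-rejects is safer than one that
    lets Support2025@ through.
    """
    return re.sub(r"[^a-z]", "", password.lower())


def guessable_base(password: str, words: Iterable[str]) -> Optional[str]:
    """Return the guessable word, or 'a+b' for a two-word concatenation, that the
    password is a simple mangle of; None if it is not built on the list."""
    lowered = [w.lower() for w in words]
    core = core_of(password)
    if not core:
        return None
    if core in lowered:
        return core
    for first in lowered:
        rest = core[len(first):]
        if core.startswith(first) and rest in lowered:
            return first + "+" + rest
    return None


def check_password(password: str, words: Iterable[str] = GUESSABLE_WORDS) -> str:
    """Policy decision as a short string, so callers can log the reason."""
    base = guessable_base(password, words)
    if base is not None:
        return f"reject: built on guessable word(s) {base}"
    if len(password) < MIN_LENGTH:
        return f"reject: shorter than {MIN_LENGTH} characters"
    return "accept"


if __name__ == "__main__":
    # Constructed candidates, including the shapes of passwords quoted in the article.
    for candidate in ["Support2025@", "admin_Paris2025", "2020$admin", "Barky2025",
                      "adm2025in", "xk4Q!vB9#rLm2$pW7zTq"]:
        print(f"{candidate!r:28} {check_password(candidate)}")
```

Run against the candidates above, every article-style password is rejected with the word it was built on, while the random 20-character string is accepted, which is the outcome a password manager gives you by default.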