Main Content

Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)
You can donate via Bitcoin or Patreon!

Custom Rules for John the Ripper

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool.

One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm]much more secure[/sarcasm]: Password1.

This has the annoying effect of making our basic wordlists ineffective and we need to have it so that it includes modifications of this nature – a capital letter at the beginning and a number (or less commonly a symbol) at the end. Rules to the rescue.

With jumbo John there are out-of-the-box rules that are pretty effective, instead of running the following command:

john 127.0.0.1.pwdump --wordlist=dictionary.txt

try something like this:

john 127.0.0.1.pwdump --wordlist=dictionary.txt --rules
john 127.0.0.1.pwdump --wordlist=dictionary.txt --rules=Jumbo

You’ll see that John takes passwords from the supplied wordlist and modifies or mangles them in interesting ways. These rule sets are good, but I dug a little deeper and wrote some of my own, specifically designed to combat Microsoft’s Complexity tactics. I’ve had great success!

Rule sets get placed in the bottom of your john.conf file (usually found in /etc/john.conf if you’ve chosen to make install) and are prefixed with a name so that you can specify them (like above how I’ve added the named rule set “Jumbo”). They look something like this:

[List.Rules:Example]
cAz"[0-9]"

This particular rule should definitely be included within your rule set, but what does it mean? Simply it means capitalize the first letter and add a number suffix. So password input becomes Password1 output. It can be called with ‐‐rules=Example. Easy!

The characters at the beginning are where the additions should be made, so either at the beginning or end with the following two: To take the root word and affix something to the end use: Az, or to take the root word and prefix something to the end use: A0
Additionally we can get john to caps that first character for us – so to take the root word and capitalize the first character and then affix something use: cAz.
The “something” here are characters from a charset, so as before [0-9] is numbers, A-z is both upper and lowercase letters and symbols can be added in like this: [£!$@#]

So a simple example rule set could be:

cAz"[0-9]"
cAz"[0-9][0-9]"
cAz"[£!$]"
cAz"[0-9][£!$]"

Note: some symbols have the be “slashed-out” such as [ and ] must be added to the rules in the slashed form like: cAz”[[]]”

Have some fun, play around and maybe take a look at what I’ve come up with here.