How To Crack Passwords with John The Ripper Single Crack Mode

As we stated before in single crack mode [List.Rules:Single] method of configuration file is used. In this mode login:password are cracked by using default password-list. Single Mode is much faster than Wordlist Mode.

Linux Example

We will crack linux passwords with Single Mode. First we need the create one file by unshadowing /etc/passwd and /etc/shadow like below

$ unshadow /etc/passwd /etc/shadow > unshadowed

After this operation we will get a file named unshadowed like below

root:$6$sRjaayov$u8sCzbiIxzunjyvPgRJurl24RMLfWgCKhuzGU/V0ZOWmH/JeeNMnaPOASdFN898/AEhmdTzNE7I6xDqDxeWbf.:0:0:root:/root:/bin/bash
ismail:$6$osz4Q6Ka$txKB/fjtuZhnFThDJEVKrJ8.E1LbojZYcWPuE6GGLxob.AWDoL3UXZtZ0FH98HR86ebZhGO.bZpl/qrJ2nzOP/:1000:1001::/home/ismail:/bin
/sh

Now john can help us very easily just giving file to john.

$ john unshadowed                                                                                                           
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"                                                
Use the "--format=crypt" option to force loading these as that type instead                                                            
Using default input encoding: UTF-8                                                                                                    
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])                                   
Press 'q' or Ctrl-C to abort, almost any other key for status                                                                          
123456           (ismail)

Show All Ready Cracked Password

If we run john again the password of user ismail will not listed. John provides info about this like below

$ john unshadowed                                                                                                           
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"                                                
Use the "--format=crypt" option to force loading these as that type instead                                                            
Using default input encoding: UTF-8                                                                                                    
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x]) 
Remaining 1 password hash

Because john has all ready cracked the password of ismail so it will resume from other password hash. If we want to see cracked password. We can use –show

$ john --show unshadowed  
ismail:123456:1000:1001::/home/ismail:/bin/sh 
 
1 password hash cracked, 1 left

Skipping Disabled Accounts/Shell

As a linux system there are a lot of service account without shell which means no access. We can filter them from john report wirh –shells options.

$ john --show --shells="/bin/false" unshadowed

• –shells provides disabled shell path here /bin/false is disabled shell for accounts

$ john --show --shells="-false" unshadowed

• -false means a file ends with false like /bin/false it it a shortcut

$ john --show --shells="-false,nouser" unshadowed

• -false,nouser is used for multiple user shells

Check If An Account Cracked

We can check if an account is all ready cracked.

$ john --show --users=0 unshadowed

• –user means we want a user password
• 0  is the user id where it is root

$ john --show --users=root unshadowed

• root  we have provieded user with its account name