Brute Forcing your First Real Password

In this video, Zanidd will demonstrate how to crack a real password using John the Ripper and a custom brute force mode.
6.2
Hello, world. I’m Zanidd. And welcome back to the Hands On Password Cracking and Security course. In this lesson, you will crack your first real password using john and a custom brute-force mode. What are some common passwords that we will find in the wild? The more advanced users will have a password manager and generate a random password. Those are the ones that are impossible to crack with dictionary attacks if they haven’t been dumped or leaked. A more common password is usually one or multiple words from a language, like “banana,” “pineapple” or “don’t hack me”.
44.8
But the most common type will be a password consisting of one or more words, and the minimum requirements for the web page, like one number and one uppercase letter. Some examples are Jesus123, password0, and W3r3w0lf written in leetspeak. We will take our passwords for this exercise from the rockyou word list. The rockyou word list is a list of the most commonly used passwords taken from dumps. We will try to crack some of the most commonly used passwords.
89.2
Okay, you can find the files for this exercise in the repository in the directory, brute force real life.
106.9
There are four passwords for you to crack, but eight files. There’s always one version of the file where you have the information about the password and one where you don’t have the information. For example, if we look at password three, password three has a version without information and one that tells us it has four to eight lowercase letters. Also, we are trying to crack different hashing algorithms. One is MD5, which would be pretty easy, and the other is SHA2. Each password file has the hashing function in the name, so you don’t have to guess it.
183.2
To set the hashing algorithm in john, just add the format option. For SHA2, add format raw-SHA256. And for MD5, add the format raw-MD5.
209.9
After that, you can add your […]
230.3
After that, you can add the incremental mode and follow it with the filename.
243.9
Try making custom modes and comparing how the performance is between the version with information and the one without. And for cracking the passwords in the next section, we will look at a faster method for such passwords, dictionary attacks.

This video demonstrates how to crack a real password using John the Ripper and a custom brute force mode.

Passwords are typically randomly generated with a password generator or a password manager. Some are words from a language; most commonly, they are words from a language with symbols added to meet the minimum requirements of the company in question. We will look at a list of commonly used passwords from a word list, and start there.
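Seen from the defender's side, the password types described above suggest a check to run when a password is set. The following is an added example, not code from the course: the word set is a constructed stand-in for a real common-password list, and the function names `meets_minimum` and `weak_pattern` are hypothetical. It shows that a password can satisfy "one number and one uppercase letter" and still reduce to a common word.

```python
import re

# Constructed stand-in for a common-password list (assumption: a real check
# would load a full list of leaked passwords instead of these five words).
COMMON_WORDS = {"banana", "pineapple", "jesus", "password", "werewolf"}

# Common leetspeak substitutions, mapped back to the letters they replace.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_minimum(password):
    """Composition rule named in the lesson: one number, one uppercase letter."""
    return any(c.isdigit() for c in password) and any(c.isupper() for c in password)


def weak_pattern(password, words=COMMON_WORDS):
    """Return a label if the password reduces to a listed word, else None."""
    lowered = password.lower()
    # Digits or symbols added at either end to satisfy a composition rule.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    candidates = [
        (lowered, "plain word"),
        (stripped, "word plus digits/symbols"),
        (lowered.translate(LEET), "leetspeak word"),
    ]
    for form, label in candidates:
        if form in words:
            return label
    return None


if __name__ == "__main__":
    # Sample passwords: the first five appear in the lesson, the last is constructed.
    for pw in ["banana", "Jesus123", "password0", "W3r3w0lf", "pineapple", "xK9#qLm2vT"]:
        print(f"{pw:12} policy_ok={meets_minimum(pw)!s:5} weak={weak_pattern(pw)}")
```
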

Over to you: Crack your first real password using John the Ripper and a custom brute force mode. Report back on the experience in the Comments section below.

This article is from the free online Advanced Cyber Security Training: Hands-On Password Attacks

Created by FutureLearn - Learning For Life
