Skip main navigation

Brute Forcing your First Real Password

In this video, Zanidd will demonstrate how to crack a real password using John the Ripper and a custom brute force mode.
6.2
Hello, world. I’m Zanidd. And welcome back to the Hands On Password Cracking and Security course. In this lesson, you will crack your first real password using john and a custom brute-force mode. What are some common passwords that we will find in the wild? The more advanced users will have a password manager and generate a random password. Those are the ones that are impossible to crack with dictionary attacks if they haven’t been dumped or leaked. A more common password is usually one or multiple words from a language, like “banana,” “pineapple” or “don’t hack me”.
44.8
But the most common type will be a password consisting of one or more words, and the minimum requirements for the web page, like one number and one uppercase letter. Some examples are Jesus123, password0, and W3r3w0lf written in leetspeak. We will take our passwords for this exercise from the rockyou word list. The rockyou word list is a list of the most commonly used passwords taken from dumps. We will try to crack some of the most commonly used passwords.
89.2
Okay, you can find the files for this exercise in the repository in the directory, brute force real life.
106.9
There are four passwords for you to crack, but eight files. There’s always one version of the file where you have the information about the password and one where you don’t have the information. For example, if we look at password three, password three has a version without information and one that tells us it has four to eight lowercase letters. Also, we are trying to crack different hashing algorithms. One is MD5, which would be pretty easy, and the other is SHA2. Each password file has the hashing function in the name, so you don’t have to guess it.
183.2
To set the hashing algorithm in john, just add the format option. For SHA2, add format raw dash SHA256. And for MD5, and for MD5, add the format raw-MD5.
209.9
After that, you can add your […]
230.3
After that, you can add the incremental mode and follow it with the filename.
243.9
Try making custom modes and comparing how the performance is between the version with information and the one without. And for cracking the passwords in the next section, we will look at a faster method for such passwords, dictionary attacks.

This video demonstrates how to crack a real password using John the Ripper and a custom brute force mode.

Passwords are typically randomly generated with a password generator or a password manager. Some are words from a language, and most commonly, passwords are words from a language, with added symbols, as per the minimum requirements of the company in question. We will look at a list of commonly used passwords from a word list, and start there.

Over to you: Crack your first real password using John the Ripper and a custom brute force mode. Report back on the experience in the Comments section below.

This article is from the free online

Advanced Cyber Security Training: Hands-On Password Attacks

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education