Using Rules in a Dictionary Attack

This video will show how to use rules to apply transformations and filters to word lists, rules in existing word lists, and creating custom sections.
Hello, world. I’m Zanidd and welcome back to the Hands On Password Cracking and Security Course on Code Red. In this section, we are going to take a look at dictionary attacks. In this video, we’re going to take a look at how to further use rules to crack passwords using dictionary attacks. We’ve learned from previous lessons that different rules can be used to apply transformations and filters to our word list. So how can we do this?
You just need to open the /etc/john/john.conf file in your favorite editor.
Then you can search for the corresponding section, namely List.Rules:Wordlist.
And you can see that there are already a couple of rules in this file. Now, you can still use these rules or you can create your own section like this and add your rules beneath it.
One important thing is, you might want to open this file as a root user. So just type in sudo, the name of your favorite editor, and the path to the john.conf file.
You might need a root user privilege to edit this file. So just enter sudo, the name of your favorite editor, the path to the file, hit Enter, and you have opened the file as root user.
One little hint, if you’re unfamiliar with Vim, you can also use Nano or a console editor.
Or you can use Mousepad or a standard editor with a GUI.
So what passwords will you encounter in this exercise, just to prepare you for the rules you will be writing? These are some examples. These are not the actual passwords that you’re going to break. But these are the classification of the passwords. So one is like football, a lowercase letters only password. And the second type will be like terces, which is just secret reversed. So you will have to reverse the words. Then we have something like jordan23, which is a lowercase word with two numbers. We also have something like !slegna777, which is basically a special symbol in front of a reversed word, in this case, it’s angels, and then three numbers at the end.
Then we have something like flowers, where you’ll have to replace O’s with zeros. And also something like Amanda, which is to capitalize the first letter and add a number suffix.
If you go into the repository, you will find a directory called dictionary rules.
In this directory, you’ll have a couple of files which contain MD5 hashes of passwords.
Now, every file is basically an explanation of the rule you’ll have to write to correct this file efficiently. For example, you can see lower case add two numbers will have a word that’s lower case and contains two numbers at the end. And capitalize and add number will be a word that starts with an uppercase letter, the rest will be lowercase. And at the end of the word will be a number, like Amanda9 in our example.
So, your exercise for this video is to create rules for the passwords shown before. But be cautious. The exercise passwords are just similar types, not the exact same passwords. Let’s see how efficient rules you can write and how fast you can crack the passwords. Thank you for watching this section about dictionary attacks. In the next section, we’re going to save computing time by using Rainbow tables.

This video will demonstrate how to use rules to apply transformations and filters to word lists.

You can use rules in existing word lists, or create your own custom sections, and add new rules beneath them.

Over to you: Write rules for the passwords mentioned in the video. Using these rules, crack the passwords using a dictionary attack. Share your experience with your fellow learners in the Comments section below.
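
Seen from the defender's side, the password classes listed in the video are the ones a password-change check should reject. The following Python sketch is an added example, not part of the course material: it reports which of those classes a candidate password falls into. The function names, the small word set and the symbol list are assumptions made for illustration.

```python
import string

# Constructed sample dictionary; a real check would load a full wordlist.
WORDS = {"football", "secret", "jordan", "angels", "flowers", "amanda"}
# Undo the one substitution the video mentions (o -> 0).
UNLEET = str.maketrans({"0": "o"})
SYMBOLS = string.punctuation  # assumption: any ASCII punctuation may be a prefix


def classify_core(core, words):
    """Name the transformation that maps a dictionary word to `core`."""
    if core in words:
        return "lowercase"
    if core[::-1] in words:
        return "reversed"
    if core[:1].isupper() and core[1:].islower() and core.lower() in words:
        return "capitalized"
    if core.translate(UNLEET) in words:
        return "o-to-0"
    return None


def mangling_class(password, words=WORDS):
    """Return e.g. 'reversed+symbol-prefix+3-digit-suffix', or None when the
    password is not one of the simple word mutations described in the video."""
    body = password.lstrip(SYMBOLS)
    prefix = password[: len(password) - len(body)]
    trailing = len(body) - len(body.rstrip(string.digits))
    # Try every split between core and digit suffix, so a core that itself
    # contains digits (fl0wers) is still tested whole.
    for k in range(trailing + 1):
        core, digits = body[: len(body) - k], body[len(body) - k:]
        base = classify_core(core, words)
        if base:
            tags = [base]
            if prefix:
                tags.append("symbol-prefix")
            if digits:
                tags.append(f"{len(digits)}-digit-suffix")
            return "+".join(tags)
    return None


if __name__ == "__main__":
    for pw in ["football", "terces", "jordan23", "!slegna777", "fl0wers",
               "Amanda9", "v7#Lq!2mZ"]:   # last one is a constructed negative
        print(f"{pw:12} -> {mangling_class(pw) or 'no match'}")
```

A password for which `mangling_class` returns a label sits within reach of a wordlist plus a handful of rules, so a policy check can refuse it regardless of its length or character mix.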

This article is from the free online

Advanced Cyber Security Training: Hands-On Password Attacks

Created by
FutureLearn - Learning For Life
