3

I am practicing reversing md5 hashed passwords using John the Ripper and was curious about some behaviour. I added the md5 hash of zaa to the top of the file with the hashes and when I ran john passwordFile.txt it reversed the hash to find zaa very quickly, but when I set it to incremental mode...well it's still running. How does incremental mode work? It has successfully reversed other passwords like

cilldara
5487175a
wcjzfm

but no zaa so it doesn't appear to be going in alphabetical order?

UPDATE: I have observed what I believe is the fact that john never outputs the same password more than once, even between successive invocations (unless --show option is specified). For example if a wordlist is used and cracked a password myname123 then running john again in incremental mode, won't in fact print myname123 again; you need to do john samefile.txt --show to get it to output (I think it caches the cracked passwords). My reasoning is from what I observed, another part is the statement answering why no passwords may be hashed:

All of the password hashes found in the file (that are of the same type as the very first recognized hash in the file unless you're using the "--format=..." option) might be already cracked by previous invocations of John

Here is one example of trying to run the command in incremental mode

[dev@localhost ~]$ john --format=raw-md5  'passwords.md5 (copy).raw' --incremental
Loaded 2 password hashes with no different salts (Raw MD5 [SSE2i 10x4x3])
No password hashes left to crack (see FAQ)

Then if I go into passwords.md5 and add a new hash at the top and rerun the results are different

[dev@localhost ~]$ john --format=raw-md5  'passwords.md5 (copy).raw' --incremental
Loaded 1002 password hashes with no different salts (Raw MD5 [SSE2i 10x4x3])
Remaining 942 password hashes with no different salts
hi               (?)

The new (crappy) password was 'hi'

schroeder
Celeritas

3 Answers

1

Incremental mode is not meant to be used with a wordlist. Incremental mode allows you to bruteforce a character space such as lowercase letters. For the example of the lowercase character space the bruteforce would start at one character, try all the combinations, move to two characters, and repeat until the password is cracked.

alxjsn
1

As noted here, incremental mode uses trigraph frequencies to prioritize the order of attempted passwords. It comes with a set of pre-generated "charsets" that define a cracking order based on statistics from cracked passwords.

The charsets are generated by the code here based on the character combinations and character positions in passwords that have already been cracked, then some additional sorting is done here to prioritize the "most likely" passwords.

As an example, I generated a charset with john --make-charset=test.chr based on only 2 passwords ("123" and "abc"), and configured it with:

[Incremental:test]
File = $JOHN/test.chr
MinLen = 0
MaxLen = 6
CharCount = 7

When using that charset (john --format=raw-md5 --incremental:test passwords.md5) the first 20 passwords it tried are:

1 2 3 a b c 123 abc 1bc a23 12c 1b3 ab3 a2c 11 21 1111 2111 11111 21111

As you can see it skips back and forth between different lengths, trying what is "most likely" first based on the statistics of the passwords used to generate the charset (obviously with only 2 passwords it doesn't have much to go on).

Adding "1234" to the cracked passwords and regenerating the charset, the first 20 passwords tried are:

1234 1 2 3 4 a b c 123 abc 1bc a23 12c 1b3 ab3 a2c 11 21 2234 11111
AndrolGenhald
1

Because John the Ripper (JtR) had already found/cracked your hash and saved it in the file john.pot, you don't see the password cracked again when you run John in incremental mode. You could empty the file john.pot (make the file empty) so that you can see John the Ripper crack your hash in incremental mode.
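The pot-file behaviour described in the question's update and in the answer above, modelled as an added example (not code from the original posts or from John the Ripper itself). It assumes pot lines of the form `hash:plaintext`, optionally tagged `$dynamic_0$` for raw MD5; the helper names and the sample data are constructed for illustration.

```python
import hashlib

DYN_PREFIX = "$dynamic_0$"  # assumption: tag some builds put on raw-MD5 pot entries

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def normalise(h):
    """Strip the assumed format tag and lowercase the hex digest."""
    h = h.strip()
    if h.startswith(DYN_PREFIX):
        h = h[len(DYN_PREFIX):]
    return h.lower()

def parse_pot(pot_text):
    """Map hash -> plaintext from pot lines of the assumed form '<hash>:<plaintext>'."""
    cracked = {}
    for line in pot_text.splitlines():
        if ":" not in line:
            continue
        h, plain = line.split(":", 1)  # the plaintext may itself contain ':'
        cracked[normalise(h)] = plain
    return cracked

def load_summary(hash_text, pot):
    """Return (loaded, remaining, shown) for a file of bare or 'user:hash' lines."""
    loaded = []
    for line in hash_text.splitlines():
        line = line.strip()
        if not line:
            continue
        h = normalise(line.split(":", 1)[1] if ":" in line else line)
        if h not in loaded:  # duplicate hashes are counted once
            loaded.append(h)
    remaining = [h for h in loaded if h not in pot]   # what a new run still attacks
    shown = {h: pot[h] for h in loaded if h in pot}   # what --show would list
    return len(loaded), remaining, shown

# Constructed sample data: pot entries left behind by an earlier wordlist run.
POT = parse_pot(f"{DYN_PREFIX}{md5_hex('zaa')}:zaa\n{md5_hex('myname123')}:myname123\n")
HASHES = f"{md5_hex('zaa')}\n{md5_hex('myname123')}\n"

if __name__ == "__main__":
    for label, text in (("original file", HASHES),
                        ("new hash added", md5_hex("hi") + "\n" + HASHES)):
        loaded, remaining, shown = load_summary(text, POT)
        status = f"Remaining {len(remaining)}" if remaining else "No password hashes left to crack"
        print(f"{label}: Loaded {loaded}; {status}; --show lists {sorted(shown.values())}")
```

Hashes already in the pot are filtered out before any cracking mode starts, which is why a password found by an earlier run never appears in a later incremental run's output.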