Cracking password hashes with John the Ripper by using a dictionary
In the previous recipe and in Chapter 6, Exploitation – Low Hanging Fruits, we extracted password hashes from databases. Sometimes, this is the only way of finding password information when performing penetration tests. To find the real passwords, we need to recover them from those hashes; since hashes are produced by one-way algorithms, there is no way of decrypting a password directly, so slower methods such as brute force and dictionary cracking are necessary.
In this recipe, we will use John the Ripper (JTR or simply John), the most popular password cracker, to recover passwords from the hashes extracted in the Step by step basic SQL Injection recipe in Chapter 6, Exploitation – Low Hanging Fruits.
How to do it...
Although JTR is very flexible with respect to how it receives input, to prevent misinterpretations, we first need to set usernames and password hashes in a specific format. Create a text file called...
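As an added example, not code from the book or from John itself, the following Python script shows the dictionary-cracking idea this recipe relies on, reading a hash file in the same username:hash layout that John expects; the accounts, hashes and wordlist are constructed for the demonstration and unsalted MD5 is assumed as the hash algorithm.

```python
import hashlib

# Constructed sample input in the username:hash layout John expects
# (one account per line). These are made-up accounts, not the hashes
# from the Chapter 6 recipe; the first three are unsalted MD5 of weak
# passwords, the last one is MD5 of a passphrase absent from the wordlist.
SAMPLE_HASH_FILE = "\n".join([
    "admin:21232f297a57a5a743894a0e4a801fc3",    # md5("admin")
    "smithy:5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "alice:e99a18c428cb38d5f260853678922e03",    # md5("abc123")
    "bob:" + hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
])

# Constructed mini wordlist standing in for rockyou.txt or John's default list.
WORDLIST = ["letmein", "admin", "password", "abc123", "qwerty", "123456"]


def parse_hash_file(text, algo="md5"):
    """Parse 'user:hash' lines, rejecting anything that is not a well-formed
    hex digest of the expected length so a bad line cannot be misread."""
    expected_len = hashlib.new(algo).digest_size * 2
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, digest = line.partition(":")
        digest = digest.lower()
        if not sep or not user or len(digest) != expected_len \
                or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: expected user:<{algo} hex>, got {line!r}")
        entries.append((user, digest))
    return entries


def dictionary_attack(entries, wordlist, algo="md5"):
    """Hash every candidate once and look up all targets in the result.
    Returns {user: recovered_password_or_None}. Because the hashes are
    unsalted, one pass over the wordlist tests it against every account at
    once; a per-user salt would force a separate pass per account."""
    candidates = {}
    for word in wordlist:
        candidates[hashlib.new(algo, word.encode()).hexdigest()] = word
    return {user: candidates.get(digest) for user, digest in entries}


if __name__ == "__main__":
    for user, pw in dictionary_attack(parse_hash_file(SAMPLE_HASH_FILE), WORDLIST).items():
        print(f"{user}: {pw if pw is not None else '(not in wordlist)'}")
```

Only the three accounts with wordlist passwords are recovered; the fourth stays unknown until a larger wordlist or brute force is tried, which is the cost difference the recipe is about.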