JOHN THE RIPPER
PASSWORD HASH CRACKING TRAINING LAB
MODULE 03 — SHADOW · MD5 · RULES · BCRYPT · WORDLISTS
Loading wordlist: rockyou.txt (14,344,391 words)...

OBJECTIVES

Identify hash types
Crack /etc/shadow hashes
Crack MD5 database hashes
Use --rules for complex passwords
Display cracked passwords (--show)
Attempt to crack bcrypt hash
Submit the pentest report
PHASE 1 — HASH IDENTIFICATION
MISSION BRIEF
PENTEST ENGAGEMENT — POST-EXPLOITATION

JOHN THE RIPPER

HASH CRACKING — RECOVERED CREDENTIALS

SCENARIO

During the web server compromise you obtained read access to /etc/shadow and exfiltrated a database dump containing password hashes. Use John the Ripper to crack as many as possible and document the recovered credentials.

RECOVERED FILES

File            Contents
shadow.txt      /etc/shadow — 4 Linux users
db_hashes.txt   Database dump — 4 MD5 hashes
bcrypt.txt      Single bcrypt hash — admin account

PHASES

  • Phase 1 — Identify hash types
  • Phase 2 — Crack shadow file (sha512crypt)
  • Phase 3 — Crack MD5 database hashes
  • Phase 4 — Use rules for complex passwords
  • Phase 5 — Show all cracked passwords
  • Phase 6 — Test bcrypt limits

WORDLIST

The standard /usr/share/wordlists/rockyou.txt is available. John auto-detects hash formats — you can also specify with --format= if needed.

TERMINAL — attacker@kali:~$
┌──(attacker㉿kali)-[~/loot]
└─$ # Hash files available: shadow.txt db_hashes.txt bcrypt.txt
└─$ # Type "help" for commands
└─$
HASH VIEWER — RECOVERED FILES
shadow.txt
db_hashes.txt
bcrypt.txt
REFERENCE — JOHN THE RIPPER
BASIC SYNTAX
john [options] [hashfile]
COMMON FLAGS
Flag               Description
--wordlist=FILE    Use a wordlist for dictionary attack
--format=TYPE      Force a specific hash format
--rules            Apply mangling rules to wordlist
--show             Show previously cracked passwords
--list=formats     List all supported formats
--incremental      Brute force all combinations
--single           Single crack mode (uses username info)
HASH FORMATS
Format        Example prefix
sha512crypt   $6$...
sha256crypt   $5$...
md5crypt      $1$...
bcrypt        $2b$... or $2a$...
md5           32 hex chars
ntlm          32 hex chars (Windows)
IDENTIFYING HASHES
hash-identifier
john --list=formats | grep -i md5
COMMON EXAMPLES
Crack shadow file
john --wordlist=/usr/share/wordlists/rockyou.txt shadow.txt
Crack MD5 hashes
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt db_hashes.txt
Use rules
john --wordlist=/usr/share/wordlists/rockyou.txt --rules shadow.txt
Show cracked
john --show shadow.txt
Identify hash type
john --list=formats
WHY BCRYPT IS HARD
bcrypt uses a cost factor (work factor) that makes each hash attempt orders of magnitude slower than MD5. In the prefix $2b$12$ the cost factor is 12, which means 2^12 = 4096 rounds of hashing per attempt. Where MD5 can be tested at billions of guesses per second, bcrypt might allow only hundreds per second.
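The following is an added example, not part of the lab or of John the Ripper: a small auditor that applies the HASH FORMATS prefixes above to a credential dump and reports the per-guess work each stored hash demands, which is what decides how well it resists cracking. The function names and sample lines are constructed for illustration; the 5000-round default for SHA-crypt and the fixed 1000 iterations of md5crypt are properties of those algorithms, not values from this page.

```python
import re

# Prefixes from the lab's HASH FORMATS table -> John format name.
CRYPT_PREFIXES = {"6": "sha512crypt", "5": "sha256crypt", "1": "md5crypt",
                  "2a": "bcrypt", "2b": "bcrypt"}
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

def classify(hash_field):
    """Return (format, work); work is iterations per guess, None if unknown."""
    if HEX32.match(hash_field):
        # The table lists both md5 and ntlm as 32 hex chars: length alone
        # cannot tell them apart, so the origin of the dump has to decide.
        return ("raw-md5 or ntlm (ambiguous)", 1)
    parts = hash_field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in CRYPT_PREFIXES:
        return ("unknown", None)
    fmt = CRYPT_PREFIXES[parts[1]]
    if fmt == "bcrypt":
        return (fmt, 2 ** int(parts[2]))          # $2b$12$ -> cost 12 -> 4096
    if fmt == "md5crypt":
        return (fmt, 1000)                        # fixed by the algorithm
    m = re.match(r"^rounds=(\d+)$", parts[2])     # optional SHA-crypt parameter
    return (fmt, int(m.group(1)) if m else 5000)  # 5000 = SHA-crypt default

def audit(lines):
    """Map user -> (format, work) for 'user:hash[:...]' lines; skip locked accounts."""
    report = {}
    for line in lines:
        user, _, rest = line.strip().partition(":")
        field = rest.split(":")[0]
        if field and field not in ("*", "!", "!!"):
            report[user] = classify(field)
    return report

# Constructed sample lines (filler characters, not real hashes).
SAMPLE = [
    "alice:$6$saltsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "bob:$6$rounds=100000$saltsalt$" + "B" * 86 + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
    "webuser:" + "ab" * 16,
    "admin:$2b$12$" + "c" * 53,
]

if __name__ == "__main__":
    for user, (fmt, work) in audit(SAMPLE).items():
        print(f"{user:8} {fmt:28} iterations/guess={work}")
```

Unsalted single-iteration hashes sort to the bottom of this report, which is the remediation finding the pentest report should carry for the database dump.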
PENTEST REPORT — HASH CRACKING
SHADOW FILE — sha512crypt ($6$)
Enter the cracked password for each user. Leave blank if not cracked.
DATABASE HASHES — Raw-MD5
Enter the cracked password for each user.
BCRYPT — $2b$12$