Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 28 Oct 2018 08:43:52 -0400
From: Rich Rumble <>
Subject: Re: brute force unknown chars

On Sun, Oct 28, 2018 at 7:39 AM Powen Cheng <> wrote:

> Hello,
> Can anyone please help me as I can't figure out if this is even possible?
> Example: I know the password begins with "Password" but is 12 characters
> long.
> So, I would need to brute force the last 4 char using thecustom.chr that I
> created.
> Can someone please help me with this?
A custom.chr file might be faster, but depending on the hash type (fast or
slow) you could bruteforce 4 remaining chars very quickly with a mask, or
even the external-mode "knownforce".
I'd do the following:
./john -format=nt hash.txt -session=mask -mask=Password?a?a?a?a
 (Assumes your hash type is NTLM aka -format=nt)
That will try all characters appended to the end of the word "Password", if
the real password contains "?'s" escape them -mask=asdf\?lkjh?a?a?a?a
If you have more than one thread/CPU you may consider using Fork as well
 ./john -format=nt hash.txt -session=mask -mask=Password?a?a?a?a -fork=4
That will spit the load out to 4 threads just in case your hash type is not
benefiting from OMP

I think you can use your charset by adding a new rule like this to john.conf
 and running a command like
./john -stdout -i=thecustom.chr | ./john -pipe -format=nt
-session=custom-in -rules=append -w=word.txt hash.txt
This will output your characters from your custom charset and pipe them
into the next instance of john, and that instance is set to format NTLM,
use the rule in john.conf, a wordlist containing the known part of the
password, and then agains the hash you have in hash.txt.
Check out some of the older questions on John's mailing list too

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.