/usr/share/wordlists
. Both fasttrack
and rockyou
are good for testing weak passwords. Many applications and services are installed with default passwords, so always check for those before attempting to crack them.format
option is not always necessary as john does a decent job of guessing. Here's a list of supported formats.S=
instead of failure parameter, verbose output:"
and :
in the JSON messages:m
is the hash format (e.g. m 13100 is Kerberos 5)a 0
is a dictionary attacko cracked.txt
is the output file for the cracked passwordtarget_hashes.txt
is the hash to be cracked/usr/share/wordlists/rockyou.txt
is the absolute path to the wordlist--force
is something I always have to add (think it's GPU-related)cpassword
and use gpp-decrypt:set username
or run a custom list with set user_file
. You can also run a longer password list with set pass_file
. Depending on how fast the server responds, you could use a big wordlist but otherwise stick to fasttrack.txt
.-m
is the minimum word length for words to save to the wordlist.-d
is the maximum depth the spider is allowed to scrape.-o
is offsite, used to allow the spider to leave the current website to another website.-w
is write to output file, specify the output file here.