Brute Force Attacks

Learn how to perform brute force attacks with John the Ripper using incremental mode

Brute force attacks try every possible combination of characters until the correct password is found. John the Ripper implements brute force attacks through its "incremental mode," which is more sophisticated than a simple character-by-character approach.

Understanding Incremental Mode

John's incremental mode is a smart brute force attack that:

  1. Tries character combinations in order of decreasing probability
  2. Uses statistical models to prioritize more likely passwords
  3. Can be customized for different character sets and password patterns

Basic Incremental Mode Usage

Simple Incremental Mode Command

john --incremental hash.txt

This command uses the default "Incremental" mode, which tries all possible character combinations based on built-in character frequency tables.

Specifying Character Sets

John comes with several predefined character sets:

# All ASCII printable characters
john --incremental=All hash.txt

# Only lowercase letters
john --incremental=Lower hash.txt

# Only digits
john --incremental=Digits hash.txt

# Lowercase letters and digits
john --incremental=LowerNum hash.txt

# Lowercase and uppercase letters
john --incremental=Alpha hash.txt

# Lowercase, uppercase, and digits
john --incremental=AlphaNum hash.txt

Advanced Incremental Mode Options

Limiting Password Length

You can limit the maximum password length to try:

john --incremental=All --max-length=6 hash.txt

This restricts the attack to passwords of 6 characters or fewer, which can significantly reduce the search space.

Custom Character Sets

You can define custom character sets in the john.conf file:

[Incremental:Custom]
File = $JOHN/custom.chr
MinLen = 1
MaxLen = 8
CharCount = 36

Then generate the .chr file:

john --make-charset=custom.chr

And use it:

john --incremental=Custom hash.txt

Mask-Based Brute Force

John also supports mask-based attacks, which are a more targeted form of brute force:

john --mask='?l?l?l?l?d?d' hash.txt

This tries all combinations where:

  • ?l represents lowercase letters
  • ?d represents digits

The example would try all 6-character passwords with 4 lowercase letters followed by 2 digits.

Available Mask Characters

Placeholder  Meaning    Characters
?l           Lowercase  abcdefghijklmnopqrstuvwxyz
?u           Uppercase  ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d           Digits     0123456789
?s           Special    !@#$%^&*-_+=~`[]
?a           All ASCII  All printable ASCII characters
?b           Binary     All 256 possible byte values

Custom Character Sets in Masks

You can define custom character sets within a mask:

john --mask='?l?l?l?l[0123456789abc]' hash.txt

This tries all combinations where the last character is one of the specified characters.

Markov-Chain Brute Force

John supports Markov-chain-based brute force, which uses statistical models to prioritize more likely character combinations:

john --markov=100 hash.txt

The number after --markov= represents the threshold level from 0 to 100. Lower values try fewer but more likely passwords.

Markov Mode Options

# Specify a level and starting/ending password lengths
john --markov=150:3:10 hash.txt

# Use a specific stats file
john --markov --mkv-stats=stats.file hash.txt

Performance Considerations

Time Complexity

The search space of a brute force attack grows exponentially with password length:

Character Set  Size  6 chars      8 chars          10 chars
Lowercase      26    308 million  208 billion      141 trillion
Alphanumeric   62    56 billion   218 trillion     839 quadrillion
All ASCII      95    735 billion  6.6 quadrillion  59 quintillion
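
The growth in the table above, extended to the masks shown on this page, as an added example (not code from the original page or from the John the Ripper project): it counts the candidates a mask or a length-limited exhaustive search covers and the worst-case time to exhaust them, which is the figure to hold a password policy against. The function names and guess rates are assumptions, and bracket sets are read as explicit character lists, as in the page's own mask example.

```python
import re

# Placeholder sizes follow the mask table on this page: ?s is the 16 characters
# listed there, ?a the 95 printable ASCII characters, ?b all 256 byte values.
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 16, "a": 95, "b": 256}
TOKEN = re.compile(r"\?([ludsab])|\[([^\]]+)\]|(.)", re.S)

def mask_keyspace(mask):
    """Number of candidates a mask such as '?l?l?l?l?d?d' generates."""
    total = 1
    for cls, custom, _literal in TOKEN.findall(mask):
        if cls:
            total *= CLASS_SIZES[cls]
        elif custom:
            total *= len(set(custom))  # duplicates inside [...] add nothing
        # any other character is a fixed literal and contributes a factor of 1
    return total

def exhaustive_keyspace(charset_size, max_len, min_len=1):
    """Candidates for every length from min_len to max_len (as with --max-length)."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def worst_case(keyspace, guesses_per_second):
    """Time to exhaust the keyspace, in the largest unit that fits."""
    seconds = keyspace / guesses_per_second
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Constructed guess rates (assumptions): a fast unsalted hash on a GPU
    # versus a deliberately slow password hash.
    rates = {"fast hash": 10_000_000_000, "slow hash": 10_000}
    cases = {
        "mask ?l?l?l?l?d?d": mask_keyspace("?l?l?l?l?d?d"),
        "mask ?l?l?l?l?l?d?d?d": mask_keyspace("?l?l?l?l?l?d?d?d"),
        "digits, up to 4": exhaustive_keyspace(10, 4),
        "all ASCII, up to 8": exhaustive_keyspace(95, 8),
        "all ASCII, up to 10": exhaustive_keyspace(95, 10),
    }
    for name, size in cases.items():
        times = ", ".join(f"{label}: {worst_case(size, rate)}"
                          for label, rate in rates.items())
        print(f"{name:24} {size:>26,}  {times}")
```

Passwords that fit a predictable shape, such as a short word followed by digits, fall into keyspaces many orders of magnitude smaller than the table's figures for their length, and the hash's cost per guess moves the result as much as the length does.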

Optimization Strategies

  1. Use GPU acceleration when available:

    john --incremental=All --format=md5crypt-opencl hash.txt
    
  2. Distribute the workload across multiple cores:

    john --incremental=All --fork=4 hash.txt
    
  3. Split the workload across multiple machines:

    # Machine 1
    john --incremental=All --node=1/3 hash.txt
    
    # Machine 2
    john --incremental=All --node=2/3 hash.txt
    
    # Machine 3
    john --incremental=All --node=3/3 hash.txt
    

When to Use Brute Force

Brute force attacks are most effective when:

  1. Passwords are short (8 characters or fewer)
  2. The character set is limited, such as only digits
  3. Other methods (dictionary, rules) have failed
  4. You have significant computational resources

Practical Examples

Cracking a 4-Digit PIN

john --incremental=Digits --max-length=4 pin.hash

Cracking Short Passwords

john --incremental=AlphaNum --max-length=6 hash.txt

Targeted Brute Force with Mask

# For passwords like "admin123", "user456", etc.
john --mask='?l?l?l?l?l?d?d?d' hash.txt

Best Practices

  1. Start with other methods before resorting to brute force
  2. Use targeted approaches like masks and character set restrictions when possible
  3. Monitor progress to estimate completion time
  4. Save session state for long-running attacks
  5. Use GPU acceleration for significant performance improvements
