Brute-force cracking with John the Ripper is done with incremental mode. Incremental mode does not simply walk the full key space in order: it ranks candidates by trigraph frequencies, so that the most likely passwords are tried first and recovered as soon as possible.
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-lm.pot lm.john.out
Working through the complete LM hash key space will take many days:
Warning: detected hash type "LM", but the string is also recognized as "HAVAL-128-4"
Use the "--format=HAVAL-128-4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "lotus5"
Use the "--format=lotus5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "MD2"
Use the "--format=MD2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mdc2"
Use the "--format=mdc2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash"
Use the "--format=mscash" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "mscash2"
Use the "--format=mscash2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD4"
Use the "--format=Raw-MD4" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5"
Use the "--format=Raw-MD5" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Raw-MD5u"
Use the "--format=Raw-MD5u" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "ripemd-128"
Use the "--format=ripemd-128" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "Snefru-128"
Use the "--format=Snefru-128" option to force loading these as that type instead
Loaded 47 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1                (user09:2)
2020             (user06:2)
AS               (user22)
F                (user29:2)
R                (user28:2)
LM11819          (user16:1)
V                (user21)
EANNE            (user03:2)
T1               (user10:2)
CUNINGO          (user17)
AMOROSA          (user07:1)
12g 0:00:00:14 0.00% (ETA: 2016-08-17 08:26) 0.8329g/s 2887Kp/s 2887Kc/s 104518KC/s HSV29S..HS3A18
Warning: passwords printed above might be partial
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
You use option --show to display the recovered passwords:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --show --pot=john-bruteforce-lm.pot lm.john.out
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user06:???????2020:S-1-5-21-3188177830-2933342842-421106997-1111::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user09:???????1:S-1-5-21-3188177830-2933342842-421106997-1114::
user10:???????T1:S-1-5-21-3188177830-2933342842-421106997-1115::
user16:LM11819???????:S-1-5-21-3188177830-2933342842-421106997-1121::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
user21:V:S-1-5-21-3188177830-2933342842-421106997-1126::
user22:AS:S-1-5-21-3188177830-2933342842-421106997-1127::
user28:???????R:S-1-5-21-3188177830-2933342842-421106997-1133::
user29:???????F:S-1-5-21-3188177830-2933342842-421106997-1134::
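To keep track of which LM halves have come back during a long run, here is a small parser for the --show output above. It is an added example, not part of the original post or of John the Ripper: it reads the user:password:SID:: lines, treats John's ??????? marker as an uncracked 7-character half, and counts accounts by recovery state. The sample lines are copied from the output above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# LM hashes cover at most 14 characters as two independent 7-character halves.
# "john --show" prints user:password:SID:: and uses "???????" for an uncracked half.
LM_HALF_LEN = 7
UNKNOWN_HALF = "?" * LM_HALF_LEN
SHOW_LINE = re.compile(r"^(?P<user>[^:]+):(?P<pw>[^:]*):(?P<sid>S-1-5-[0-9-]+)::$")

@dataclass
class LmRecovery:
    user: str
    sid: str
    first_half: Optional[str]   # None while still uncracked
    second_half: Optional[str]  # None while still uncracked; "" when the password has 7 chars or fewer

    def status(self) -> str:
        if self.first_half is not None and self.second_half is not None:
            return "complete"
        return "first half only" if self.second_half is None else "second half only"

def parse_show_output(text: str) -> List[LmRecovery]:
    """Turn 'john --show' lines for LM hashes into per-account recovery state."""
    results = []
    for line in text.splitlines():
        m = SHOW_LINE.match(line.strip())
        if not m:
            continue  # not a hash line (e.g. the command echo)
        pw = m.group("pw")
        first, second = pw[:LM_HALF_LEN], pw[LM_HALF_LEN:]
        # Caveat: a genuine half made of seven '?' characters looks like the marker here.
        results.append(LmRecovery(m.group("user"), m.group("sid"),
                                  None if first == UNKNOWN_HALF else first,
                                  None if second == UNKNOWN_HALF else second))
    return results

def summarize(results: List[LmRecovery]) -> dict:
    """Count accounts per recovery status to see how far the run has got."""
    counts: dict = {}
    for r in results:
        counts[r.status()] = counts.get(r.status(), 0) + 1
    return counts

# Sample lines copied from the --show output above.
SAMPLE = """\
user01:123456:S-1-5-21-3188177830-2933342842-421106997-1106::
user03:???????EANNE:S-1-5-21-3188177830-2933342842-421106997-1108::
user07:AMOROSA???????:S-1-5-21-3188177830-2933342842-421106997-1112::
user17:CUNINGO:S-1-5-21-3188177830-2933342842-421106997-1122::
"""
```

Running summarize(parse_show_output(SAMPLE)) on these four lines reports two complete accounts, one with only the second half and one with only the first half.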
The command for NT hashes is almost the same:
John-the-Ripper-v1.8.0-jumbo-1-Win-32\run\john.exe --incremental --pot=john-bruteforce-nt.pot nt.john.out
This run will never finish (unless all passwords are recovered), because NT passwords are not limited in length the way LM passwords are:
Warning: detected hash type "NT", but the string is also recognized as "nt2"
Use the "--format=nt2" option to force loading these as that type instead
Loaded 43 password hashes with no different salts (NT [MD4 128/128 SSE2 + 32/32])
Warning: no OpenMP support for this hash type
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (user01)
1g 0:00:00:11 0.08373g/s 13795p/s 13795c/s 579415C/s melace1..meremia
V                (user21)
cuningo          (user17)
aS               (user22)
4g 0:00:01:17 0.05132g/s 3317Kp/s 3317Kc/s 132700KC/s ihxhl..ihxfg
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
You can use the Loopback feature as well… but you want to use -rules=split to redo the cracked LM. After it’s done with that, then you would run incremental.
john.exe -format=nt --pot=john-bruteforce-lm.pot -loop=john-bruteforce-lm.pot lm.john.out -rules=split
john.exe -format=nt lm.john.out --pot=john-bruteforce-lm.pot -incremental
Comment by Frick-n-frack — Thursday 21 July 2016 @ 10:47