John the Ripper vs LinkedIn 2012 Dump

When profiling an organisation you should at least check for their email domain within that data set. If any staff have used their work email address when they signed up to LinkedIn pre-2012, then you may have a quick win.

On several tests this year we have used this to authenticate to external corporate services such as: VPNs, or Outlook Web Access. Showing a) that password reuse is alive and well in 2017, and b) that our target users have not updated their work credentials in years!

You must obtain the raw data from the dump to do this. Google it, torrent it, beg or borrow it. It is widely obtainable, but I am not about to host the file myself.

Getting prepared

I downloaded the most recent Kali VM:

Which had a version of John the Ripper installed that supported the correct hashing format.

Finding Targets

Your first challenge is to find targets at your clients domain. A simple grep:

grep linkedin.txt >> targets.txt

Converting to Crackable File Format

The version of “linkedin.txt” that I have access to is formatted using colons to separate columns. The format seems to be:


For JTR to work for us here we need to match this format:


We can use the email address as the username so basically we need to get rid of the “id” portion. Which we can do simply using “cut”:

cat targets.txt | cut -d ":" -f 2-3 >> hashes.txt

Syntax for Wordlist based attack

To use a wordlist attack I used the command shown below:

john --wordlist=/path/to/wordfile --format=Raw-SHA1 hashes.txt

The key reason I am writing this down is I keep forgetting the “–format” part and it seems a little harder to Google for it than I hope each time!

Much Success!

Here is a picture of how effective even the rockyou.txt file can be. For one of the domains in the LinkedIn leak we cracked a whole load of passwords in seconds:


For people with slightly better passwords we have had success profiling that individual and making custom wordlists.

Hope that is of use to someone. It certainly will help me remember


Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.