Как пользоваться john the ripper для windows

If you are a pen-tester, cracking passwords is something you will be doing on a daily basis. This can include login passwords, file passwords, and almost anything that is protected using a password.

John the Ripper (JtR) is a popular password-cracking tool. John supports many encryption technologies for Windows and Unix systems (Mac included).

One remarkable feature of John is that it can autodetect the encryption for common formats. This will save you a lot of time in researching the hash formats and finding the correct tool to crack them.

John is also a dictionary-based tool. This means that it works with a dictionary of common passwords to compare it with the hash in hand. Here is a common password list called rockyou.txt.

While you can use popular wordlists like RockYou, John also has its own set of wordlists with thousands of common passwords. This makes John very effective when cracking systems with weak passwords.

This is how John works by default:

• recognize the hash type of the current hash
• generate hashes on the fly for all the passwords in the dictionary
• stop when a generated hash matches the current hash.

This is not the only way John finds a password. You can also customize John based on your requirements. For example, you can specify the password format using the — — format flag.

In this article, we will first install John followed by a walkthrough of the different modes you can use. We will then use John to crack passwords for three different use cases — a Windows password, a Linux password, and a zip file password.

A quick disclaimer before we get started: do not use this tool for nefarious purposes. This is meant to be an educational tutorial to help you protect yourself and your clients or team from password attacks. Use this information responsibly and safely!

Let’s get cracking.

If you are using Kali Linux, John is pre-installed. You can use John by typing the following command:

$ john

For Ubuntu/Debian, you can get John from the apt source. Here is the command to install John in Ubuntu:

$ apt install John

In Mac, you can find John in Homebrew:

$ brew install john

For windows and other operating systems, you can find the binaries here.

Once you have installed John, try the help command to make sure your installation is working. The help command can also be used as a reference when working with John.

$ john -h

Here is the output of the help command:

How to Use John the Ripper

Now that we know what John is, let’s look at the three modes it offers you. You will be using one of these three for most of your use cases.

• Single crack mode
• Wordlist mode
• Incremental mode

Let’s look at each one of them in detail.

What is Single Crack Mode?

In single-crack mode, John takes a string and generates variations of that string in order to generate a set of passwords.

For example, if our username is “stealth” and the password is “StEaLtH”, we can use the single mode of John to generate password variations (STEALTH, Stealth, STealth, and so on).

We use the “format” flag to specify the hash type and the “single” flag to let John know we want to use the single crack mode. We will also create a crack.txt file which will contain the username and the hash value of the password.

stealth:d776dd32d662b8efbdf853837269bd725203c579

Now we can use the following command to use John’s single crack mode:

$ john --single --format=raw-sha1 crack.txt

And here is the result. You can see that John has successfully found the correct password “StEaLtH”.

That was fun, wasn’t it? Now let’s look at the dictionary mode to crack more complicated passwords.

What is Dictionary Mode?

In dictionary mode, we will provide John with a list of passwords. John will generate hashes for these on the fly and compare them with our password hash.

For this example, we will use the RockYou wordlist. If you are using Kali, you can find it at /usr/share/wordlists/rockyou.txt. We will also have a crack.txt file with just the password hash.

edba955d0ea15fdef4f61726ef97e5af507430c0

Here is the command to run John in dictionary mode using the wordlist.

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha1 crack.txt

And John finds the password pretty quickly.

The weaker the password is, the quicker John can figure it out. This is why it is always recommended to have strong passwords.

What is Incremental Mode?

Incremental mode is the most powerful mode provided by John. It tries all possible character combinations as passwords.

This sounds great, but there is a problem. The cracking can go on for a long time if the password is too long or if it’s a combination of alphanumeric characters and symbols.

You will rarely use this mode unless you have no other option. In typical cases, a combination of Social Engineering attacks and wordlist mode will help you crack most of the hashes.

If you would like to try the incremental mode, here is the syntax.

$ john -i:digits passwordfile.txt

Here, the -i flag tells John that we want to use the increment mode. The “digits” placeholder can be used to set the maximum number of digits in the password.

You can also add the “format” option to make it easier for John to start cracking.

Use Cases for John the Ripper

Now that you understand the different modes of John, let’s look at a few use cases.

We will use John to crack three types of hashes: a windows NTLM password, a Linux shadow password, and the password for a zip file.

How to Crack a Windows Password

Let’s start with Windows. In Windows, the password hashes are stored in the SAM database. SAM uses the LM/NTLM hash format for passwords, so we will be using John to crack one.

Getting passwords from the SAM database is out of scope for this article, but let’s assume you have acquired a password hash for a Windows user.

Here is the command to crack it:

$ john --format=lm crack.txt

The crack.txt will contain the password hash. If John is unable to crack the password using its default wordlist, you can use the RockYou wordlist using the — — wordlist flag.

How to Crack a Linux Password

Now, let’s crack a Linux password. In Linux, there are two important files saved in the /etc folder: passwd and shadow.

• /etc/passwd -> stores information like username, user id, login shell, and so on.
• /etc/shadow -> contains password hash, password expiry, and so on.

In addition to the “john” command, John comes with a few other utilities. One of them is called “unshadow”.

The unshadow command combines the passwd and shadow files together into a single file. This can then be used by John to crack passwords.

Here is how we use the unshadow command:

$ unshadow /etc/passwd /etc/shadow > output.db

This command will combine the files together and create an output.db file. We can now crack the output.db file using John.

$ john output.db

John tries to find the password for all the users in the passwd file and generates the output with the list of cracked passwords. Again, you can use custom wordlists via the  — — wordlist flag.

How to Crack a Zip File Password

Finally, let’s crack a zip file password. To do that, we first have to get the hash of the zip file’s password.

Like unshadow, John has another utility called zip2john. zip2john helps us to get the hash from zip files. If you are cracking a .rar file, you can use the rar2john utility.

Here is the syntax to get the password hash of a zip file:

$ zip2john file.zip > zip.hashes

The above command will get the hash from the zip file and store it in the zip.hashes file. You can then use John to crack the hash.

$john zip.hashes

John also has several other functionalities that will help you crack a variety of passwords. You can find the complete documentation for John here.

How to Defend Against Password Attacks

So far we have seen how to crack passwords with John the Ripper. But how do we defend against these types of brute-force attacks?

The simplest way to defend against password attacks is to set a strong password. The stronger the password is, the harder it is to crack.

The second step is to stop using the same passwords for multiple sites. If one site gets hacked, your password will be exposed to the internet. A hacker can then use the email/password combination to test your credentials across other sites. You can check if your password is on the internet here.

The final step would be to generate random passwords and use a password manager. There are a variety of options including the Chrome built-in Google password manager. If you use a strong password for each site you use, it becomes extremely hard to crack your password.

Summary

John is a popular and powerful password-cracking tool. It is often used by both penetration testers and black hat hackers for its versatility and ease of use.

From automated hash discovery to dictionary-based attacks, John is a great tool to have in your pentesting toolkit.

Hope this article helped you to understand John the Ripper in detail. You can connect with me here or visit my blog here.

---

---

Learn to code for free. freeCodeCamp’s open source curriculum has helped more than 40,000 people get jobs as developers. Get started

Are you looking for a secure and reliable way to protect your Windows 10 system from malicious attacks? John the Ripper is a powerful tool used to detect weak passwords and make it more difficult for hackers to gain access to your system. In this guide, we’ll take you through how to correctly install and use John the Ripper on Windows 10 to secure your system and keep your data safe.

What Is John The Ripper?

John The Ripper is a free and open-source software program used for password cracking. It is designed to identify weak passwords that can be easily guessed or cracked with the help of a dictionary attack. It is a cross-platform tool that can be used on different operating systems, including Windows 10.

John The Ripper is a powerful tool for recovering lost passwords, as well as for testing password strength. It is a popular choice among security professionals and ethical hackers for its simplicity and ability to identify weak passwords quickly.

Downloading and Installing John The Ripper

The first step in using John The Ripper on Windows 10 is to download and install the latest version of the software. The latest version can be found on the official John The Ripper website. Once the download is complete, double-click on the downloaded file to begin the installation process.

The installation process is straightforward and will guide you through each step. Once the installation is complete, you will be able to launch John The Ripper and start using it to crack passwords.

Using John The Ripper

John The Ripper can be used in a variety of ways to crack passwords. The most common use is a dictionary attack, which is a method of cracking a password by trying thousands of common words and phrases. This type of attack is useful for cracking simple passwords that are easy to guess.

John The Ripper can also be used for brute-force attacks, which involve trying all possible combinations of characters to crack a password. This type of attack is more time-consuming but can be used to crack complex passwords.

Creating a Password List

Before using John The Ripper, you need to create a password list that contains all of the words and phrases that you want to use in your attack. It is important to include as many words and phrases as possible in the list to ensure that the attack is successful.

The password list can be created in a text editor, such as Notepad, or using a dedicated password list generator. Once the list is complete, save it in a text file and make sure to store it in a secure location.

Performing the Attack

Once the password list is ready, you can begin the attack. To do this, open John The Ripper and select the type of attack you want to perform. If you are performing a dictionary attack, you will need to select the dictionary option and then enter the path to the password list you created.

For a brute-force attack, you will need to enter the character set and the length of the passwords you want to crack. Once all of the options have been entered, click “Start” to begin the attack.

Analyzing the Results

When the attack is complete, John The Ripper will display the results. If the attack was successful, the passwords that were cracked will be displayed in the results. It is important to analyze the results carefully and make sure that the passwords are secure.

It is also important to note that John The Ripper is not guaranteed to crack every password. If the attack was unsuccessful, you may need to try a different type of attack or increase the length of the character set.

Security Considerations

John The Ripper is a powerful tool for recovering lost passwords, but it can also be used for malicious purposes. It is important to use the software responsibly and never attempt to crack passwords without the owner’s consent.

It is also important to keep in mind that John The Ripper is not a substitute for strong passwords. It is still important to use strong passwords and to change them regularly to ensure the security of your accounts.

Conclusion

John The Ripper is a powerful and popular tool for password cracking. It can be used to identify weak passwords and recover lost passwords, but it is important to use the software responsibly and to remember that strong passwords are still the best defense against malicious attacks.

Related FAQ

What is John the Ripper?

John the Ripper is a free, open-source password cracking tool that can be used to recover lost or forgotten passwords. It can be used to crack passwords on Windows, Linux, and OS X systems. The tool is written in the C programming language and utilizes a variety of password cracking algorithms. It is highly effective and can be used to crack passwords quickly and efficiently.

How does John the Ripper work?

John the Ripper works by taking a list of passwords and running a series of algorithms to try and match each password with an existing hash. If a match is found, the password is then revealed. John the Ripper also includes a number of built-in rules that can be used to optimize the process of guessing passwords, such as replacing certain characters with other characters or appending characters to the end of passwords.

What are the benefits of using John the Ripper?

John the Ripper has a number of benefits over other password cracking tools, such as its speed and efficiency. It is also highly configurable, allowing users to customize the tool to their needs. Additionally, John the Ripper is a free and open source tool, which makes it accessible to anyone.

How do I use John the Ripper on Windows 10?

In order to use John the Ripper on Windows 10, you will first need to download the John the Ripper software and install it on your system. Once it is installed, you can then create a text file containing the list of passwords that you wish to crack. You can then run John the Ripper, providing the path to the text file containing the passwords, and it will attempt to crack each password.

Are there any risks associated with using John the Ripper?

Yes, there are some risks associated with using John the Ripper, particularly if the passwords being cracked are associated with sensitive information. Therefore, it is important to ensure that only authorized personnel have access to the tool and that the passwords being cracked are not associated with any sensitive information.

Is John the Ripper easy to use?

Yes, John the Ripper is relatively easy to use. The tool includes a user-friendly graphical user interface (GUI) which makes it easy to select the passwords that you wish to crack and configure the settings. Additionally, the tool includes a number of built-in rules and settings which can be used to optimize the process of guessing passwords.

How to install John The Ripper tool in Windows 10 || Easy To use || Environment Variable

John the Ripper is a powerful and useful tool for those who need to secure their Windows 10 system from malicious attackers. It is easy to use and provides comprehensive protection against various threats. With its advanced features, John the Ripper is a great choice for Windows 10 users who want to protect their system from any potential harm. By following the steps outlined in this article, you can easily and quickly use John the Ripper to secure your system against malicious attacks.

Время на прочтение
6 мин

Количество просмотров 33K

На данный момент хэш можно вскрыть пятью способами: грубый перебор (брутфорс), подбор по словарю, по словарю с правилами (гибридная атака), rainbow таблицы (радужные таблицы) и криптоатака. Сами хэши можно разделить на обычные хэши, и хэши с солью (salt, «затравка»). Эта статья посвящена программам john и mdcrack. На их примере, также рассмотрим основные методы для реализации брутфорса.

john

John the Ripper password cracker предназначен для вскрытия различных типов хэшей, которые применяются во множестве ПО и ОС, от MySQL до OpenBSD. В программе реализованы возможности: брутфорс пароля, подбор пароля по словарю и гибридная атака. А также signle и external способы подбора пароля, специфичные для этой программы. О всех способах будет рассказано ниже.

В программе имеется возможность восстанавливать процесс подбора после его прерывания.

Одной из особенностей программы является тот факт, что при вскрытии большого количества паролей «за раз», велика возможность того, что они вскроются быстрее, чем бы вскрылись по отдельности. А также инкремент пароля производится «интеллектуально», о чём будет сказано ниже.

В программе имеются два ограничения: john может вскрывать хэши только с солью — для вскрытия обычных хэшей вам потребуется соответствующий патч или готовая спец. сборка программы; можно брутфорсить пароль длиной не более 8-ми символов (но при атаке по словарю такого лимита нет).

Salt (соль, «затравка») — это метод усложнения вычисления хэша. К примеру, во FreeBSD, при вычислении хэша от пароля, сначала генерируются два случайных символа, которые конкатенируются к паролю, от полученной строки вычисляется хэш, и к полученному хэшу прибавляются эти два символа, давая результирующий хэш.

Для тестирования скорости программы на вашем компьютере, запустите её с флагом ‘—test’. Результат будет выдан в c/s, т.е. в символах в секунду, а не в h/s (хэш в секунду), как это принято в других программах этого типа. Но каждый следующий символ образует новый пароль. А значит, перебирая, к примеру, 3500 символов в секунду, мы генерируем 3500 новых паролей в секунду. Следовательно, цифры, которые даёт команда john —test — это и есть хэши в секунду.

Для начала работы программы, запишите вскрываемый хэш в файл: user:hash, где user — это любая строка, и hash — вскрываемый вами хэш. Если вам требуется вскрыть сразу несколько хэшей, то нужно записать их всех в один файл. Как сказано выше, велика вероятность того, что так все хэши вскроются быстрее, чем если бы они были записаны в разные файлы по отдельности. Например, создадим файл bla.pass такого содержания:

user1:$1$yHJlM1Y9$lzO5yVj6Drepbz6xje0wq0
user2:$1$RDBUtZMr$z8acZKa5XzY0vQuUwG6Un1
user3:$1$EP5lm7ex$poOrQvYoH78Bc63nhXx1p1
user4:$1$ths1/RY5$CUR32fPoOr/UcjeBpD4fx0

Что бы начать перебор, дайте команду john bla.pass. Программа скажет о количестве загруженных хэшей, о количестве различных salt-ов (в старых unix-системах salt был фиксированным, т.е. одинаковым у всех паролей) и о типе хэшей. Тип хэша может определится не верно. Так, если попытаться вскрыть обычный md5_128bit (без salt), то рассматриваемая в этой статье версия john-а определит этот хэш как NT LM DES, и начнёт подбор пароля, заведомо безрезультатно.

После начала перебора, может пройти вечность до того, как пароль вскроется. Что бы попытаться вскрыть пароль в разумные сроки, у john-а есть целый арсенал различных типов подбора (режимов работы), правил, фильтров и гибкий файл конфигурации. Далее будут коротко рассмотрены режимы работы john-а. Дополнительную информацию читайте в документации к программе.

Итого, john имеет 4 режима работы, т.е. 4 способа вскрытия пароля: single crack, wordlist, incremental и external.

Single crack mode

— поиск пароля по косвенным уликам. Первыми кандидатами в пароли становятся имя пользователя, «GECOS», «Full Name» — поля его учётной записи и название домашней директории пользователя. А также используются правила (гибридная атака) для полученных данных, и возможных паролей становиться больше. Но не так много как в прилагаемом к программе словаре. Поэтому это самый быстрый способ. Он завершает свою работу (перебирает все возможные этим способы варианты паролей) за несколько секунд.

В GECOS-поле пользователь может записать дополнительные данные о себе, такие как номер телефона, дату рождения и т.п.

Wordlist

— подбор пароля по словарю. Основной словарь весит более чем 600 Mb, распространяется на двух дисках. В нём собраны наиболее употребляемые пароли более чем на 20 языках. Стоит этот сборник паролей 28.25$. Также доступен малый сборник паролей размером 11 Mb. Эффективность этого сборника сомнительна, поскольку он также содержит пароли на более чем 20 языках. У режима wordlist есть «подрежим»: wordlist с правилами (rulets). Это гибридный вид подбора пароля. Набор применяемых правил можно изменять и дополнять своими. Правила описаны в файле конфигурации спецсимволами и специальными флагами, которые читает и обрабатывает john-овский препроцессор правил.

Вы можете скачать некоторые очень полезные словари с сайта passwords.ru

Incremental — грубый перебор, т.е. брутфорс. Настройки перебора хранятся в файле конфигурации. При переборе, программа равномерно распределяет частоту инкремента по длине пароля и набору символов (That’s one reason why this mode deals with trigraph frequencies, separately for each character position and for each password length, to crack as many passwords as possible within a limited time). Есть пять подрежимов инкрементного режима: «All», «Alnum», «Alpha», «Digits» и «LanMan». К примеру «Digits» будет перебирать лишь цифры, «Alpha» — лишь строчные латинские буквы. Также есть возможность создания своего подрежима инкрементного режима. Подробнее — в документации.

External — этот режим даёт возможность применять «фильтры», описанные в файле конфигурации на языке Си с использованием четырёх callback-функций. С помощью этого можно написать свой алгоритм перебора. Но несколько основных уже написаны в файле конфигурации, и ими можно пользоваться.

Все режимы можно совмещать. По дефолту (если не указывать режим и ничего не менять в конфигах) программа сначала отработает single-режим, затем попытается подобрать пароль по словарю, прилагаемому к программе (всего лишь 3108 паролей), затем начнёт перебор паролей (перейдёт в инкрементный режим) длиной от 0 до 8 с азбукой в 96 символов (латинские строчные, латинские заглавные, цифры и символы).

Практический совет: пробуйте сначала те режимы и подрежимы, которые заканчивают свою работу (в случае неудачи) быстрее всех. После завершения работы в режимах single, wordlist и wordlist with rulets, вы, вероятно, начнёте брутфорсить пароль в подрежиме «All». Это может оказаться вашей большой ошибкой, которая отнимет у вас слишком много времени. Вместо этого, сначала попробуйте более быстрые подрежимы в порядке возрастания количества символов: «Digits» (10 цифр), «Alpha» (26 латинских строчных букв), «Alnum» (36 символов — буквы + цифры) и т.п. Поскольку пользователи часто используют простые пароли, сперва следует попробовать более быстрые подрежимы инкрементного перебора. Это может значительно сэкономить вам время.

mdcrack

Программа нацелена на достижение максимальной скорости перебора пароля. Версия программы 1.2 имеет открытый исходный код, но поддерживает всего лишь три вида хэшей: MD4, MD5 и NTLM1. Программа версии 1.5 и 1.7 поддерживает большее число хэшей, в том числе и md5_freebsd, но исходный код в открытом виде не предоставляется. Программу mdcrack удобно использовать для брутфорса, когда стандартная сборка программы john вам не подошла, т.е. когда вам необходимо вскрыть хэш без соли (без salt).

Пример вызова программы mdcrack:

mdcrack -s qwertyuiopasdfghjklzxcvbnm -S 7 c8e5b031cee3fe69955e63f8c5e11509.

После этой команды создастся «сессия», и если вы прервёте перебор, дайте команду mdcrack (без параметров) для возврата к прерванной сессии. Для удаления сессии, дайте команду mdcrack -d.

По завершению или после прерывания работы программы, она выдаёт информацию о производительности компьютера (среднее количество хэшей в секунду).

Флаг -W используется для создания файла предварительно рассчитанных пар pass:hash. Для чтения такого файла используется флаг -R. Для более быстрой работы чтения/записи используется флаг -F.

Флаги -b и -e используются для указания challegne-значения. В некоторых протоколах передачи данных, передаваемый хэш пароля шифруется (вычисляется хэш от передаваемого хэша). Пароль, на который он шифруется в данном контексте называется challegne.

Стоит отметить, что программа mdcrack ищет в хэше коллизии. Дело в том, что одному хэшу может соответствовать несколько паролей (но вероятность этого очень мала), причём разной длины. Если пользователь задал пароль из 9 символов, при подборе такого пароля может выясниться, что другой, более короткий пароль, к примеру из двух символом, имеет точно такой же хэш. И если его ввести атакуемой системе — он будет воспринят как правильный.

Тематические ссылки

• Статья «Заметки: какой брутер выбрать?»: forum.antichat.ru/showthread.php?t=37651
• Словари для вскрытия хэша, и не только: www.passwords.ru

На чтение 2 мин Опубликовано 12.08.2017

Приложение John the Ripper или Джон Потрашитель мы уже рассматривали в статье, в составе Kali Linux.

1. Извлечем хэш из Windows

Диспетчер учетных записей (SAM) – файл базы данных в Windows 10/8/7/XP, который хранит пользовательские пароли в зашифрованном виде, который в свою очередб расположен в следующем каталоге:

C:\Windows\system32\config

Первая вещь, которую мы должны сделать – заполучить хэши пароля от файла SAM.

Просто загрузите бесплатное программное обеспечение PwDump7 и разархивируйте его на вашем локальном PC.

Откройте командную строку.

Переместитесь в папку, где вы извлекли приложение PwDump7, и затем вводите следующую команду:

# PwDump7.exe > d:\hash.txt

Как только вы нажмете [ Enter ] PwDump7 получит хэши паролей системы и сохранит их в файл d:\hash.txt.

2. Взлом пароля с John the Ripper

Поскольку вы видите, что хэши пароля все еще нечитабельны – мы должны взломать их используя John the Ripper.

John the Ripper – один из самых популярных инструментов взламывания пароля, который может работать на Windows, Linux и Mac OS x.

Просто загрузите бинарники для Windows John the Ripper и распакуйте содержимое.

Откройте командную строку и смените каталог, куда распаковали John the Ripper и затем выполните:

# john --format=LM d:\hash.txt

Теперь мы можем увидеть связки пароль + логин для пользователей Windows.

Примечание: Информация для исследования, обучения или проведения аудита. Применение в корыстных целях карается законодательством РФ.

Пожалуйста, не спамьте и никого не оскорбляйте.

Это поле для комментариев, а не спамбокс.

Рекламные ссылки не индексируются!

Perhaps you need a quick overview on how to use the password-cracking tool John the Ripper, or you may be a beginner and wondering why you haven’t been able to get it to work. If that’s you, you’ve come to the right place. We’ve prepared a straightforward tutorial on how to use John the Ripper for you.

A must-have in the pentester’s toolkit, John the Ripper cracks passwords using a rainbow table approach: comparing them with an inbuilt table of hashes. We’ll review John the Ripper’s three major password-cracking modes and several usage examples, with short exercises for those new to this ruthless tool.

But be warned: We don’t condone using John the Ripper for malicious purposes. With great power comes great responsibility.

Without further ado, let’s get cracking.

What Is John the Ripper?

Jack the Ripper was a murderer in 1888 in London, England. Just as people exposed to Jack the Ripper died, passwords exposed to John the Ripper are no longer secret.

You can deploy John the Ripper inside Kali Linux with the following terminal command instantly:

john

Hence, for simplicity, we’ll call John the Ripper “John” from this point onward. John’s various options help you customize your experience uncovering passwords:

john -h

Modes for Cracking Passwords

John the Ripper offers three main password-cracking modes: Single, Wordlist, and Incremental.

Single Crack Mode

Our example here is a username-password pair based on the 1986 Tom Cruise movie, which released its sequel in 2022.

In Single Crack Mode, John takes a string and generates variations of that string to generate a set of passwords. For example, you can use this Mode to generate password variations of the username “topgun” with the corresponding password “Topgun” (or TopGun, ToPgUn, tOpGuN, and so on).

Use the --format flag to specify the hash type and the --single (-si) flag to let John know we want to use the Single Crack Mode.

Afterward, we’ll crack more complex passwords with John’s Wordlist Mode.

Wordlist Mode

In Wordlist Mode, we’ll provide John with a list of passwords. John will generate hashes for them in real-time and compare them with our password hash. In this example, we will use the well-known RockYou wordlist, which you can preview at

cat /usr/share/wordlists/rockyou.txt | less

Feel free to copy it to your current working directory to simplify the commands using the --wordlist (-w) flag:

cp /usr/share/wordlists/rockyou.txt rockyou

Now let’s pass text files containing password hashes through John:

Let’s move on to John’s final Incremental Mode.

Incremental Mode

In Incremental Mode, John tries all possible character combinations as passwords. This process can be time-consuming if the password is too long or if alphanumeric characters and symbols comprise the password.

You won’t use this Mode unless you don’t have any other options. Typically, a combination of social engineering attacks and Wordlist Mode will help you uncover most passwords.

The syntax for Incremental Mode is:

Let’s break down each flag:

Now that we know how to use John the Ripper, we shall move on to specific use cases.

Cracking Passwords With John the Ripper

Now that we know the different modes, let’s examine some real-world examples of when and how to crack passwords with John.

Choosing a Wordlist

John’s default Wordlist is a file located in /usr/share/john/password.lst in Kali Linux, but its power is finite compared with custom wordlists such as those found by John’s developer OpenWall https://www.openwall.com/wordlists/. 

Apart from RockYou, the Wordlists all.lst (downloadable as all.gz) and huge.lst are good candidates for the --wordlist flag.

Edit the Wordlist by amending the following line in /usr/share/john/john.conf:

Wordlist = $JOHN/password.lst

To make John work more efficiently, remove duplicate entries from and sort the contents of your chosen Wordlist file.

Cracking ZIP files

John has a utility called zip2john. zip2john helps us to get the hash from zip files. Other “2john” utilities exist, such as the rar2john utility for cracking a RAR file.

To crack a password-protected ZIP file, we first get the hash of the ZIP file’s password:

zip2john file.zip > zip.hashes

This command gets the hash from the ZIP file and stores it in the zip.hashes file.

Now you can crack the hash with John:

Cracking SSH Keys

The ssh2john utility creates a hash from your private key file. If your private key file path is /home/kali/.ssh/id_rsa, and you want to store the hash as myHash.txt, the syntax is:

ssh2john /home/kali/.ssh/id_rsa > myHash.txt

Cracking Linux Passwords

Linux stores password data in two files:

• /etc/passwd stores information such as username, user id, and login shell;
• /etc/shadow is the password file containing data such as hash and expiry date.

A utility bundled with John the Ripper called unshadow can combine both files for cracking. Here, we’ll name the combined file lin.txt:

unshadow /etc/passwd /etc/shadow > lin.txt

Cracking Linux hashes is tricky; Kali Linux’s John the Ripper doesn’t readily detect the hash type of Linux (crypt), where the --wordlist flag is optional. If you omit the --format flag below, John won’t crack anything at all:

Once John has uncovered the passwords, you may view them using the command below:

john --show --format=crypt lin.txt

Cracking Windows Passwords

Windows stores hashed passwords in the SAM database. SAM uses the LM/NTLM hash format for passwords. As getting passwords from the SAM database is beyond the scope of this article, we suggest generating your own LM/NTLM hashes to test out this functionality and echo them to a text file, say win.txt, as shown in the demonstration:

The syntax for cracking this file containing the LM/NTLM hashes is the following, where the --wordlist flag is optional:

john --format=LM [--wordlist=rockyou] win.txt

Once John has uncovered the passwords, you may view them using the command below:

john --show --format=LM win.txt

Choosing Specific Hashes to Crack

If you want to override John’s behavior of discovering the hash independently, you may tell John which hash type you’re looking for using the --format=HASH_TYPE flag. Choices for HASH_TYPE include Raw-MD (MD5), Raw-SHA1 (SHA-1), Raw-SHA256 (SHA-256), SSH, RADIUS, TACACS-Plus (TACACS+), ZIP, and RAR.

You can find all hash formats John supports using the following commands:

Other Useful Commands

Here is a brief cheat sheet of John the Ripper commands:

Flag	Description
--show FILE	Show cracked passwords based on hashes from FILE
--rules, -ru	Enable word-mangling rules to teach John the Ripper how to generate passwords
--status	Print the status of an interrupted or running session
--session=NAME	Give a new John the Ripper session a NAME, to which John will form the session file name NAME.rec; useful for running multiple instances of John in parallel or to be able to recover later a session other than the last one you interrupt
--restore[=NAME]	Continue an interrupted cracking session, reading state information from the specified session file or the default session at the file path $JOHN/john.rec
--save-memory=LEVEL	Enable memory saving at LEVEL 1, 2, or 3. Level 1 tells John not to waste memory on login names, and may speed things up. Levels 2 and 3 reduce John’s use of performance optimizations involving large lookup tables and thus may impact performance negatively.
--test[=TIME]	Run tests (and benchmarks, unless TIME is explicitly 0), each spanning TIME seconds
&	This symbol only applies to Kali Linux and other Unix-based operating systems. When you put this symbol at the end of a John the Ripper command, you run it in the background.
--format=NAME	Specify the hash type for John the Ripper to detect
--list=formats, --list=subformats	Reveal the hash types John the Ripper supports
--single, -si	Enable Single Crack Mode
--wordlist=FILE, -w=FILE	Enable Wordlist Mode, specifying a Wordlist (dictionary attack)
--incremental, -inc	Enable Incremental Mode

Find the complete official documentation for John the Ripper here.

Conclusion

We hope learning how to use John the Ripper helps you, whether you’re exploring cyber security or aiming to become a professional hacker or penetration tester. For more resources, read our blog posts on hacking and check out our courses below:

Frequently Asked Questions