Tuesday, April 11, 2023

How to Use John the Ripper: A Quick and Easy Guide

Perhaps you need a quick overview on how to use the password-cracking tool John the Ripper, or you may be a beginner and wondering why you haven’t been able to get it to work. If that’s you, you’ve come to the right place. We’ve prepared a straightforward tutorial on how to use John the Ripper for you.

A must-have in the pentester’s toolkit, John the Ripper cracks passwords using a rainbow table approach: comparing them with an inbuilt table of hashes. We’ll review John the Ripper’s three major password-cracking modes and several usage examples, with short exercises for those new to this ruthless tool.

But be warned: We don’t condone using John the Ripper for malicious purposes. With great power comes great responsibility.

Without further ado, let’s get cracking.

What Is John the Ripper?

Jack the Ripper was a murderer in 1888 in London, England. Just as people exposed to Jack the Ripper died, passwords exposed to John the Ripper are no longer secret.

You can deploy John the Ripper inside Kali Linux with the following terminal command instantly:

john

Hence, for simplicity, we’ll call John the Ripper “John” from this point onward. John’s various options help you customize your experience uncovering passwords:

john -h

John the Ripper Command Generator

Say goodbye to the hassle of trying to remember the exact syntax for your John the Ripper commands! With our John the Ripper Command Generator, you can simply say what you need John the Ripper to do, and we will generate the command for you.

Modes for Cracking Passwords

John the Ripper offers three main password-cracking modes: Single, Wordlist, and Incremental.

Single Crack Mode

Our example here is a username-password pair based on the 1986 Tom Cruise movie, which released its sequel in 2022.

In Single Crack Mode, John takes a string and generates variations of that string to generate a set of passwords. For example, you can use this Mode to generate password variations of the username “topgun” with the corresponding password “Topgun” (or TopGun, ToPgUn, tOpGuN, and so on).

Use the --format flag to specify the hash type and the --single (-si) flag to let John know we want to use the Single Crack Mode.

Afterward, we’ll crack more complex passwords with John’s Wordlist Mode.

Single Crack Mode

Try this exercise

  1. Designate a short string (topgun) as a username and variations on its capitalization as the password (such as Topgun).
  2. Show the output of the SHA-256-hashed password: echo -n 'Topgun' | sha256sum
  3. Create a new text file (simple.txt) to store the username and the password hash value from prior steps: echo -n 'topgun:4558ce5abe3b1e70bbadc3b95f2ff84f54d0a5c30fb524ceebfd401f8233fda7' > simple.txt
  4. Run simple.txt through John the Ripper’s Single Crack Mode (change the --format argument as you see fit): john --single --format=raw-sha256 simple.txt
  5. Get results.
Try this exercise

A self-contained tutorial on generating a password for Single Crack Mode

Oops: If you hash your desired password with the following wrong command instead, you’ll hash an unintended line break at the end:

echo Topgun | sha256sum # wrong command

Wordlist Mode

In Wordlist Mode, we’ll provide John with a list of passwords. John will generate hashes for them in real-time and compare them with our password hash. In this example, we will use the well-known RockYou wordlist, which you can preview at

cat /usr/share/wordlists/rockyou.txt | less

Feel free to copy it to your current working directory to simplify the commands using the --wordlist (-w) flag:

cp /usr/share/wordlists/rockyou.txt rockyou

Now let’s pass text files containing password hashes through John:

john --wordlist=rockyou --format=raw-sha256 crack.txt

john -w=rockyou --format=raw-sha256 crack.txt

Wordlist Mode

Try this exercise

  1. Pipe a hash based on one or more dictionary words (optionally with numbers) to SHA-256: echo -n 'password1234' | sha256sum
  2. Write your username, a colon (:), and the hash as a single long string into a new text file (crack.txt): echo user01:b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3>>crack.txt
  3. Repeat Steps 1 and 2 to generate as many username-password pairs as desired and append them to crack.txt.
  4. Run crack.txt through John the Ripper’s Wordlist Mode: john --wordlist=rockyou --format=raw-sha256 crack.txt
  5. Get results.
Try this exercise

Left: John the Ripper Wordlist Mode in action

Right: Generating hashes for three simple passwords

John finds these three passwords rapidly. The weaker the password is, the faster John cracks them.

Let’s move on to John’s final Incremental Mode.

Incremental Mode

In Incremental Mode, John tries all possible character combinations as passwords. This process can be time-consuming if the password is too long or if alphanumeric characters and symbols comprise the password.

You won’t use this Mode unless you don’t have any other options. Typically, a combination of social engineering attacks and Wordlist Mode will help you uncover most passwords.

The syntax for Incremental Mode is:

john --incremental --incremental-charcount=N --format=FORMAT passwords_to_crack.txt

john -inc --incremental-charcount=N --format=FORMAT passwords_to_crack.txt

Let’s break down each flag:

Incremental Mode flags

  • The --incremental (-inc) flag tells John to use the Incremental Mode.
  • The --incremental-charcount=N  flag, where N is a positive integer, is for setting the maximum number of digits in the password.
  • The --format option tells John the hash type of your passwords.
Incremental Mode flags

Try this exercise

  1. Pipe a hash on a simple alphanumeric password to SHA-256: echo -n 'passw0rd' | sha256sum
  2. Write your username, a colon (:), and the hash as a single long string into a new text file (inc.txt): echo user02:8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9>>inc.txt
  3. Run inc.txt through John the Ripper’s Wordlist Mode: john --incremental --format=raw-sha256 inc.txt
  4. Get results.
Generated password hashes

Generated password hashes

Cracking password hashes in Incremental Mode

Cracking password hashes in Incremental Mode

Now that we know how to use John the Ripper, we shall move on to specific use cases.

Cracking Passwords With John the Ripper

Now that we know the different modes, let’s examine some real-world examples of when and how to crack passwords with John.

Choosing a Wordlist

John’s default Wordlist is a file located in /usr/share/john/password.lst in Kali Linux, but its power is finite compared with custom wordlists such as those found by John’s developer OpenWall https://www.openwall.com/wordlists/

Apart from RockYou, the Wordlists all.lst (downloadable as all.gz) and huge.lst are good candidates for the --wordlist flag.

Edit the Wordlist by amending the following line in /usr/share/john/john.conf:

Wordlist = $JOHN/password.lst

Choosing a Wordlist

To make John work more efficiently, remove duplicate entries from and sort the contents of your chosen Wordlist file.

Cracking ZIP files

John has a utility called zip2john. zip2john helps us to get the hash from zip files. Other “2john” utilities exist, such as the rar2john utility for cracking a RAR file.

To crack a password-protected ZIP file, we first get the hash of the ZIP file’s password:

zip2john file.zip > zip.hashes

This command gets the hash from the ZIP file and stores it in the zip.hashes file.

Now you can crack the hash with John:

john zip.hashes # Single Crack Mode

john --wordlist=rockyou zip.hashes # Using the RockYou wordlist

Cracking ZIP files

Try this exercise

  1. Create a password-protected ZIP archive (classified.zip) on Kali Linux: right click on a file/folder, select “Create Archive…”, choose “ZIP” as the compression method, expand “Other options” to give it a weak password, and click “Create.”
  2. Export the ZIP hash to zip.hashes: zip2john classified.zip > zip.hashes
  3. Run zip.hashes through John the Ripper: john zip.hashes
  4. Get results.

Step 1: Create a password-protected ZIP archive on Kali Linux

Create a password-protected ZIP archive on Kali Linux

Steps 2 to 4: zip2john followed by John the Ripper usage

zip2john followed by John the Ripper usage

Cracking SSH Keys

The ssh2john utility creates a hash from your private key file. If your private key file path is /home/kali/.ssh/id_rsa, and you want to store the hash as myHash.txt, the syntax is:

ssh2john /home/kali/.ssh/id_rsa > myHash.txt

Cracking SSH Keys
Cracking SSH Keys

Try this exercise

  1. Use the following command to generate an RSA key pair with a passphrase: ssh-keygen
  2. Export the hashed private key file to a new file (myHash.txt): ssh2john /home/kali/.ssh/id_rsa > myHash.txt
  3. Run myHash.txt through John the Ripper: john --wordlist=rockyou myHash.txt
  4. Get results

Step 1: Demo of ssh-keygen

Demo of ssh-keygen

Cracking Linux Passwords

Linux stores password data in two files:

  • /etc/passwd stores information such as username, user id, and login shell;
  • /etc/shadow is the password file containing data such as hash and expiry date.

A utility bundled with John the Ripper called unshadow can combine both files for cracking. Here, we’ll name the combined file lin.txt:

unshadow /etc/passwd /etc/shadow > lin.txt

Cracking Linux Passwords

Cracking Linux hashes is tricky; Kali Linux’s John the Ripper doesn’t readily detect the hash type of Linux (crypt), where the --wordlist flag is optional. If you omit the --format flag below, John won’t crack anything at all:

john --format=crypt [--wordlist=rockyou] lin.txt

Once John has uncovered the passwords, you may view them using the command below:

john --show --format=crypt lin.txt

John has uncovered the passwords

Try this exercise

  1. Create a new user on Kali Linux: sudo useradd user1
  2. Give the new user a weak password: sudo passwd user1
  3. Repeat steps 1 and 2 as desired to create two more new user accounts user2 and user3 with weak passwords.
  4. Unshadow the Linux password hashes for all users: unshadow /etc/passwd /etc/shadow > lin.txt
  5. Export only the usernames and passwords of the three new users to a new file (lin3.txt): tail -n -3 lin.txt > lin3.txt
  6. Run it through John the Ripper: john --format=crypt --wordlist=rockyou lin3.txt
  7. Get results.
Try this exercise

Cracking Windows Passwords

Windows stores hashed passwords in the SAM database. SAM uses the LM/NTLM hash format for passwords. As getting passwords from the SAM database is beyond the scope of this article, we suggest generating your own LM/NTLM hashes to test out this functionality and echo them to a text file, say win.txt, as shown in the demonstration:

The syntax for cracking this file containing the LM/NTLM hashes is the following, where the --wordlist flag is optional:

john --format=LM [--wordlist=rockyou] win.txt

Once John has uncovered the passwords, you may view them using the command below:

john --show --format=LM win.txt

Cracking Windows Passwords

Try this exercise

  1. Designate a short string (topgun) as a username and variations on its capitalization as the password (such as Topgun).
  2. Pass the password from step 1 into an LM/NTLM hash function, such as via a website as shown below.
  3. Create a new text file (ntlm.txt) to store the username and the password hash value from prior steps: echo -n 'topgun::0BA224CF1C751F31AAD3B435B51404EE:D66B0428599B168372A76C8AB73A76A2:::' > ntlm.txt
  4. Run ntlm.txt through John the Ripper’s Single Crack Mode (change the --format argument as you see fit): john --format=LM --single ntlm.txt
  5. Get results. The capitalization of the cracked password may differ from what you’ve intended.

Step 2:

Step 2

Step 3 and 4:

Step 3 and 4

Choosing Specific Hashes to Crack

If you want to override John’s behavior of discovering the hash independently, you may tell John which hash type you’re looking for using the --format=HASH_TYPE flag. Choices for HASH_TYPE include Raw-MD (MD5), Raw-SHA1 (SHA-1), Raw-SHA256 (SHA-256), SSH, RADIUS, TACACS-Plus (TACACS+), ZIP, and RAR.

You can find all hash formats John supports using the following commands:

john --list=formats

john --list=subformats

Other Useful Commands

Here is a brief cheat sheet of John the Ripper commands:

Flag Description
--show FILE Show cracked passwords based on hashes from FILE
--rules, -ru Enable word-mangling rules to teach John the Ripper how to generate passwords
--status Print the status of an interrupted or running session
--session=NAME Give a new John the Ripper session a NAME, to which John will form the session file name NAME.rec; useful for running multiple instances of John in parallel or to be able to recover later a session other than the last one you interrupt
--restore[=NAME] Continue an interrupted cracking session, reading state information from the specified session file or the default session at the file path $JOHN/john.rec
--save-memory=LEVEL Enable memory saving at LEVEL 1, 2, or 3.
Level 1 tells John not to waste memory on login names, and may speed things up.
Levels 2 and 3 reduce John’s use of performance optimizations involving large lookup tables and thus may impact performance negatively.
--test[=TIME] Run tests (and benchmarks, unless TIME is explicitly 0), each spanning TIME seconds
& This symbol only applies to Kali Linux and other Unix-based operating systems.
When you put this symbol at the end of a John the Ripper command, you run it in the background.
--format=NAME Specify the hash type for John the Ripper to detect
--list=formats, --list=subformats Reveal the hash types John the Ripper supports
--single, -si Enable Single Crack Mode
--wordlist=FILE, -w=FILE Enable Wordlist Mode, specifying a Wordlist (dictionary attack)
--incremental, -inc Enable Incremental Mode

Find the complete official documentation for John the Ripper here.

Conclusion

We hope learning how to use John the Ripper helps you, whether you’re exploring cyber security or aiming to become a professional hacker or penetration tester. For more resources, read our blog posts on hacking and check out our courses below:

Frequently Asked Questions

What can I crack with John the Ripper?

You can crack popular hash formats such as MD5, SHA-1, several DES variants, and Blowfish. Get the full list using the command john --list=formats on the Linux terminal.

How long should John the Ripper take?

Single Crack Mode usually runs for under a second to about a day, depending on the hash type and password length. The more complex your passwords are, the longer it takes; it may take years to crack certain passwords. You may find a detailed answer to this question in the FAQ on John the Ripper’s official documentation.

How does John the Ripper guess passwords?

John the Ripper uses a rainbow table approach: it hashes the guessed password and compares it to the list of password hashes you feed into it. If the hashes match, John remembers the plaintext password associated with it and can return that to the attacker.

Where can I find John cracked passwords?

Use the --show flag and an additional --format flag denoting the hash type if necessary. Example: john --show --format=raw-sha256 crack.txt

Does John the Ripper cost money?

No. It comes free with Kali Linux or as a standalone downloadable utility.

What are the alternatives to John the Ripper?

Another well-known password cracker is Hashcat.

When should I use John the Ripper vs. Hashcat?

Hashcat can do complex cracking using a GPU, but you must adjust its settings to identify the hash yourself. It also requires OpenCL to work. On the other hand, John the Ripper optimizes CPU usage. It seeks quick wins, detects your hash type, and excels in simpler jobs. Experientially it’s also a better choice for cracking SSH keys.



from StationX https://bit.ly/3o5UY9M
via IFTTT

No comments:

Post a Comment