Using John The Ripper To Crack Password Hashes

John the Ripper is a powerful offline password cracker favored by pentesters and auditors for its ability to crack password hashes and protected files without generating suspicious traffic. The article explains how to download, install, and use John the Ripper, detailing its three main cracking modes: Wordlist, Single Crack, and Incremental. It also covers how to specify hash formats and provides examples for effective password cracking.

Uploaded by skynet ceh
Using John The Ripper To Crack Password Hashes - PatchTheNet

Every self-respecting pentester should have a powerful password cracker in their toolkit, and John the
Ripper is simply the best cracker out there.

Initially released in 1996 by Openwall, John the Ripper has grown to become the preferred
password cracker for hackers and pentesters and a reliable tool used by auditors to spot weak
passwords.

In this article, we will learn how to perform basic password cracking using John the Ripper.

Why Use John The Ripper?

John the Ripper is an offline password cracker. In other words, it tries to find passwords from
captured files without having to interact with the target. By doing this, it does not generate suspicious
traffic since the process is generally performed locally, on the attacker’s machine.

Although it’s primarily used to crack password hashes, John can also be used to crack protected
archive files, encrypted private keys, and many more.

How to Download John The Ripper?

John the Ripper is a free open-source project. You can download it for free from the Openwall website
or from its official Github repository. You should make sure to download the correct package for your
OS.

If you have Kali Linux, then john should already be installed. You can find the location of the
binary file by running the locate command:

locate john

Getting Started

Once you’ve successfully downloaded and installed John, you can launch it by typing the name of the
binary file on your command prompt followed by a password file.

In the below example, passwordFile is a file that contains a list of password hashes that we want to
crack.

./john passwordFile

This is the most basic command that you can use. Since we have not specified any parameter other
than the password file, John will try to crack this file using the default options.

Although this is the simplest and easiest way to use John, it will not necessarily provide the desired
results. For this, we have to specify additional options.

John’s Cracking Modes

When attempting to crack a password file using John the Ripper, the first thing you need to consider
is how should John go about performing the cracking process.

John has three main cracking modes that you can choose from. Let’s see what each of these modes
does.

Wordlist Mode

This is the most common way to use John the Ripper. In this mode, you can specify a path to a
wordlist file that contains a list of possible passwords. John will test all the words contained in that
wordlist and check if the correct password is present there. This process is what is known as
a Dictionary Attack.

It is important that the wordlist contains one password per line. Otherwise, John the Ripper will not
process it correctly.

In the example below, I am using the '--wordlist' option to specify the path to the wordlist file, which
is '/usr/share/wordlists/rockyou.txt'. If the correct password is in that file, John will display it.

./john --wordlist=/usr/share/wordlists/rockyou.txt passwordFile

'passwordFile' is the text file that contains the password hashes that we want to crack.

To increase the chances of finding a correct password, you can enable the wordlist mode
with mangling rules. By doing this, John will slightly modify each word in the wordlist. This will
result in new likely passwords that aren’t necessarily present in the wordlist, and thus it will increase
your chances of finding the correct one.

To enable mangling rules, you can use the '--rules' option. However, you should note that this will
take a longer time to process the wordlist.

Single Crack Mode

The single crack mode is generally used when trying to crack Unix passwords. It takes advantage of
the GECOS fields present in the passwd file. These GECOS fields normally contain information about
the user, such as their username and their full name.

John will generate a list of candidate passwords from these fields, and by using an extensive set of
mangling rules (which John does by default in the single crack mode), the generated list will be
customized to each user.

To enable Single Crack mode, you can simply use the '--single' option.

You should note that, when no mode is specified, John by default starts with single crack mode, then
the wordlist mode, before ending with the incremental mode (which we’ll see in the coming section).

To better illustrate this mode, let’s see an example of how you would crack the passwords of a Unix
system.

Example

The classical password file where Unix systems store information about users is '/etc/passwd'.
However, almost all Unix systems store password hashes in a separate file, '/etc/shadow'.

Now, in order to have a single file with GECOS fields and password hashes, we can use the
'unshadow' utility that comes with John.

You can do so by running the following command:

unshadow /etc/passwd /etc/shadow > passwordFile

The above command will save the generated file in the current directory under the name
'passwordFile'.

Once we have our password file, we can run John with the single crack mode.

./john --single passwordFile
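To make the wordlist-with-rules and single-crack sections above concrete, here is a small re-implementation of both ideas, added as an example and not John's own code: entries are in the layout 'unshadow' produces, candidates come either from a shared wordlist (optionally expanded by a few constructed mangling rules) or from each user's login name and GECOS field, and every candidate is compared against the stored hash. The sample entries, wordlist and rules are constructed; raw MD5 is used only so it runs without John.

```python
import hashlib

# Constructed sample in the layout 'unshadow' produces
# (user:hash:uid:gid:GECOS:home:shell). Raw MD5 is used here only so the
# example runs without John; real /etc/shadow entries use salted crypt hashes.
SAMPLE = [
    "alice:" + hashlib.md5(b"Alice1").hexdigest() + ":1000:1000:Alice Smith:/home/alice:/bin/bash",
    "bob:" + hashlib.md5(b"summer2020!").hexdigest() + ":1001:1001:Bob Jones:/home/bob:/bin/bash",
]
WORDLIST = ["password", "summer2020", "letmein"]  # constructed three-line wordlist

def mangle(word):
    """A handful of simple rules in the spirit of John's mangling rules."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "!", "123"):
        yield word + suffix
        yield word.capitalize() + suffix

def gecos_candidates(entry):
    """Single-crack mode: base words come from the login name and GECOS field."""
    user, _, _, _, gecos, _, _ = entry.split(":")
    words = {user, *gecos.replace(",", " ").split()}
    return sorted(words | {w.lower() for w in words})

def crack(entries, mode, wordlist=(), rules=True):
    """Return {user: password} for every entry whose hash matched a candidate.

    mode="single"   uses per-user GECOS-derived words (rules always on, as in John)
    mode="wordlist" uses the shared wordlist, with or without mangling rules
    """
    found = {}
    for entry in entries:
        user, target = entry.split(":")[:2]
        bases = gecos_candidates(entry) if mode == "single" else list(wordlist)
        use_rules = rules or mode == "single"
        for base in bases:
            for cand in (mangle(base) if use_rules else [base]):
                if hashlib.md5(cand.encode()).hexdigest() == target:
                    found[user] = cand
                    break
            if user in found:
                break
    return found

if __name__ == "__main__":
    print("single:            ", crack(SAMPLE, "single"))
    print("wordlist, no rules:", crack(SAMPLE, "wordlist", WORDLIST, rules=False))
    print("wordlist + rules:  ", crack(SAMPLE, "wordlist", WORDLIST))
```

Only the single-crack pass recovers alice's password (built from her name), and only the rules pass recovers bob's (a wordlist entry plus a suffix), which is exactly why John chains these modes.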

Incremental Mode

This is John’s brute force mode. When enabled, John will try every possible combination of characters
within the specified charset and password length limit.

To enable the incremental mode, you can use the '--incremental' option followed by the mode to use.
This mode is what defines the charset to use and the password length limit.

John comes with some predefined incremental modes. To choose the mode that best suits your
purposes, you can check the 'john.conf' file where settings for John the Ripper are stored.

Here is an example of the Alpha mode taken from 'john.conf':

[Incremental:Alpha]
File = $JOHN/alpha.chr
MinLen = 1
MaxLen = 13
CharCount = 52

The Alpha mode, as defined in this config, can crack passwords ranging from 1 to 13 characters in
length, and with a charset of 52 possible characters.

Other predefined modes that you can find in the config file include: ASCII (all printable ASCII
characters), Alnum (all alphanumeric characters), Lower (only lowercase letters), and Digits (only
digits).

If you can’t find an incremental mode that fits your needs, you can add it in the config. If you decide
to do so, I invite you to read the official documentation about how to customize John the Ripper.

The following command will try to crack the passwords using the digits incremental mode.

./john --incremental=Digits passwordFile
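To show what the MinLen, MaxLen and CharCount settings of an incremental mode actually mean, here is an added example (not John's code) that parses [Incremental:...] stanzas written in john.conf syntax, computes how many candidates each mode covers, and runs a Digits-style brute force against a constructed raw-MD5 hash. The Alpha stanza mirrors the one quoted above; the Digits stanza is constructed with MaxLen = 4 so the search finishes instantly.

```python
import hashlib
import itertools

# Constructed john.conf-style text. Alpha matches the article's stanza; Digits
# is shortened to MaxLen = 4 here (John's real one is longer) to keep the demo fast.
CONF = """
[Incremental:Alpha]
File = $JOHN/alpha.chr
MinLen = 1
MaxLen = 13
CharCount = 52

[Incremental:Digits]
File = $JOHN/digits.chr
MinLen = 1
MaxLen = 4
CharCount = 10
"""

def parse_incremental(conf):
    """Return {mode_name: {key: value}} for every [Incremental:...] section."""
    modes, current = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("[Incremental:") and line.endswith("]"):
            current = line[len("[Incremental:"):-1]
            modes[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            modes[current][key] = int(value) if value.isdigit() else value
    return modes

def keyspace(mode):
    """Candidates the mode covers: CharCount**L summed over MinLen..MaxLen."""
    return sum(mode["CharCount"] ** n for n in range(mode["MinLen"], mode["MaxLen"] + 1))

def brute_force(target_hex, charset, min_len, max_len):
    """Exhaustive search over the charset, shortest lengths first."""
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if hashlib.md5(cand.encode()).hexdigest() == target_hex:
                return cand
    return None

MODES = parse_incremental(CONF)
TARGET = hashlib.md5(b"2468").hexdigest()  # constructed 4-digit PIN hash

if __name__ == "__main__":
    for name, m in MODES.items():
        print(f"{name}: {keyspace(m):,} candidates")
    print("Digits found:", brute_force(TARGET, "0123456789", MODES["Digits"]["MinLen"], MODES["Digits"]["MaxLen"]))
```

The keyspace numbers make the practical point: the shortened Digits mode is a few thousand candidates, while Alpha up to 13 characters exceeds 10^22, which is why incremental mode is run last and usually bounded by a custom stanza.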

Hash Formats

By default, John the Ripper detects the hash type and then tries to crack the password based on that
type. However, John can sometimes miss the correct type. In this case, it would be better to bypass
the automatic hash detection and manually specify the type. To do so, you can use the '--format'
option followed by the hash type.

For example, the following command will crack the MD5 hashes contained in passwordFile:

./john --format=Raw-MD5 passwordFile

To get the list of all supported hash formats, you can run the following command:

./john --list=formats

You now have all the basics that you need to start cracking passwords using John the Ripper. Of
course, John has other features that we haven’t covered here, so if you want a more complete learning
material, I invite you to check the official documentation.
