Using John The Ripper To Crack Password Hashes
Every self-respecting pentester should have a powerful password cracker in their toolkit, and John the Ripper is simply the best cracker out there.
Initially released in 1996 by Openwall, John the Ripper has grown to become the preferred password cracker for hackers and pentesters and a reliable tool used by auditors to spot weak passwords.
In this article, we will learn how to perform basic password cracking using John the Ripper.
Why Use John The Ripper?
John the Ripper is an offline password cracker. In other words, it tries to find passwords from captured files without having to interact with the target. By doing this, it does not generate suspicious traffic since the process is generally performed locally, on the attacker’s machine.
Although it’s primarily used to crack password hashes, John can also be used to crack protected archive files, encrypted private keys, and many more.
How to Download John The Ripper?
John the Ripper is a free open-source project. You can download it for free from the Openwall website or from its official Github repository. You should make sure to download the correct package for your OS.
If you have Kali Linux, then john should already be installed. You can find the correct location of the binary file by running the locate command
Once you’ve successfully downloaded and installed John, you can launch it by typing the name of the binary file on your command prompt followed by a password file.
In the below example, passwordFile is a file that contains a list of password hashes that we want to crack.
This is the most basic command that you can use. Since we have not specified any parameter other than the password file, John will try to crack this file using the default options.
Although this is the simplest and easiest way to use John, it will not necessarily provide the desired results. For this, we have to specify additional options.
John’s Cracking Modes
When attempting to crack a password file using John the Ripper, the first thing you need to consider is how should John go about performing the cracking process.
John has three main cracking modes that you can choose from. Let’s see what each of these modes does.
This is the most common way to use John the Ripper. In this mode, you can specify a path to a wordlist file that contains a list of possible passwords. John will test all the words contained in that wordlist and check if the correct password is present there. This process is what is known as a Dictionary Attack.
It is important that the wordlist contains one password per line. Otherwise, John the Ripper will not process it correctly.
In the example below, I am using the ‘–wordlist‘ option to specify the path to the wordlist file, which is ‘/usr/share/wordlists/rockyou.txt‘. If the correct password is in that file, John will display it.
./john --wordlist=/usr/share/wordlists/rockyou.txt passwordFile
‘passwordFile‘ is the text file that contains the password hashes that we want to crack.
To increase the chances of finding a correct password, you can enable the wordlist mode with mangling rules. By doing this, John will slightly modify each word in the wordlist. This will result in new likely passwords that aren’t necessarily present in the wordlist, and thus it will increase your chances of finding the correct one.
To enable mangling rules, you can use the ‘–rules‘ option. However, you should note that this will take a longer time to process the wordlist.
Single Crack Mode
The single crack mode is generally used when trying to crack Unix passwords. It takes advantage of the GECOS fields present in the passwd file. These GECOS fields normally contain information about the user, such as their username and their full name.
John will generate a list of candidate passwords from these fields, and by using an extensive set of mangling rules (which John does by default in the single crack mode), the generated list will be customized to each user.
To enable Single Crack mode, you can simply use the ‘–single‘ option.
You should note that, when no mode is specified, John by default starts with single crack mode, then the wordlist mode, before ending with the incremental mode (which we’ll see in the coming section).
To better illustrate this mode, let’s see an example of how you would crack the passwords of a Unix system.
The classical password file where Unix systems store information about users is ‘/etc/passwd‘. However, almost all Unix systems store password hashes in a separate file ‘/etc/shadow‘.
Now, in order to have a single file with GECOS fields and password hashes, we can use the ‘unshadow‘ utility that comes with John.
You can do so by running the following command:
unshadow /etc/passwd /etc/shadow > passwordFile
The above command will save the generated file in the current directory under the name ‘passwordFile‘.
Once we have our password file, we can run John with the single crack mode.
./john --single passwordFile
This is John’s brute force mode. When enabled, John will try every possible combination of characters within the specified charset and password length limit.
To enable the incremental mode, you can use the ‘–incremental‘ option followed by the mode to use. This mode is what defines the charset to use and the password length limit.
John comes with some predefined incremental modes. To choose the mode that best suits your purposes, you can check the ‘john.conf‘ file where settings for John the Ripper are stored.
Here is an example of the Alpha mode taken from ‘john.conf‘:
File = $JOHN/alpha.chr
MinLen = 1
MaxLen = 13
CharCount = 52
The Alpha mode, as defined in this config, can crack passwords ranging from 1 to 13 characters in length, and with a charset of 52 possible characters.
Other predefined modes that you can find in the config file include : ASCII (All printable ASCII characters), Alnum (All alphanumeric characters), Lower (Only lowercase letters), and Digits (Only digits).
If you can’t find an incremental mode that fits your needs, you can add it in the config. If you decide to do so, I invite you to read the official documentation about how to customize John the Ripper.
The following command will try to crack the passwords using the digits incremental mode.
./john --incremental=Digits passwordFile
By default, John the Ripper detects the hash type and then tries to crack the password based on that type. However, John can sometimes miss the correct type. In this case, it would be better to bypass the automatic hash detection and manually specify the type. To do so, you can use the ‘–format‘ option followed by the hash type.
For example, the following command will crack the MD5 hashes contained in passwordFile:
./john --format=Raw-MD5 passwordFile
To get the list of all supported hash formats, you can run the following command:
You now have all the basics that you need to start cracking passwords using John the Ripper. Of course, John has other features that we haven’t covered here, so if you want a more complete learning material, I invite you to check the official documentation.