John The Ripper

John The Ripper is a hash cracking tool.

Introduction

John the Ripper is one of the most well-known and versatile hash cracking tools available. It can automatically detect hash types and select appropriate rules and formats for cracking, though its automatic detection isn’t always reliable.
Basic Syntax: john <Options> <File to Crack>
Automatic Hash Detection: john --wordlist=<Wordlist> <File to Crack>
- Example 1: john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
- Example 2: john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
Since John’s automatic hash detection isn’t always reliable, you can use the hash identifier tool: /usr/share/hash-identifier/hash-id.py
- If it’s not installed, download it with:wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
- Run it using Python:python3 /usr/share/hash-identifier/hash-id.py Paste the hash into the tool to identify its type.
After identifying the hash format, run John with the format specified: john --format=<Format> --wordlist=<Wordlist> <File to Crack>
- Example 1: john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
- Example 2: john --format=whirlpool --wordlist=/usr/share/wordlists/rockyou.txt hash4.txt
- Example 3: john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm.txt

Cracking the /etc/shadow File

Before cracking the /etc/shadow file, convert it using John’s built-in tool: unshadow <Path-to-passwd> <Path-to-shadow>
- Example 1: sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
In single crack mode, John uses information from the username to generate password guesses heuristically: john --single --format=<Format> <File-to-Crack>
- Example 1: john --single --format=raw-sha256 hashes.txt
When using single crack mode, ensure that the hash file includes the username followed by a colon and then the hash (e.g., mike:1efee03cdcb96d90ad48ccc7b8666033).
- Example 1: mike:1efee03cdcb96d90ad48ccc7b8666033
- Example 2: Joker:7bf6d9bb82bed1302f331fc6b816aada

Custom Rules

Many organizations enforce password complexity rules, but users are often predictable with where symbols and numbers are placed (for example, a capital letter at the start and a number or symbol at the end).
Custom rules allow you to exploit this predictability. These rules are defined in the john.conf file (usually located in /etc/john/john.conf).
The full syntax of the custom rules language can be found in the Wiki of the tool.
The custom rules language includes syntax such as:
- Az – Append the specified characters to the word.
- A0 – Prepend the specified characters to the word.
- c – Capitalize a character positionally.
To define which characters to use, place the character sets in square brackets ([ ]) after the modifier patterns in double quotes. Examples include:
- [0-9] – Numbers 0 to 9.
- [0] – Only the number 0.
- [A-z] – Uppercase and lowercase letters.
- [A-Z] – Only uppercase letters.
- [a-z] – Only lowercase letters.
- [a] – Only the letter a.
- [!£$%@] – The symbols !£$%@.
Call a custom rule in John using the --rule=<Rule Name> flag.

Other Types of Cracking

John the Ripper can also crack password-protected zip files, rar files, and SSH encrypted keys. For these, you must convert the file into a format that John can understand using specific tools:
For each of these, similarly to the unshadow tool that we used previously, we're going to be using a specific tool to convert the file into a hash format that John is able to understand.
zip2john <Options> <ZIP-File> > <Output-File> - Used to convert the ZIP file into a format the John can understand.
rar2john <RAR-File> > <Output-File> - Used to convert the RAR file into a format that John can understand.
ssh2john <Key-File> > <Output-File> - Used to convert the SSH key file into a format that John can understand.
john --wordlist=<Wordlist> <File-Name> - Used to try and crack any of the mentioned files (after conversion)

PreviousHydra NextWrite Ups

Last updated 3 months ago

Introduction

John the Ripper is one of the most well-known and versatile hash cracking tools available. It can automatically detect hash types and select appropriate rules and formats for cracking, though its automatic detection isn’t always reliable.

Basic Syntax: john <Options> <File to Crack>

Automatic Hash Detection: john --wordlist=<Wordlist> <File to Crack>

Example 1: john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Example 2: john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt

Since John’s automatic hash detection isn’t always reliable, you can use the hash identifier tool: /usr/share/hash-identifier/hash-id.py

If it’s not installed, download it with:wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
Run it using Python:python3 /usr/share/hash-identifier/hash-id.py Paste the hash into the tool to identify its type.

After identifying the hash format, run John with the format specified: john --format=<Format> --wordlist=<Wordlist> <File to Crack>

Example 1: john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Example 2: john --format=whirlpool --wordlist=/usr/share/wordlists/rockyou.txt hash4.txt
Example 3: john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm.txt

Cracking the /etc/shadow File

Before cracking the /etc/shadow file, convert it using John’s built-in tool: unshadow <Path-to-passwd> <Path-to-shadow>

Example 1: sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt

In single crack mode, John uses information from the username to generate password guesses heuristically: john --single --format=<Format> <File-to-Crack>

Example 1: john --single --format=raw-sha256 hashes.txt

When using single crack mode, ensure that the hash file includes the username followed by a colon and then the hash (e.g., mike:1efee03cdcb96d90ad48ccc7b8666033).

Example 1: mike:1efee03cdcb96d90ad48ccc7b8666033
Example 2: Joker:7bf6d9bb82bed1302f331fc6b816aada

Custom Rules

Many organizations enforce password complexity rules, but users are often predictable with where symbols and numbers are placed (for example, a capital letter at the start and a number or symbol at the end).

Custom rules allow you to exploit this predictability. These rules are defined in the john.conf file (usually located in /etc/john/john.conf).

The full syntax of the custom rules language can be found in the Wiki of the tool.

The custom rules language includes syntax such as:

Az – Append the specified characters to the word.
A0 – Prepend the specified characters to the word.
c – Capitalize a character positionally.

To define which characters to use, place the character sets in square brackets ([ ]) after the modifier patterns in double quotes. Examples include:

[0-9] – Numbers 0 to 9.
[0] – Only the number 0.
[A-z] – Uppercase and lowercase letters.
[A-Z] – Only uppercase letters.
[a-z] – Only lowercase letters.
[a] – Only the letter a.
[!£$%@] – The symbols !£$%@.

Call a custom rule in John using the --rule=<Rule Name> flag.

Other Types of Cracking

John the Ripper can also crack password-protected zip files, rar files, and SSH encrypted keys. For these, you must convert the file into a format that John can understand using specific tools:

For each of these, similarly to the unshadow tool that we used previously, we're going to be using a specific tool to convert the file into a hash format that John is able to understand.

zip2john <Options> <ZIP-File> > <Output-File> - Used to convert the ZIP file into a format the John can understand.

rar2john <RAR-File> > <Output-File> - Used to convert the RAR file into a format that John can understand.

ssh2john <Key-File> > <Output-File> - Used to convert the SSH key file into a format that John can understand.

john --wordlist=<Wordlist> <File-Name> - Used to try and crack any of the mentioned files (after conversion)