✅John The Ripper
John The Ripper is a hash cracking tool.
Introduction
John the Ripper is one of the most well-known, well-loved and versatile hash cracking tools out there.
The basic syntax of John the Ripper commands is as follows:
john <Options> <File to Crack>
John can try to detect the hash type itself and pick a matching format and rules for you. This guess is not always right: many hash types look identical (a 32-character hex string could be MD5, NTLM or MD4), and when several formats match John picks one and prints a warning naming the others, so check that warning before trusting the result:
john --wordlist=<Wordlist> <File to Crack>
Example 1:
john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Example 2:
john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
Since John's automatic detection isn't always reliable, a separate tool can be used to identify the hash type first,
/usr/share/hash-identifier/hash-id.py
If not installed, you can fetch the script (note that wget saves it into the current directory, so adjust the path used below accordingly):
wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
Usage is simple: run it with Python,
python3 /usr/share/hash-identifier/hash-id.py
and then paste the hash to get its type. The output is a ranked list of guesses, not a certainty; hashes of the same length cannot be told apart by appearance alone, so weigh the candidates against where the hash came from (a Windows SAM dump is NTLM, a web application database is more likely MD5 or SHA-family). The exact format names John accepts are listed by john --list=formats.
After identifying the format of the hash, we can start format-specific cracking using this command (the value for --format must be one of the names printed by john --list=formats; cracked passwords are saved in John's pot file and can be listed again later with john --show --format=<Format> <File to Crack>),
john --format=<Format> --wordlist=<Wordlist> <File to Crack>
Example 1:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Example 2:
john --format=whirlpool --wordlist=/usr/share/wordlists/rockyou.txt hash4.txt
Example 3:
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm.txt
To crack the /etc/shadow file we first need to use unshadow, a tool shipped with John The Ripper, to merge /etc/passwd and /etc/shadow into the one-line-per-user format that John understands,
unshadow <Path to passwd> <Path to shadow>
Example 1:
sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
Reading /etc/shadow requires root, hence the sudo. The merged output keeps the passwd fields (username, UID, GECOS, home directory, shell) with the real hash in place of the x; John uses those extra fields as hints in single crack mode, which is why the merged file is a better input than /etc/shadow alone. The hash type is recognised from its prefix (for example $6$ is sha512crypt), so john --wordlist=<Wordlist> unshadowed.txt normally works without --format.
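To make the merge step concrete, here is an added Python example (not John the Ripper's own unshadow code) that does what unshadow does: it joins passwd and shadow on the username and replaces the x password field with the shadow hash, then filters out the locked or passwordless accounts (*, !, empty) that John would skip anyway. The passwd and shadow lines are constructed, and the $6$ hashes are placeholders rather than real password hashes.

```python
"""Minimal re-implementation of what `unshadow` does: join /etc/passwd and
/etc/shadow on the username so each line carries the real hash.
Added example, not John the Ripper's own code; the input below is
constructed and the $6$ hash values are placeholders, not real hashes."""

# Constructed sample /etc/passwd content.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mike:x:1000:1000:Mike:/home/mike:/bin/bash
"""

# Constructed sample /etc/shadow content (hash fields are placeholders).
SHADOW = """root:$6$saltsalt$HASHPLACEHOLDERROOT:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
mike:$6$saltsalt$HASHPLACEHOLDERMIKE:19000:0:99999:7:::
"""


def unshadow(passwd_text, shadow_text):
    """Return passwd-style lines with the 'x' password field replaced by the
    hash from shadow. Users without a shadow entry keep their passwd field,
    which is also what the real unshadow tool does."""
    shadow_hashes = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        shadow_hashes[fields[0]] = fields[1]

    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        if user in shadow_hashes:
            fields[1] = shadow_hashes[user]
        merged.append(":".join(fields))
    return merged


def crackable(lines):
    """Drop locked or passwordless accounts ('*', '!', '!!', empty field).
    John skips these on its own; filtering keeps the file readable."""
    out = []
    for line in lines:
        pw = line.split(":")[1]
        if pw and not pw.startswith(("*", "!")):
            out.append(line)
    return out


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))
    print("--- accounts john can actually attack ---")
    print("\n".join(crackable(merged)))
```

Redirect the printed lines to a file and it is the same shape as unshadowed.txt above; the daemon line survives the merge but is dropped by crackable() because its shadow field is *, i.e. the account has no password to crack.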
Single Crack mode: In this mode, John needs no wordlist. It builds candidate passwords from the information it already has about the user (the username, and for passwd-style input also the GECOS/full-name and home directory fields) and mangles them with its built-in single-mode rules, for example by changing case, reversing them and appending digits. It is fast and worth running first:
john --single --format=<Format> <File to Crack>
Example 1:
john --single --format=raw-sha256 hashes.txt
If you're cracking hashes in single crack mode, you need to change the file format you feed John so it knows which username to build candidates from. You do this by prepending the hash with the username the hash belongs to, followed by a colon
:
so from
1efee03cdcb96d90ad48ccc7b8666033
it becomes
<User Name>:1efee03cdcb96d90ad48ccc7b8666033
Example 1:
mike:1efee03cdcb96d90ad48ccc7b8666033
Example 2:
Joker:7bf6d9bb82bed1302f331fc6b816aada
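The following is an added example (not code from this page or from John the Ripper) covering both the format-specific wordlist cracking above and the user:hash input form used by single crack mode. It builds John-compatible input lines for raw-md5 and raw-sha256 from a known password, and then runs a tiny wordlist attack that shows what john does under the hood for an unsalted format: hash each candidate once and look it up against every target. The password, usernames and five-entry wordlist are constructed stand-ins for rockyou.txt; the page's own example hashes are not used because their plaintexts are not given here.

```python
"""Build John-style hash files for a known password and run a minimal
wordlist attack. Added example, not John the Ripper's own code; the
password, usernames and wordlist below are constructed."""
import hashlib

# Constructed five-entry wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "Password1", "qwerty"]

# Raw, unsalted formats: what --format=raw-md5 / --format=raw-sha256 expect
# is one hex digest per line, optionally prefixed with "username:".
FORMATS = {
    "raw-md5": lambda pw: hashlib.md5(pw.encode()).hexdigest(),
    "raw-sha256": lambda pw: hashlib.sha256(pw.encode()).hexdigest(),
}


def make_hash_line(username, password, fmt):
    """One line of John input. With a username it is the user:hash form
    that --single needs; without one it is the bare hash --wordlist accepts."""
    digest = FORMATS[fmt](password)
    return f"{username}:{digest}" if username else digest


def parse_hash_line(line):
    """Split an optional user: prefix from the hash; returns (user, hash)."""
    line = line.strip()
    if ":" in line:
        user, digest = line.split(":", 1)
        return user, digest.lower()
    return None, line.lower()


def wordlist_attack(lines, fmt, wordlist):
    """Hash each wordlist entry once and look it up against every target.
    This is why unsalted hashes crack so fast: one hash per candidate covers
    all users at once. Returns {hash: plaintext} for the ones found."""
    hasher = FORMATS[fmt]
    targets = {parse_hash_line(l)[1] for l in lines}
    found = {}
    for candidate in wordlist:
        digest = hasher(candidate)
        if digest in targets and digest not in found:
            found[digest] = candidate
            if len(found) == len(targets):
                break  # everything cracked, stop early as john does
    return found


def write_hash_file(path, lines):
    """Write the lines so the same file can be handed to the real john."""
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")


if __name__ == "__main__":
    lines = [
        make_hash_line("mike", "letmein", "raw-md5"),
        make_hash_line("joker", "Password1", "raw-md5"),
        make_hash_line(None, "correcthorse", "raw-md5"),  # not in WORDLIST
    ]
    # The same file works with: john --format=raw-md5 --wordlist=... hashes_md5.txt
    write_hash_file("hashes_md5.txt", lines)
    print("\n".join(lines))
    for digest, plain in wordlist_attack(lines, "raw-md5", WORDLIST).items():
        print(f"{digest} -> {plain}")
```

Running it writes hashes_md5.txt, which you can feed to the real john with --format=raw-md5 to compare results; the third hash stays uncracked in both because its plaintext is not in the wordlist, which is exactly where custom rules come in.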
Custom Rules
Many organisations require a certain level of password complexity to try to combat dictionary attacks.
This is good! However, we can exploit the fact that most users are predictable about where they put the required characters.
For example, a password with the capital letter first, and a number followed by a symbol at the end (Password1! rather than !1passworD).
Custom rules let us exploit this predictability: instead of listing every variant in the wordlist, we tell John how to mutate each word.
Custom rules are defined in the
john.conf
file, usually located at /etc/john/john.conf (a build from source keeps it in John's run directory instead). A section header of the form
[List.Rules:<Rule Name>]
starts a rule set (Example: [List.Rules:THMRules]); every line that follows, up to the next section header, is one rule.
The full syntax of the custom rules language can be found in the Wiki of the tool and in doc/RULES in the John source tree.
These are some of the commands (each acts on the current candidate word, applied left to right):
Az"<chars>"
- Appends the characters you define to the end of the word
A0"<chars>"
- Prepends the characters you define to the start of the word (A<N> inserts at position N; z means the end of the word)
c
- Capitalises the word: first character uppercase, the rest lowercase
These can be used in combination to define where in the word you want to modify and what to add.
After that we need to identify the characters, we do this by adding character sets in square brackets
[ ]
in the order they should be used. These go inside the double quotes
" "
that follow the Az / A0 command. The rules preprocessor expands every set into one rule per character, so a string containing several sets produces one rule per combination ([0-9][!£$%@] yields 10 × 5 = 50 rules).
Examples:
[0-9]
- Will include the numbers 0-9
[0]
- Will include only the number 0
[A-z]
- Will include uppercase and lowercase letters, but because ranges run over ASCII codes it also pulls in the six characters between Z and a ([ \ ] ^ _ `); use [A-Za-z] if you mean letters only
[A-Z]
- Will include only uppercase letters
[a-z]
- Will include only lowercase letters
[a]
- Will include only the letter a
[!£$%@]
- Will include the symbols !£$%@
Putting it together, a rule that capitalises the word and appends one digit followed by one symbol is written as cAz"[0-9][!£$%@]" on a line under the [List.Rules:<Rule Name>] header.
We could then call this custom rule as a John argument using the
--rules=<Rule Name>
flag (the abbreviated --rule=<Rule Name> is accepted as well), for example john --wordlist=<Wordlist> --rules=<Rule Name> <File to Crack>.
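To see exactly which candidates a rule produces before spending GPU time on it, here is an added Python example (not John the Ripper's own rule engine) implementing the subset of the rule language discussed above: the preprocessor expansion of [...] character sets into many concrete rules, and the c, l, u and A<N>"..." commands. Range expansion is done by character code, which reproduces the [A-z] pitfall mentioned above. The rule strings and base words are constructed; anything beyond these commands is outside the example.

```python
"""Expand a john.conf rule line the way John's rules preprocessor and rule
engine do for the subset covered here: c, l, u, A<N>"..." and [...] sets.
Added example, not John the Ripper's own code; only these commands are
implemented, the real rule language is much larger."""
import itertools
import re


def class_chars(body):
    """Turn the inside of a [...] set into the characters it covers.
    Ranges such as 0-9 or A-z are expanded by character code, so A-z also
    pulls in [ \\ ] ^ _ ` (codes 91-96) between Z and a."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            lo, hi = body[i], body[i + 2]
            chars.extend(chr(c) for c in range(ord(lo), ord(hi) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def expand_classes(rule):
    """Preprocessor step: each [...] becomes one rule per character in the
    set; several sets give the Cartesian product, so cAz"[0-9][!£$%@]"
    turns into 10 * 5 = 50 concrete rules."""
    parts = re.split(r"(\[[^\]]*\])", rule)
    choices = []
    for part in parts:
        if part.startswith("[") and part.endswith("]"):
            choices.append(class_chars(part[1:-1]))
        else:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def apply_rule(rule, word):
    """Apply one concrete (already expanded) rule, left to right."""
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == "c":          # capitalise: first char upper, rest lower
            word = word[:1].upper() + word[1:].lower()
            i += 1
        elif cmd == "l":        # lowercase the whole word
            word = word.lower()
            i += 1
        elif cmd == "u":        # uppercase the whole word
            word = word.upper()
            i += 1
        elif cmd == "A":        # A<N>"STR": insert STR at position N (z = end)
            pos_char = rule[i + 1]
            if rule[i + 2] != '"':
                raise ValueError(f"malformed insert at offset {i}: {rule!r}")
            end = rule.index('"', i + 3)
            text = rule[i + 3:end]
            pos = len(word) if pos_char == "z" else int(pos_char)
            word = word[:pos] + text + word[pos:]
            i = end + 1
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return word


def candidates(rule_line, words):
    """Every candidate John would try for `words` under `rule_line`: each
    concrete rule is run over the whole wordlist before the next rule,
    and duplicates are dropped."""
    seen, out = set(), []
    for rule in expand_classes(rule_line):
        for w in words:
            cand = apply_rule(rule, w)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    rule = 'cAz"[0-9][!£$%@]"'   # constructed rule built from the commands above
    print(len(expand_classes(rule)), "concrete rules from", rule)
    cands = candidates(rule, ["password", "summer"])
    print(len(cands), "candidates, e.g.", cands[:5])
    print('cA0"Dr." on mike ->', apply_rule('cA0"Dr."', "mike"))
    print("[A-z] covers", len(class_chars("A-z")), "characters; [A-Za-z] covers",
          len(class_chars("A-Za-z")))
```

A useful habit: run your rule through something like this (or john --wordlist=... --rules=... --stdout) and eyeball the candidates before a long run; a stray [A-z] or a misplaced quote silently multiplies the keyspace or produces nothing.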
Other Types of Cracking
John The Ripper can also crack other things, like password-protected ZIP files, password-protected RAR files, and passphrase-protected SSH private keys.
For each of these, similarly to the unshadow tool that we used previously, a helper tool converts the file into a hash format that John is able to understand:
zip2john <Options> <ZIP File> > <Output File>
- Converts the ZIP file into a format that John can understand
rar2john <RAR File> > <Output File>
- Converts the RAR file into a format that John can understand
ssh2john <Key File> > <Output File>
- Converts the SSH private key file into a format that John can understand (on Kali it may only be present as the script /usr/share/john/ssh2john.py, run with python3)
john --wordlist=<Wordlist> <File Name>
- Cracks any of the converted files; John recognises the format from the converted hash line, so --format is usually not needed
What you recover is the archive password or the key's passphrase, which you then use with the original file; once cracked, john --show <File Name> prints it again.