John The Ripper
John The Ripper is a hash cracking tool.
Introduction
John the Ripper is one of the most well-known and versatile hash cracking tools available. It can automatically detect hash types and select appropriate rules and formats for cracking, though its automatic detection isn’t always reliable.
Basic Syntax:
john <Options> <File to Crack>
Automatic Hash Detection:
john --wordlist=<Wordlist> <File to Crack>
Example 1:
john --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Example 2:
john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
Since John’s automatic hash detection isn’t always reliable, you can use the hash identifier tool:
/usr/share/hash-identifier/hash-id.py
If it’s not installed, download it with:
wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py
Run it using Python:
python3 /usr/share/hash-identifier/hash-id.py
Paste the hash into the tool to identify its type.
After identifying the hash format, run John with the format specified:
john --format=<Format> --wordlist=<Wordlist> <File to Crack>
Example 1:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt
Example 2:
john --format=whirlpool --wordlist=/usr/share/wordlists/rockyou.txt hash4.txt
Example 3:
john --format=nt --wordlist=/usr/share/wordlists/rockyou.txt ntlm.txt
Cracking the /etc/shadow File
Before cracking the /etc/shadow file, convert it using John's built-in unshadow tool:
unshadow <Path-to-passwd> <Path-to-shadow>
Example 1:
sudo unshadow /etc/passwd /etc/shadow > unshadowed.txt
In single crack mode, John uses information from the username to generate password guesses heuristically:
john --single --format=<Format> <File-to-Crack>
Example 1:
john --single --format=raw-sha256 hashes.txt
When using single crack mode, ensure that the hash file includes the username followed by a colon and then the hash (e.g., mike:1efee03cdcb96d90ad48ccc7b8666033).
Example 1:
mike:1efee03cdcb96d90ad48ccc7b8666033
Example 2:
Joker:7bf6d9bb82bed1302f331fc6b816aada
Custom Rules
Many organizations enforce password complexity rules, but users are often predictable with where symbols and numbers are placed (for example, a capital letter at the start and a number or symbol at the end).
Custom rules allow you to exploit this predictability. These rules are defined in the john.conf file (usually located in /etc/john/john.conf). The full syntax of the custom rules language can be found in the tool's Wiki.
The custom rules language includes syntax such as:
Az – Append the specified characters to the word.
A0 – Prepend the specified characters to the word.
c – Capitalize a character positionally.
To define which characters to use, place the character sets in square brackets ([ ]) after the modifier patterns in double quotes. Examples include:
[0-9] – Numbers 0 to 9.
[0] – Only the number 0.
[A-z] – Uppercase and lowercase letters.
[A-Z] – Only uppercase letters.
[a-z] – Only lowercase letters.
[a] – Only the letter a.
[!£$%@] – The symbols !£$%@.
Call a custom rule in John using the --rule=<Rule Name> flag.
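To see what candidates a rule of this shape actually produces, and by how much it multiplies the number of guesses per wordlist entry, here is a small expander for just the three modifiers and the bracketed sets listed above. It is an added example, not part of these notes or of John itself; it follows John's semantics for c (uppercase the first letter, lowercase the rest) and for bracketed sets (one rule per combination), and uses a constructed two-word wordlist.

```python
import itertools
import re

# Expander for the subset of John's rule syntax listed above: c capitalizes the
# first letter (John lowercases the rest); Az"..." appends the quoted string and
# AN"..." inserts it at position N (so A0 prepends). A bracketed set such as
# [0-9] or [!£$%@] in the quotes becomes one rule per combination, as in John.
TOKEN = re.compile(r'c|A(z|\d+)"([^"]*)"')

def expand_class(spec):
    """Turn the inside of [...] into the list of characters it covers."""
    chars, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":  # a range such as 0-9
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:  # a single literal character
            chars.append(spec[i])
            i += 1
    return chars

def expand_string(s):
    """Expand a quoted rule string into every concrete string it stands for."""
    parts = [[lit] if lit else expand_class(cls)
             for lit, cls in re.findall(r'([^\[]+)|\[([^\]]*)\]', s)]
    return ["".join(p) for p in itertools.product(*parts)]

def apply_rule(rule, word):
    """Return every candidate password the rule produces from one word."""
    if not re.fullmatch(f"(?:{TOKEN.pattern})*", rule):
        raise ValueError(f"rule uses syntax outside the supported subset: {rule!r}")
    candidates = [word]
    for m in TOKEN.finditer(rule):
        if m.group(0) == "c":
            candidates = [w[:1].upper() + w[1:].lower() for w in candidates]
        else:
            n = None if m.group(1) == "z" else int(m.group(1))
            candidates = [w + s if n is None else w[:n] + s + w[n:]
                          for w in candidates for s in expand_string(m.group(2))]
    return candidates

# Constructed sample wordlist and a rule for the pattern described above
# (capital first letter, then one digit and one symbol appended).
SAMPLE_WORDS = ["password", "winter"]
SAMPLE_RULE = 'cAz"[0-9][!£$%@]"'

def generate(rule=SAMPLE_RULE, words=SAMPLE_WORDS):
    """Candidates for a whole wordlist; len() shows how much a rule multiplies the guesses."""
    return [c for w in words for c in apply_rule(rule, w)]
```

Running generate() shows the sample rule turning each wordlist entry into 50 guesses, which is the number to weigh against a password policy that only mandates "one capital, one digit, one symbol".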
Other Types of Cracking
John the Ripper can also crack password-protected ZIP files, RAR files, and encrypted SSH private keys. As with the unshadow tool used previously, each of these must first be converted into a hash format that John understands, using a dedicated tool:
zip2john <Options> <ZIP-File> > <Output-File>
- Used to convert the ZIP file into a format that John can understand.
rar2john <RAR-File> > <Output-File>
- Used to convert the RAR file into a format that John can understand.
ssh2john <Key-File> > <Output-File>
- Used to convert the SSH key file into a format that John can understand.
john --wordlist=<Wordlist> <File-Name>
- Used to try and crack any of the mentioned files (after conversion).