How to Install John The Ripper on Windows 10
Posted: admin on 17.01.2020

John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others. Cracking passwords in Kali Linux using John the Ripper is very straightforward.
In this post, I will demonstrate that. John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or Telnet server.
John, however, needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked.
Nowadays hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash, and if the hash is made of a common word, the site will show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database.
The larger the database, the more words it covers. One of the modes John the Ripper can use is the dictionary attack.
It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), encrypts each one in the same format as the password being examined (including both the encryption algorithm and key), and compares the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these.
Many of these alterations are also used in John’s single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the hashes. John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it takes a long time to run. John the Ripper uses a two-step process to crack a password. First it uses the passwd and shadow files to create an output file.
Next, you actually run a dictionary attack against that file to crack it. In short, John the Ripper will use the following two files:

/etc/passwd
/etc/shadow

Cracking passwords using John the Ripper

In Linux, password hashes are stored in the /etc/shadow file. For the sake of this exercise, I will create a new user named john and assign him the simple password ‘password’. I will also add john to the sudo group and assign /bin/bash as his shell.
There’s a nice article I posted last year which explains user creation in Linux in great detail. It’s a good read if you are interested in understanding the flags, and the same structure can be used on almost any Linux/Unix/Solaris operating system. Also, when you create a user, you need their home directory created, so go through that post if you have any doubts. Now, that’s enough mumbo jumbo, let’s get to business. First let’s create a user named john and assign password as his password.
(Very secure, yeah!)

root@kali:# useradd -m john -G sudo -s /bin/bash
root@kali:# passwd john
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@kali:#

Unshadowing passwords

Now that we have created our victim, let’s start with the unshadow command. The unshadow command combines the entries of /etc/passwd and /etc/shadow into one file with username and password-hash details. If you just type unshadow, it shows you the usage anyway.

root@kali:# unshadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
root@kali:# unshadow /etc/passwd /etc/shadow > /root/johnspasswd

I’ve redirected the output to the /root/johnspasswd file because I have a thing for organizing. Do what you feel like here.
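To make the merge step concrete, here is an added example (not code from this post or from the John the Ripper project) that re-implements what unshadow does on constructed /etc/passwd and /etc/shadow lines, and then classifies each password field by its crypt(3) $id$ prefix so an auditor can spot accounts still using fast, weak hash types such as descrypt or md5crypt. The sample lines, placeholder hash strings and the WEAK_TYPES policy are assumptions made for the example.

```python
# Added example: a minimal re-implementation of what John's `unshadow`
# utility does (merge /etc/passwd with /etc/shadow), plus a lookup of the
# hash type from the $id$ prefix that crypt(3) hashes carry. This is not
# code from the post or from the John the Ripper project.
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample files. The hash strings are placeholders with the
# right shape, not real hashes of any password.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "john:x:1001:1001:John Example,,,:/home/john:/bin/bash",
    "legacy:x:1002:1002:Legacy User:/home/legacy:/bin/sh",
]
SHADOW_LINES = [
    "root:*:18200:0:99999:7:::",
    "daemon:*:18200:0:99999:7:::",
    "john:$6$saltsalt$PLACEHOLDER_SHA512CRYPT_HASH:18200:0:99999:7:::",
    "legacy:$1$abcdefgh$PLACEHOLDER_MD5CRYPT_HASH:18200:0:99999:7:::",
]

# $id$ prefixes as documented in crypt(5); traditional DES hashes have no
# prefix and are exactly 13 characters long.
CRYPT_IDS: Dict[str, str] = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
# Assumed audit policy: fast hash types that should be migrated.
WEAK_TYPES = {"descrypt", "md5crypt"}


def unshadow(passwd_lines: Iterable[str], shadow_lines: Iterable[str]) -> List[str]:
    """Merge like `unshadow PASSWD SHADOW`: for every passwd entry whose user
    also appears in shadow, replace the 'x' in field 2 with the shadow hash."""
    shadow: Dict[str, str] = {}
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]
    merged: List[str] = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) < 7:        # malformed passwd entry; skip it
            continue
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def hash_type(field: str) -> str:
    """Classify a password field the way John must before it can crack it."""
    if field == "":
        return "empty"             # no password at all: a finding in itself
    if field == "x":
        return "shadowed"          # hash lives in /etc/shadow, not merged yet
    if field[0] in "*!":
        return "locked"            # account has no usable password hash
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), f"unknown ${m.group(1)}$")
    if len(field) == 13:
        return "descrypt"
    return "unknown"


def audit(merged_lines: Iterable[str]) -> Dict[str, Tuple[str, bool]]:
    """Map user -> (hash type, flagged as weak) for a defender's review."""
    report: Dict[str, Tuple[str, bool]] = {}
    for line in merged_lines:
        user, field = line.split(":")[:2]
        kind = hash_type(field)
        report[user] = (kind, kind in WEAK_TYPES)
    return report


if __name__ == "__main__":
    for user, (kind, weak) in audit(unshadow(PASSWD_LINES, SHADOW_LINES)).items():
        print(f"{user:8} {kind:12} {'WEAK' if weak else ''}")
```

Running the script prints one line per account; in the constructed data only legacy is flagged, because its hash is md5crypt, while john uses sha512crypt and root and daemon are locked. On a real system the merged file needs the same protection as /etc/shadow itself, which is why the usage example later on the page runs unshadow under umask 077.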
Cracking process with John the Ripper

At this point we just need a dictionary file and we can get on with cracking. John comes with its own small password file, located at /usr/share/john/password.lst. I’ve shown the size of that file using the following command.

root@kali:# ls -ltrah /usr/share/john/password.lst

You can use your own password lists too, or download a large one from the Internet (there are dictionary files of terabyte size).

John the Ripper’s cracking modes
Mode descriptions here are short and only cover the basic things. Check other documentation files for information on customizing the modes.
Wordlist mode. This is the simplest cracking mode supported by John. All you need to do is specify a wordlist (a text file containing one word per line) and some password files. You can enable word mangling rules (which are used to modify or “mangle” words producing other likely passwords).
If enabled, all of the rules will be applied to every line in the wordlist file producing multiple candidate passwords from each source word. The wordlist should not contain duplicate lines. John does not sort entries in the wordlist since that would consume a lot of resources and would prevent you from making John try the candidate passwords in the order that you define (with more likely candidate passwords listed first). However, if you don’t list your candidate passwords in a reasonable order, it’d be better if you sort the wordlist alphabetically: with some hash types, John runs a bit faster if each candidate password it tries only differs from the previous one by a few characters. Most wordlists that you may find on the Net are already sorted anyway. On the other hand, if your wordlist is sorted alphabetically, you do not need to bother about some wordlist entries being longer than the maximum supported password length for the hash type you’re cracking. To give an example, for traditional DES-based crypt(3) hashes only the first 8 characters of passwords are significant.
This means that if there are two or more candidate passwords in the wordlist whose first 8 characters are exactly the same, they’re effectively the same 8 character long candidate password which only needs to be tried once. As long as the wordlist is sorted alphabetically, John is smart enough to handle this special case right. In fact, it is recommended that you do not truncate candidate passwords in your wordlist file since the rest of the characters (beyond the length limit of your target hash type) are likely still needed and make a difference if you enable word mangling rules.
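The two points above (sort and de-duplicate the wordlist, but do not truncate it to the hash type’s significant length) are easy to see in code. The following is an added example, not code from the post or from the John the Ripper project: it reproduces the documented preparation step (lowercase, unique, sorted) in Python on a constructed wordlist, and then counts how many distinct candidates traditional DES crypt(3) actually sees, with and without a simple mangling rule applied before and after truncation to 8 characters. The sample words and the reverse rule used are assumptions for the example.

```python
# Added example (not from the original post or the John the Ripper project).
# Reproduces the documented wordlist preparation
#     tr A-Z a-z < SOURCE | sort -u > TARGET
# in Python, then shows why a wordlist must NOT be pre-truncated to the
# 8 significant characters of traditional DES crypt(3) if mangling rules
# are going to be applied.
from typing import Dict, Iterable, List, Set

DES_SIGNIFICANT = 8  # descrypt ignores everything after the 8th character

# Constructed sample wordlist: unsorted, mixed case, with duplicates.
SOURCE_WORDLIST = [
    "Password", "password", "passwordsecure", "Passwords",
    "letmein", "LetMeIn", "summer2019", "summer2020", "qwerty",
]


def prepare_wordlist(words: Iterable[str]) -> List[str]:
    """Lowercase, de-duplicate and sort, like `tr A-Z a-z | sort -u`."""
    return sorted({w.lower() for w in words})


def effective_des_candidates(words: Iterable[str]) -> Set[str]:
    """The distinct candidates descrypt really tests: first 8 chars only.
    Neighbouring entries that share a prefix collapse into one candidate,
    which is what John exploits when the list is sorted."""
    return {w[:DES_SIGNIFICANT] for w in words}


def reverse_rule(word: str) -> str:
    """One simple mangling rule: John's 'r' rule reverses the word."""
    return word[::-1]


def candidates_after_rule(words: Iterable[str], truncate_first: bool) -> Set[str]:
    """Apply the rule, then keep what descrypt compares. If the wordlist was
    truncated *before* mangling, the tail characters are gone and the rule
    produces far fewer distinct candidates."""
    base = [w[:DES_SIGNIFICANT] for w in words] if truncate_first else list(words)
    return {reverse_rule(w)[:DES_SIGNIFICANT] for w in base}


def demo() -> Dict[str, object]:
    prepared = prepare_wordlist(SOURCE_WORDLIST)
    return {
        "prepared": prepared,
        "plain_des": len(effective_des_candidates(prepared)),
        "reversed_full": len(candidates_after_rule(prepared, truncate_first=False)),
        "reversed_truncated": len(candidates_after_rule(prepared, truncate_first=True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed list, seven prepared words collapse to four distinct descrypt candidates when tried as-is, so sorting lets the duplicates be skipped cheaply. Once the reverse rule is applied, the untruncated list still yields seven distinct candidates, but a list truncated to 8 characters beforehand yields only four: the characters beyond the limit were needed after all.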
John The Ripper Windows Tutorial
The recommended way to sort a wordlist for use with the default wordlist rule set is:

tr A-Z a-z < SOURCE | sort -u > TARGET

See the rules documentation for information on writing your own wordlist rules.

“Single crack” mode. This is the mode you should start cracking with. It will use the login names, “GECOS” / “Full Name” fields, and users’ home directory names as candidate passwords, also with a large set of mangling rules applied.
Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), “single crack” mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with “single crack”, and their use is always enabled with this mode.
Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password. Note that running this mode on many password files simultaneously may sometimes get more passwords cracked than it would if you ran it on the individual password files separately.

“Incremental” mode. This is the most powerful cracking mode: it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large (actually, it will terminate if you set a low password length limit or make it use a small charset), and you’ll have to interrupt it earlier. That’s one reason why this mode deals with trigraph frequencies, separately for each character position and for each password length, to crack as many passwords as possible within a limited time.
To use the mode you need a specific definition for the mode’s parameters, including password length limits and the charset to use. These parameters are defined in the configuration file sections called Incremental:MODE, where MODE is any name that you assign to the mode (it’s the name that you will need to specify on John’s command line).
You can either use a pre-defined incremental mode definition or define a custom one. As of version 1.8.0, pre-defined incremental modes are “ASCII” (all 95 printable ASCII characters), “LMASCII” (for use on LM hashes), “Alnum” (all 62 alphanumeric characters), “Alpha” (all 52 letters), “LowerNum” (lowercase letters plus digits, for 36 total), “UpperNum” (uppercase letters plus digits, for 36 total), “LowerSpace” (lowercase letters plus space, for 27 total), “Lower” (lowercase letters), “Upper” (uppercase letters), and “Digits” (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for “LMASCII” (where password portions input to the LM hash halves are assumed to be truncated at length 7) and “Digits” (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20).
Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download. See the documentation for information on defining custom modes.

External mode. You can define an external cracking mode for use with John. This is done with the configuration file sections called List.External:MODE, where MODE is any name that you assign to the mode.
The section should contain program code of some functions that John will use to generate the candidate passwords it tries. The functions are coded in a subset of C and are compiled by John at startup when you request the particular external mode on John’s command line.
What modes should I use?

See the documentation for a reasonable order of cracking modes to use.

John the Ripper usage examples

These examples are to give you some tips on what John’s features can be used for.

Command line

1. First, you need to get a copy of your password file. If your system uses shadow passwords, you may use John’s “unshadow” utility to obtain the traditional Unix password file, as root:

umask 077
unshadow /etc/passwd /etc/shadow > mypasswd

(Replace the filenames as needed.) Then make “mypasswd” available to the non-root user account that you will run John under. No further commands will need to be run as root. If your system is ancient enough that it keeps passwords right in the world-readable /etc/passwd, simply make a copy of that file.
If you’re going to be cracking Kerberos AFS passwords, use John’s “unafs” utility to obtain a passwd-like file. Similarly, if you’re going to be cracking Windows passwords, use any of the many utilities that dump Windows password hashes (LM and/or NTLM) in Jeremy Allison’s PWDUMP output format. Several such utilities are freely available.

2. Now, let’s assume you’ve got a password file, “mypasswd”, and want to crack it. The simplest way is to let John use its default order of cracking modes:

john mypasswd

This will try “single crack” mode first, then use a wordlist with rules, and finally go for “incremental” mode. Refer to the mode descriptions above for more information on these modes.
It is highly recommended that you obtain a larger wordlist than John’s default password.lst and edit the “Wordlist = ” line in the configuration file before running John. Of the wordlists available in the John the Ripper project’s wordlist collection, all.lst (downloadable as all.gz) and huge.lst (only available on the CD) are good candidates for the “Wordlist = ” setting.
3. If you’ve got some passwords cracked, they are stored in $JOHN/john.pot. The john.pot file is not meant to be human-friendly. You should be using John itself to display the contents of its “pot file” in a convenient format:

john --show mypasswd

If the account list gets large and doesn’t fit on the screen, you should, of course, use your shell’s output redirection.

4. You might notice that many accounts have a disabled shell. You can make John skip those in the report.