Using John The Ripper To Crack Password Hashes

When To Use John The Ripper

John the Ripper is an offline password cracker. In other words, it tries to find passwords from captured files without having to interact with the target. By doing this, it does not generate suspicious traffic since the process is generally performed locally, on the attacker’s machine.

How to Download John The Ripper

John the Ripper is a free open-source project. You can download it for free from the Openwall website or from its official Github repository. You should make sure to download the correct package for your OS.

locate john

Getting Started

Once you’ve successfully downloaded and installed John, you can launch it by typing the name of the binary file on your command prompt followed by a password file.

./john passwordFile

John’s Cracking Modes

When attempting to crack a password file using John the Ripper, the first thing you need to consider is how should John go about performing the cracking process.

Wordlist Mode

This is the most common way to use John the Ripper. In this mode, you can specify a path to a wordlist file that contains a list of possible passwords. John will test all the words contained in that wordlist and check if the correct password is present there. This process is what is known as a Dictionary Attack.

./john --wordlist=/usr/share/wordlists/rockyou.txt passwordFile

Single Crack Mode

The single crack mode is generally used when trying to crack Unix passwords. It takes advantage of the GECOS fields present in the passwd file. These GECOS fields normally contain information about the user, such as their username and their full name.

unshadow /etc/passwd /etc/shadow > passwordFile
./john --single passwordFile

Incremental Mode

This is John’s brute force mode. When enabled, John will try every possible combination of characters within the specified charset and password length limit.

[Incremental:Alpha]
File = $JOHN/alpha.chr
MinLen = 1
MaxLen = 13
CharCount = 52
./john --incremental=Digits passwordFile

Hash Formats

By default, John the Ripper detects the hash type and then tries to crack the password based on that type. However, John can sometimes miss the correct type. In this case, it would be better to bypass the automatic hash detection and manually specify the type. To do so, you can use the ‘--format ‘ option followed by the hash type.

./john --format=Raw-MD5 passwordFile
./john --list=formats

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store