Using John The Ripper To Crack Password Hashes

Every self-respecting pentester should have a powerful password cracker in their toolkit, and John the Ripper is simply the best cracker out there.

Initially released in 1996 by Openwall, John the Ripper has grown to become the preferred password cracker for hackers and pentesters and a reliable tool used by auditors to spot weak passwords.

In this article, we will learn how to perform basic password cracking using John the Ripper.

When To Use John The Ripper

Although it’s primarily used to crack password hashes, John can also be used to crack password-protected archive files, encrypted private keys, and more.

How to Download John The Ripper

If you have Kali Linux, then john should already be installed. You can find the correct location of the binary file by running the locate command.

locate john

Getting Started

In the below example, passwordFile is a file that contains a list of password hashes that we want to crack.

./john passwordFile

This is the most basic command that you can use. Since we have not specified any parameter other than the password file, John will try to crack this file using the default options.

Although this is the simplest and easiest way to use John, it will not necessarily provide the desired results. For this, we have to specify additional options.

John’s Cracking Modes

John has three main cracking modes that you can choose from. Let’s see what each of these modes does.

Wordlist Mode

In wordlist mode, John reads candidate passwords from a file and tries each one against the hashes. It is important that the wordlist contains one password per line; otherwise, John the Ripper will not process it correctly.

In the example below, I am using the ‘--wordlist’ option to specify the path to the wordlist file, which is ‘/usr/share/wordlists/rockyou.txt’. If the correct password is in that file, John will display it.

./john --wordlist=/usr/share/wordlists/rockyou.txt passwordFile

* ‘passwordFile’ is the text file that contains the password hashes that we want to crack.

To increase the chances of finding a correct password, you can enable the wordlist mode with mangling rules. By doing this, John will slightly modify each word in the wordlist. This will result in new likely passwords that aren’t necessarily present in the wordlist, and thus it will increase your chances of finding the correct one.

To enable mangling rules, you can use the ‘--rules’ option. However, you should note that this takes longer to process the wordlist, since every word is expanded into many candidates.
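To show what a rules run adds over the plain wordlist, here is a small Python example (added for this article, not code from John or from its author) that applies a hand-written subset of the classic mangling transforms to a constructed three-word list, then uses the result in two defender-side ways: auditing a set of unsalted MD5 hashes, and rejecting a proposed password that is just a mangled dictionary word. The word list, the hashes and the rule set are all constructed here; they are not John’s rule engine or its rule syntax.

```python
import hashlib

# Constructed sample wordlist for this example (stands in for rockyou.txt).
BASE_WORDS = ["summer", "password", "dragon"]

# Simple leet substitutions, one of the classic mangling transforms.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def mangle(word):
    """Yield the bare word plus variants in the spirit of John's --rules:
    capitalised, upper-cased, reversed, leet-substituted, each with a short
    digit, year or symbol suffix.  Hand-written subset for illustration only;
    it is not John's rule engine and does not use its rule syntax."""
    seen = set()
    bases = [word, word.capitalize(), word.upper(), word[::-1], word.translate(LEET)]
    suffixes = [""] + [str(d) for d in range(10)] + ["123", "!", "2021"]
    for base in bases:
        for suffix in suffixes:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def md5_hex(text):
    """Unsalted MD5 of a string, the hash type the article's Raw-MD5 example uses."""
    return hashlib.md5(text.encode()).hexdigest()


def audit(hashes, words):
    """Return {hash: plaintext} for each unsalted MD5 hash that equals a mangled
    variant of a word in `words`; hashes absent from the result were not matched."""
    table = {}
    for word in words:
        for candidate in mangle(word):
            table[md5_hex(candidate)] = candidate
    return {h: table[h] for h in hashes if h in table}


def violates_policy(password, words):
    """True when a proposed password is a plain or mangled dictionary word, i.e.
    it would fall to a wordlist run with rules and should be refused at set time."""
    return any(password == candidate for word in words for candidate in mangle(word))


# Constructed hashes: two mangled dictionary words and one long passphrase.
SAMPLE_HASHES = [md5_hex("Summer2021"), md5_hex("dr4g0n1"),
                 md5_hex("correct horse battery staple")]

if __name__ == "__main__":
    for h, plain in audit(SAMPLE_HASHES, BASE_WORDS).items():
        print(f"{h}  ->  {plain}")
    print("Password123 allowed:", not violates_policy("Password123", BASE_WORDS))
```

Run as a script, it recovers ‘Summer2021’ and ‘dr4g0n1’ from the sample hashes, leaves the passphrase hash unmatched, and refuses ‘Password123’. Three base words already expand to well over a hundred candidates, which is why a rules run takes noticeably longer than the bare wordlist and why a policy check should test mangled variants, not just the dictionary itself.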

Single Crack Mode

In single crack mode, John uses each account’s login name, GECOS (full name) field, and home directory name as its starting material. It generates a list of candidate passwords from these fields and, by applying an extensive set of mangling rules (which John does by default in single crack mode), customizes the generated list to each user.

To enable Single Crack mode, you can simply use the ‘--single’ option.

You should note that, when no mode is specified, John by default starts with single crack mode, then the wordlist mode, before ending with the incremental mode (which we’ll see in the coming section).

To better illustrate this mode, let’s see an example of how you would crack the passwords of a Unix system.

Example

The classic file where Unix systems store information about users is ‘/etc/passwd’. However, almost all Unix systems store the password hashes in a separate, root-only file, ‘/etc/shadow’.

Now, in order to have a single file with both the GECOS fields and the password hashes, we can use the ‘unshadow’ utility that comes with John.

You can do so by running the following command:

unshadow /etc/passwd /etc/shadow > passwordFile

The above command will save the generated file in the current directory under the name ‘passwordFile’.

Once we have our password file, we can run John with the single crack mode.

./john --single passwordFile
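To make the unshadow step and the single-crack inputs concrete, here is a Python example added for this article (not John’s own unshadow code) that merges constructed ‘/etc/passwd’ and ‘/etc/shadow’ lines the same way, flags the entries that carry no usable hash, and lists the words single crack mode starts from for each account. Every account, salt and hash body in the sample text is made up; the PLACEHOLDER strings are not real hashes.

```python
# Constructed sample files in /etc/passwd and /etc/shadow layout.  Accounts,
# salts and the hash bodies (PLACEHOLDER...) are made up for this example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Builder:/home/bob:/bin/zsh
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERROOTHASH:18807:0:99999:7:::
daemon:*:18807:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERALICEHASH:18807:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERBOBHASH:18807:0:99999:7:::
"""


def parse_shadow(text):
    """Map login name -> password field (second field of each /etc/shadow line)."""
    hashes = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text):
    """Mirror what John's unshadow does: put each account's shadow hash in place
    of the 'x' in its /etc/passwd line so hash and GECOS field sit on one line."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def has_usable_hash(merged_line):
    """False for entries that carry no crackable hash: '*' or empty (no password
    login) and a leading '!' (account locked, e.g. with passwd -l)."""
    pw = merged_line.split(":")[1]
    return bool(pw) and pw != "*" and not pw.startswith("!")


def single_mode_seeds(merged_line):
    """Words single crack mode starts from for an account: the login name, the
    words of the GECOS field (the part before the first comma) and the last
    component of the home directory."""
    fields = merged_line.split(":")
    login, gecos, home = fields[0], fields[4], fields[5]
    seeds = [login] + gecos.split(",")[0].split() + [home.rstrip("/").rsplit("/", 1)[-1]]
    return list(dict.fromkeys(seeds))  # de-duplicate, keep order


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        flag = "hash" if has_usable_hash(line) else "skip"
        print(flag, line.split(":")[0], single_mode_seeds(line))
```

The output marks ‘daemon’ and the locked ‘bob’ as entries with nothing to crack, and shows that for ‘alice’ the seeds are her login name and the two words of her full name. When you audit a system this way, accounts whose GECOS words crack the hash are the ones to report first: the password was derived from information that is readable by every local user.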

Incremental Mode

To enable the incremental mode, you can use the ‘--incremental’ option followed by the name of the mode to use. The mode name selects the character set to try and the minimum and maximum password length.

John comes with some predefined incremental modes. To choose the mode that best suits your purposes, you can check the ‘john.conf’ file where the settings for John the Ripper are stored.

Here is an example of the Alpha mode taken from ‘john.conf’:

[Incremental:Alpha]
File = $JOHN/alpha.chr
MinLen = 1
MaxLen = 13
CharCount = 52

The Alpha mode, as defined in this config, can crack passwords ranging from 1 to 13 characters in length, and with a charset of 52 possible characters.

Other predefined modes that you can find in the config file include: ASCII (all printable ASCII characters), Alnum (all alphanumeric characters), Lower (only lowercase letters), and Digits (only digits).
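The three numbers in a stanza bound how much work an incremental run can do, and it is worth being able to read that off the config. The Python example below is added for this article (not part of John) and does two things: it parses the ‘[Incremental:NAME]’ stanzas out of a constructed excerpt in john.conf layout, and it computes the size of each mode’s keyspace, the sum of CharCount^n for n from MinLen to MaxLen. The Alpha stanza is the one quoted above; the Digits stanza’s values and the hash rate used in the printout are assumptions for illustration, not figures from the article.

```python
# Constructed excerpt in john.conf layout.  The Alpha stanza is the one quoted
# in the article; the Digits stanza's values are assumed for this example.
JOHN_CONF = """\
[Incremental:Alpha]
File = $JOHN/alpha.chr
MinLen = 1
MaxLen = 13
CharCount = 52

[Incremental:Digits]
File = $JOHN/digits.chr
MinLen = 1
MaxLen = 20
CharCount = 10
"""


def parse_incremental_modes(conf_text):
    """Return {mode_name: {key: value}} for each [Incremental:NAME] stanza.
    Minimal parser for the 'Key = Value' lines used by these stanzas; it
    ignores other section types and the rest of john.conf's syntax."""
    modes, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in john.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            current = section.split(":", 1)[1] if section.startswith("Incremental:") else None
            if current:
                modes[current] = {}
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            modes[current][key] = int(value) if value.isdigit() else value
    return modes


def keyspace(min_len, max_len, char_count):
    """Number of candidate strings of length min_len..max_len over a charset of
    char_count symbols: the sum of char_count**n.  This is the upper bound on
    what the mode can enumerate; the .chr file only changes the order."""
    return sum(char_count ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space, rate_per_second):
    """Worst-case time to enumerate `space` candidates at a given hash rate."""
    return space / rate_per_second


if __name__ == "__main__":
    # Illustrative rate only; measure your own with ./john --test.
    RATE = 1e9
    for name, m in parse_incremental_modes(JOHN_CONF).items():
        space = keyspace(m["MinLen"], m["MaxLen"], m["CharCount"])
        years = seconds_to_exhaust(space, RATE) / (365 * 24 * 3600)
        print(f"{name}: {space:.3e} candidates, {years:.2e} years at {RATE:.0e}/s")
```

For Alpha the keyspace is about 2e22 candidates, so even at a billion hashes per second the full run is measured in hundreds of thousands of years; in practice incremental mode finds short or heavily patterned passwords early and never finishes. For the defender this is the quantitative argument for length: each extra character multiplies the work by CharCount, while a slow hash such as bcrypt divides the rate.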

If you can’t find an incremental mode that fits your needs, you can add it in the config. If you decide to do so, I invite you to read the official documentation about how to customize John the Ripper.

The following command will try to crack the passwords using the Digits incremental mode.

./john --incremental=Digits passwordFile

Hash Formats

John tries to detect the hash type from the hashes in the file, but when that detection is wrong or ambiguous you can force it with the ‘--format’ option. For example, the following command will crack the MD5 hashes contained in passwordFile:

./john --format=Raw-MD5 passwordFile

To get the list of all supported hash formats, you can run the following command:

./john --list=formats
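Picking the right ‘--format’ value means recognising what shape of hash you have, and some shapes are ambiguous: an unsalted MD5 and an NT hash are both 32 hex digits. The Python example below is added for this article (not part of John) and classifies hash strings by their shape, reads the hash out of the three line layouts John accepts (‘hash’, ‘user:hash’, and the unshadow layout ‘user:hash:uid:…’), and totals a constructed passwordFile by candidate format. The format names are the ones I know from John the Ripper jumbo, with Raw-MD5 being the one used above; confirm them against ‘./john --list=formats’ on your build. The hash bodies in the sample are placeholders of the right length, not real hashes.

```python
import re

# Hash-string shapes and the John jumbo format(s) that handle each shape.
# Names are as I know them from John jumbo; confirm with ./john --list=formats.
SIGNATURES = [
    (re.compile(r"^\$6\$[^$]+\$"),      ["sha512crypt"],    "salted, iterated"),
    (re.compile(r"^\$5\$[^$]+\$"),      ["sha256crypt"],    "salted, iterated"),
    (re.compile(r"^\$1\$[^$]+\$"),      ["md5crypt"],       "salted, iterated"),
    (re.compile(r"^\$2[aby]\$\d\d\$"),  ["bcrypt"],         "salted, iterated, cost-tunable"),
    (re.compile(r"^[0-9a-fA-F]{32}$"),  ["Raw-MD5", "NT"],  "unsalted, fast, ambiguous"),
    (re.compile(r"^[0-9a-fA-F]{40}$"),  ["Raw-SHA1"],       "unsalted, fast"),
    (re.compile(r"^[0-9a-fA-F]{64}$"),  ["Raw-SHA256"],     "unsalted, fast"),
]


def hash_field(line):
    """Pull the hash out of a passwordFile line: 'hash', 'user:hash' and the
    unshadow layout 'user:hash:uid:...' all keep the hash in the same place."""
    fields = line.strip().split(":")
    return fields[1] if len(fields) > 1 else fields[0]


def identify(hash_string):
    """Return (candidate --format names, note) for a hash string, or
    ([], 'unknown') when no known shape matches."""
    for pattern, formats, note in SIGNATURES:
        if pattern.match(hash_string):
            return formats, note
    return [], "unknown"


def summarize(password_file_text):
    """Count lines per candidate format so you know which --format values to
    run, and which lines are ambiguous and need the flag."""
    counts = {}
    for line in password_file_text.splitlines():
        if not line.strip():
            continue
        formats, _ = identify(hash_field(line))
        key = "/".join(formats) or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample passwordFile: hash bodies are placeholders of the right shape.
SAMPLE_FILE = """\
alice:$6$saltsalt$PLACEHOLDERSHA512CRYPTBODY
bob:00112233445566778899aabbccddeeff
carol:$2b$12$PLACEHOLDERBCRYPTSALTANDHASHBODY
dave:0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line in SAMPLE_FILE.splitlines():
        formats, note = identify(hash_field(line))
        print(f"{line.split(':')[0]:8s} {'/'.join(formats) or 'unknown':16s} {note}")
    print(summarize(SAMPLE_FILE))
```

When the summary shows a mixed file, run John once per format rather than once over everything, since a single run only handles one format. The note column is the auditing takeaway: unsalted fast hashes such as Raw-MD5 and NT are the ones where a wordlist with rules gets through quickly, while the crypt-style and bcrypt entries slow every guess down by design.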

You now have all the basics that you need to start cracking passwords using John the Ripper. Of course, John has other features that we haven’t covered here, so if you want a more complete learning material, I invite you to check the official documentation.

Originally published at https://patchthenet.com on June 29, 2021.

A cybersecurity enthusiast, and founder @ Patchthenet.com