For optimized display of this website, it is recommended to use a free and secure browser: Firefox. Tell Me Why!

Home · Hacking · Tutorials · How To Use John The Ripper To Crack Hashes And Passwords

How To Use John The Ripper To Crack Hashes And Passwords

John The Ripper, also known as "JTR", is an essential tool in a hacker or a cracker's arsenal. JTR is a powerful and fast command line tool to crack passwords and hashes. JTR is capable of bruteforcing an impressive number of algorithms, including MD5, DES, Blowfish and more. When you manage to obtain a password from a database, 9 times out of 10 you will only get the hash (most often a MD5 hash) which is unexploitable unless it is decrypted. JTR is "your man", and provided you have a powerful enough computer, it can do the task in very little time.
The problem is that for the less computer savvy, using JTR can be a little tedious, from its installation to the use of command lines. This tutorial is meant to deflate the common idea that John The Ripper is hard to use and help you understand how it works. Let's dive in and see how to install it, and how it can be used...

Disclaimer: the content of this article is meant for educational purposes only. This tutorial is intended mostly for users who wish to recover their password themselves, and for curious people who wish to learn how password recovery works. Under Your Hat Security does not condone password cracking for illegitimate purposes. Neither I, nor my web host will be held responsible for what you decide to do with this knowledge.

Note: Do NOT be scared by the length of this tutorial. The length of the article can be explained by the fact that it is very detailed and complete. However, the content is fairly easy to understand so bear with me and follow the steps!

Installation / Compiling The Sources

JTR is a free tool currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS (for those who weren't sure, that includes Mac OS X and Linux). It can be downloaded here. Go to this page, and download the version corresponding to your operating system.

Start by extracting the content of the downloaded archive to your Desktop of the folder of your choice, then rename the folder "John" to make the following steps easier.

The first important step is to build/compile the software yourself. It might seem difficult, but just follow the instructions below and you will be fine!

Open a Terminal window (for those who use Mac OS X or Linux. On OS X, Terminal is located in Applications > Utilities > Terminal.app) or a Command prompt (for those using Windows. Go to the Start menu, click Run, type 'command' (no quotes) and press enter).

Enter the directory that you just renamed "john." Enter the "src" subdirectory ("src" stands for "source") and invoke make to obtain a list of operating systems for which specific support exists.

To do this, the easiest way is to type cd, and then drag and drop the folder "src" onto the Terminal window.
Otherwise, you can type the full path to your src directory manually. Please note that there is no need to type ~username$ (where username is the name of the account you are using on your computer), as it will be displayed in the Terminal window. The instruction you need to type is what comes after ~username$. On Mac OS X, the command would look something like this:

~username$ cd /Users/underurhat/Desktop/john/src

On Windows, it would look more like:

~username$ cd UsersunderurhatDesktopjohnsrc

Now in the Terminal window, type:

~username$ make

You will see an entire list of systems appear in the Terminal window, that is completely normal. It is meant for you to choose the most appropriate target. Note the make target corresponding to your system and type:

~username$ make clean SYSTEM

where SYSTEM is the appropriate make target for your system. For instance if you are using a recent Mac, your command may look like the following:

src username$ make macosx-x86-sse2

Alternatively, if your system is not listed, or if you are unsure which one to use, just use the following command line:

make clean generic

If everything goes well, this will create the executables for John and its related utilities in the foler john/run/.

To launch John The Ripper, you can change the directory in Terminal with the following command:

$ cd ../run
./john --test

Alternatively, you may copy the entire "run" directory to anywhere you like and use John from there. That's it, you are done with the compilation part and you already knocked down the most annoying step!

How To Use John The Ripper

Basics Of Command Line Instructions

The usual format used in John The Ripper goes as follows:

path/to/johns/executable optionalInstruction formatToUse path/to/hash/or/password/to/crack

Cracking An MD5 Hash With John

For this tutorial, we will focus on cracking an MD5 hash. In this scenario, you already have in your possession a hash which you pulled from a database, for instance. As is, the hash is unusable and it needs to be decrypted to recover the original password and be able to eventually log in. This is what we are about to do here.

An MD5 hash is technically impossible to reverse, as it is a one-way encryption algorithm, serving as a sort of "fingerprint" of a file or string. However, John The Ripper's approach is to grab that hash, try different possibilities and compare, until the tested names correspond to the hash being used. This technique is called brute-forcing. In this particular tutorial, we will let John do all the work, but it is possible to create word lists and have John compare the hash against all the words in your list (we will talk tackle this technique below).

MD5 hashes are invariably composed of 32 characters, including letters and digits. As an example, we will use the username 'admin' and the hash '5f4dcc3b5aa765d61d8327deb882cf99.'

The first step is to open your text editor and create a plain text file containing the username and the hash in the following format:

username:thehashofthepassword

which in our case would be:

admin:5f4dcc3b5aa765d61d8327deb882cf99

Name the file "pass.txt" or something of the kind. Now start John The Ripper, you want to look for an executable called "john" in the subfolder "run", as shown in the screenshot below:

John The Ripper Executable

Drag and drop this executable onto the Terminal window (or type its full path manually). This tells the Terminal that it will need to launch the executable called "john" located at the path indicated.

Next, we need to help john to speed up the process by telling it what kind of algorithm we are trying to crack. It just so happens that we know it is an MD5 hash, so we will use the command --format=raw-MD5.
Then, we want to tell john to show us the password once it is cracked, so we will use the command --show.
Of course, we need to feed john the password hash itself, so it knows what it is supposed to crack: we just have to drag and drop the pass.txt file we created earlier onto the Terminal window, or type its full path, so that the command now looks like this:

src username$ /Users/underurhat/Desktop/john/run/john --format=raw-MD5 /Users/underurhat/Desktop/pass.txt

Note that each instruction is always separated by a single space only.

It is now time to start the brute-forcing process by clicking Enter on your keyboard. The particular hash we are using is a very common (and stupid) password, which makes the process almost instantaneous. Terminal shows something like below:

admin:password
1 password hash cracked, 0 left

This is indeed what we were looking for... our password is "password"!

Note: The process of cracking this hash, which took less than a second, may help you realize the importance of using a combination of uppercase characters, lowercase characters, digits, and avoid common dictionary nouns in your passwords. Tools such as John The Ripper, when used without a word list, will always try the most common passwords first, and most of the time succeed very rapidly!


This is the first and most basic technique to brute-force a hash, but JTR can be used for more evolved tasks, and it offers a number of different options. We will not study them all in this tutorial in order to keep it short, but the official JTR website contains multiple great resources on how to use other options with John.

More Options And Uses Of JTR

Using Wordlists

The use of word lists in JTR are an efficient way to crack, and most of the time it accelerates the cracking process. The downfall is that word lists are often hard to come by. Instead, you can create your own word lists automatically with tools such RbCafe's Cryptix (Googling "make word list for john the ripper" or similar keywords will most likely help you find the appropriate tool for your system).

To find out how to use JTR with wordlists, please read below.

Other Usage of JTR

To run John, you need to supply it with some password files and optionally specify a cracking mode, like this, using the default order of modes and assuming that "passwd" is a copy of your password file:

john passwd

or, to restrict it to the wordlist mode only, but permitting the use of word mangling rules:

john --wordlist=password.lst --rules passwd

Cracked passwords will be printed to the terminal and saved in the file called $JOHN/john.pot (in the documentation and in the configuration file for John, "$JOHN" refers to John's "home directory"; which directory it really is depends on how you installed John). The $JOHN/john.pot file is also used to not load password hashes that you already cracked when you run John the next time.

To retrieve the cracked passwords, run:

john --show passwd

While cracking, you can press any key for status, or Ctrl-C to abort the session saving its state to a file ($JOHN/john.rec by default). If you press Ctrl-C for a second time before John had a chance to handle your first Ctrl-C, John will abort immediately without saving. By default, the state is also saved every 10 minutes to permit for recovery in case of a crash.

To continue an interrupted session, run:

john --restore

These are just the most essential things you can do with John. For a complete list of command line options and for more complicated usage examples, you should refer to OPTIONS and EXAMPLES, respectively.

Documentation

John The Ripper's website offers a very complete documentation on the different uses and options that the program offers, and I highly recommend to take a look at it, depending on what you are trying to achieve. Below is a list of links to the official documentation (which, if you understood the above tutorial, should be easily understandable for you):

  • INSTALL - installation instructions
  • OPTIONS - command line options and additional utilities
  • MODES - cracking modes: what they are
  • CONFIG (*) - how to customize
  • RULES (*) - wordlist rules syntax
  • EXTERNAL (*) - defining an external mode
  • EXAMPLES - usage examples - strongly recommended
  • FAQ - guess
(*) most users can safely skip these.

Note: This tutorial also appears in the Cryptography Section.



Comments

Comment By PheNIX | 28.07.2012

excellent article, very well explained. my test hash took a while to crack though, because it was a complicated password.

Comment By PheNIX | 28.07.2012

by the way I sent you an email to see if I can write an article for you :)

Comment By Under Your Hat Admin | 28.07.2012

Hashes can take a long time to crack indeed, but it depends on several elements. Your CPU's speed, the length of the password and what it actually contains. If it has uppercase, lowercase, digits and special chars in it, you may be looking at hours or days before JTR comes up with a cracked hash. In that case, testing against a word list may be pretty useless... you have a better chance to just google it and hope that one of those MD5 cracking websites already has that password in their database! But if your first attempt does not work, you can also try a different mode in JTR.

Comment By OutkAsT | 22.09.2012

finally a good simple tutorial for this crappy software, its so hard to use!

:

:

: