How To Use John The Ripper To Crack Hashes And PasswordsJohn The Ripper, also known as "JTR", is an essential tool in a hacker or a cracker's arsenal. JTR is a powerful and fast command line tool to crack passwords and hashes. JTR is capable of bruteforcing an impressive number of algorithms, including MD5, DES, Blowfish and more. When you manage to obtain a password from a database, 9 times out of 10 you will only get the hash (most often a MD5 hash) which is unexploitable unless it is decrypted. JTR is "your man", and provided you have a powerful enough computer, it can do the task in very little time.
The problem is that for the less computer savvy, using JTR can be a little tedious, from its installation to the use of command lines. This tutorial is meant to deflate the common idea that John The Ripper is hard to use and help you understand how it works. Let's dive in and see how to install it, and how it can be used...
Disclaimer: the content of this article is meant for educational purposes only. This tutorial is intended mostly for users who wish to recover their password themselves, and for curious people who wish to learn how password recovery works. Under Your Hat Security does not condone password cracking for illegitimate purposes. Neither I, nor my web host will be held responsible for what you decide to do with this knowledge.
Note: Do NOT be scared by the length of this tutorial. The length of the article can be explained by the fact that it is very detailed and complete. However, the content is fairly easy to understand so bear with me and follow the steps!
Installation / Compiling The SourcesJTR is a free tool currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS (for those who weren't sure, that includes Mac OS X and Linux). It can be downloaded here. Go to this page, and download the version corresponding to your operating system.
Start by extracting the content of the downloaded archive to your Desktop of the folder of your choice, then rename the folder "John" to make the following steps easier.
The first important step is to build/compile the software yourself. It might seem difficult, but just follow the instructions below and you will be fine!
Open a Terminal window (for those who use Mac OS X or Linux. On OS X, Terminal is located in Applications > Utilities > Terminal.app) or a Command prompt (for those using Windows. Go to the Start menu, click Run, type 'command' (no quotes) and press enter).
Enter the directory that you just renamed "john." Enter the "src" subdirectory ("src" stands for "source") and invoke make to obtain a list of operating systems for which specific support exists.
To do this, the easiest way is to type cd, and then drag and drop the folder "src" onto the Terminal window.
Otherwise, you can type the full path to your src directory manually. Please note that there is no need to type ~username$ (where username is the name of the account you are using on your computer), as it will be displayed in the Terminal window. The instruction you need to type is what comes after ~username$. On Mac OS X, the command would look something like this:
~username$ cd /Users/underurhat/Desktop/john/src
On Windows, it would look more like:
~username$ cd UsersunderurhatDesktopjohnsrc
Now in the Terminal window, type:
You will see an entire list of systems appear in the Terminal window, that is completely normal. It is meant for you to choose the most appropriate target. Note the make target corresponding to your system and type:
~username$ make clean SYSTEM
where SYSTEM is the appropriate make target for your system. For instance if you are using a recent Mac, your command may look like the following:
src username$ make macosx-x86-sse2
Alternatively, if your system is not listed, or if you are unsure which one to use, just use the following command line:
make clean generic
If everything goes well, this will create the executables for John and its related utilities in the foler john/run/.
To launch John The Ripper, you can change the directory in Terminal with the following command:
$ cd ../run ./john --test
Alternatively, you may copy the entire "run" directory to anywhere you like and use John from there. That's it, you are done with the compilation part and you already knocked down the most annoying step!
How To Use John The Ripper
Basics Of Command Line InstructionsThe usual format used in John The Ripper goes as follows:
path/to/johns/executable optionalInstruction formatToUse path/to/hash/or/password/to/crack
Cracking An MD5 Hash With JohnFor this tutorial, we will focus on cracking an MD5 hash. In this scenario, you already have in your possession a hash which you pulled from a database, for instance. As is, the hash is unusable and it needs to be decrypted to recover the original password and be able to eventually log in. This is what we are about to do here.
An MD5 hash is technically impossible to reverse, as it is a one-way encryption algorithm, serving as a sort of "fingerprint" of a file or string. However, John The Ripper's approach is to grab that hash, try different possibilities and compare, until the tested names correspond to the hash being used. This technique is called brute-forcing. In this particular tutorial, we will let John do all the work, but it is possible to create word lists and have John compare the hash against all the words in your list (we will talk tackle this technique below).
MD5 hashes are invariably composed of 32 characters, including letters and digits. As an example, we will use the username 'admin' and the hash '5f4dcc3b5aa765d61d8327deb882cf99.'
The first step is to open your text editor and create a plain text file containing the username and the hash in the following format:
which in our case would be:
Name the file "pass.txt" or something of the kind. Now start John The Ripper, you want to look for an executable called "john" in the subfolder "run", as shown in the screenshot below:
Drag and drop this executable onto the Terminal window (or type its full path manually). This tells the Terminal that it will need to launch the executable called "john" located at the path indicated.
Next, we need to help john to speed up the process by telling it what kind of algorithm we are trying to crack. It just so happens that we know it is an MD5 hash, so we will use the command --format=raw-MD5.
Then, we want to tell john to show us the password once it is cracked, so we will use the command --show.
Of course, we need to feed john the password hash itself, so it knows what it is supposed to crack: we just have to drag and drop the pass.txt file we created earlier onto the Terminal window, or type its full path, so that the command now looks like this:
src username$ /Users/underurhat/Desktop/john/run/john --format=raw-MD5 /Users/underurhat/Desktop/pass.txt
Note that each instruction is always separated by a single space only.
It is now time to start the brute-forcing process by clicking Enter on your keyboard. The particular hash we are using is a very common (and stupid) password, which makes the process almost instantaneous. Terminal shows something like below:
admin:password 1 password hash cracked, 0 left
This is indeed what we were looking for... our password is "password"!
Note: The process of cracking this hash, which took less than a second, may help you realize the importance of using a combination of uppercase characters, lowercase characters, digits, and avoid common dictionary nouns in your passwords. Tools such as John The Ripper, when used without a word list, will always try the most common passwords first, and most of the time succeed very rapidly!
This is the first and most basic technique to brute-force a hash, but JTR can be used for more evolved tasks, and it offers a number of different options. We will not study them all in this tutorial in order to keep it short, but the official JTR website contains multiple great resources on how to use other options with John.
More Options And Uses Of JTR
Using WordlistsThe use of word lists in JTR are an efficient way to crack, and most of the time it accelerates the cracking process. The downfall is that word lists are often hard to come by. Instead, you can create your own word lists automatically with tools such RbCafe's Cryptix (Googling "make word list for john the ripper" or similar keywords will most likely help you find the appropriate tool for your system).
To find out how to use JTR with wordlists, please read below.
Other Usage of JTRTo run John, you need to supply it with some password files and optionally specify a cracking mode, like this, using the default order of modes and assuming that "passwd" is a copy of your password file:
or, to restrict it to the wordlist mode only, but permitting the use of word mangling rules:
john --wordlist=password.lst --rules passwd
Cracked passwords will be printed to the terminal and saved in the file called $JOHN/john.pot (in the documentation and in the configuration file for John, "$JOHN" refers to John's "home directory"; which directory it really is depends on how you installed John). The $JOHN/john.pot file is also used to not load password hashes that you already cracked when you run John the next time.
To retrieve the cracked passwords, run:
john --show passwd
While cracking, you can press any key for status, or Ctrl-C to abort the session saving its state to a file ($JOHN/john.rec by default). If you press Ctrl-C for a second time before John had a chance to handle your first Ctrl-C, John will abort immediately without saving. By default, the state is also saved every 10 minutes to permit for recovery in case of a crash.
To continue an interrupted session, run:
These are just the most essential things you can do with John. For a complete list of command line options and for more complicated usage examples, you should refer to OPTIONS and EXAMPLES, respectively.
DocumentationJohn The Ripper's website offers a very complete documentation on the different uses and options that the program offers, and I highly recommend to take a look at it, depending on what you are trying to achieve. Below is a list of links to the official documentation (which, if you understood the above tutorial, should be easily understandable for you):
- INSTALL - installation instructions
- OPTIONS - command line options and additional utilities
- MODES - cracking modes: what they are
- CONFIG (*) - how to customize
- RULES (*) - wordlist rules syntax
- EXTERNAL (*) - defining an external mode
- EXAMPLES - usage examples - strongly recommended
- FAQ - guess
Note: This tutorial also appears in the Cryptography Section.