In this article we describe how to crack password hashes with John the Ripper (JtR). It is not unheard of to come across a file containing password hashes during a penetration testing engagement. This can be a gold mine if you can crack the password hashes.
John the Ripper is a fantastic tool for ripping apart password hashes. Check out the full documentation here. Let us first take a look at how the tool works.
How does John the Ripper work?
John the Ripper is a password cracking tool capable or breaking a variety of hash types. When combined with a hefty word list such as the infamous rockyou.txt, the tool can make short work of simple passwords. John the Ripper determines the hash type of the password file and then attempts to find a match for those hashes.
This tool also highlights the importance of choosing a strong randomized password. Cracking passwords found in a word list is 10-fold faster than running an incremental brute-force attack.
By default the tool is capable of breaking the following hashes. If you need to break a hash that is not on the list, check the Internet. Given that JtR is open-source software it is likely someone has developed an extension capable of processing your hash type.
- UNIX crypt(3)
- Traditional DES-based
- BSDI extended DES-based
- FreeBSD MD5-based
- OpenBSD Blowfish-based
- Windows LM (DES-based)
- DES-based tripcodes
- SHA-crypt hashes
What is John the Ripper used for?
John the Ripper is used by security professionals to crack password hashes. During a penetration testing engagement it is not uncommon to get your hands on a file containing hashed passwords. In order to make use of these passwords the hashes must first be broken. Lets start by getting a copy installed.
How to download John the Ripper?
Before we jump in, you will need to download a copy of John the Ripper. If you are using Kali Linux it is likely you already have a copy installed. This is the easiest method as it keeps all of your penetration testing tools in a single place.
JtR is open-source software so you can also head over to the Github repository and download the source yourself.
Tutorials for using John the Ripper
Now that we have a copy of John the Ripper downloaded and installed we can jump into some basic commands.
You can run the following command at any time to list the built-in help:
To actually crack passwords we need to provide a file of password hashes. John the Ripper will determine the hash types before stepping through a number of cracking modes.
The most common cracking modes that JtR uses are:
- Single Crack: Fastest mode if a full password file is available
- Wordlist: Attempts passwords found in word lists, works very well against simple passwords
- Incremental: True brute-force, tries every possible combination until a match is found (or not)
The easiest and usually fastest method is to start John the Ripper and let it automatically step through its most efficient modes. This is usually fastest unless you know the passwords in question will not be on a wordlist.
You can also use a specific wordlist such as one downloaded from the Internet:
john <passfile> –-wordlist=”bestwordlist.txt”
Or specify which cracking mode to use:
john --single <passfile> john --incremental <passfile>
This will start John the Ripper in single crack or incremental mode respectively.
What is Single Crack Mode?
In single-crack mode the program will use the login names, “GECOS” / “Full Name” fields, and users’ home directory names as candidate passwords. It also applies heavy mangling rules for efficient processing. Information is only used against accounts that it was taken from making this mode much faster than wordlist mode. Any successfully guessed passwords are also tried against other hashes in case users are using the same passwords.
Word Mangling Rules
Word mangling rules are key to making JtR more efficient. If you are trying to crack complex or long passwords you will want to operate as efficiently as possible (and even then it will take a long time, or a lot of hardware!).
Mangling rules pre process the wordlists and make optimizations to improve the cracking process.
john --wordlist=”bestwordlist.txt” --rules <passfile>
Hopefully at this point you’ve cracked some passwords. You can view any cracked passwords with:
john --show <passfile>
This will show any cracked passwords for that password file. You can also filter the list to show users with a particular id or that are in a particular group:
john --show --users=0 <passfile> john --show --groups=0,1 <passfile>
Of course you can also pipe the output to another tool such as grep for further filtering:
john --show | grep "some user"