Security Slice

John the Ripper

John the Ripper

Description

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.

PlatformAll
AuthorOpenwall
LicenseGPLv3
URLhttps://www.openwall.com/john/

Usage

John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/
 
Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION[,..]]    "single crack" mode, using default or named rules
--single=:rule[,..]        same, using "immediate" rule(s)
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but extract words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODINGS and --list=hidden-options.
--rules[=SECTION[,..]]     enable word mangling rules (for wordlist or PRINCE
                           modes), using default or named rules
--rules=:rule[;..]]        same, using "immediate" rule(s)
--rules-stack=SECTION[,..] stacked rules, applied after regular rules or to
                           modes that otherwise don't support rules
--rules-stack=:rule[;..]   same, using "immediate" rule(s)
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask[=MASK]              mask mode using MASK (or default from john.conf)
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--subsets[=CHARSET]        "subsets" mode (see doc/SUBSETS)
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=left]              show cracked passwords [if =left, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--costs=[-]C[:M][,...]     load salts with[out] cost value Cn [to Mn]. For
                           tunable cost parameters, see doc/OPTIONS
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node's number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--devices=N[,..]           set OpenCL device(s) (see --list=opencl-devices)
--format=NAME              force hash of type NAME. The supported formats can
                           be seen with --list=formats and --list=subformats

Examples

john ~/labs/web01.hashes

This will run john in default mode and try to crack the hashes in the provided file.

msf6 exploit(windows/smb/psexec) > john labs/web01.hashes
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "LM-opencl"
Use the "--format=LM-opencl" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-opencl"
Use the "--format=NT-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 38 password hashes with no different salts (LM [DES 256/256 AVX2])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 78 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/local/share/john/password.lst, rules:Wordlist
                 (dmckenzie)
                 (ckhan)
                 (phorne)
                 (egeorge)
                 (pmartin)
                 (scook)
                 (kkennedy)
                 (srichardson)
                 (dbryant)
                 (sbates)
                 (cgentry)
                 (khansen)
                 (abates)
                 (nramos)
                 (dwilliams)
                 (rduarte)
                 (ksutton)
                 (kcooper)
                 (hhopkins)
                 (jrivera)
                 (vcollins)
                 (mmiller)
                 (awalker)
                 (tandersen)
                 (lstout)
                 (mlara)
                 (wrobinson)
                 (rgray)
                 (aparker)
                 (slopez)
                 (antivirus)
                 (SROCAdmin)
                 (WDAGUtilityAccount)
                 (DefaultAccount)
                 (Guest)
                 (Administrator)
Proceeding with incremental:LM_ASCII
MIMIGOT          (vberry:1)
KNENZ2G          (vberry:2)
38g 0:00:00:02 DONE 3/3 (2022-03-17 01:29) 15.01g/s 40495Kp/s 40495Kc/s 48036KC/s KNEIRS8..KNENZ2G
Warning: passwords printed above might be partial
Use the "--show --format=LM" options to display all of the cracked passwords reliably
Session completed
 john ~/labs/web01.hashes –show

This command will show which passwords have already been cracked in the given file.

sec560@slingshot:~$ sudo john labs/web01.hashes --show
Administrator::500:aad3b435b51404eeaad3b435b51404ee:1ef98de8555541f1579f98084f32875b:::
Guest::501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount::503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount::504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
SROCAdmin::1008:aad3b435b51404eeaad3b435b51404ee:2e920723943f81ec0af0fd735f737fef:::
antivirus::1009:aad3b435b51404eeaad3b435b51404ee:47f0ca5913c6e70090d7b686afb9e13e:::
slopez::1010:aad3b435b51404eeaad3b435b51404ee:87e968ead530264915a4b295c57c37d5:::
aparker::1011:aad3b435b51404eeaad3b435b51404ee:9b5684b030226a1203e4e7b718a3f9df:::
rgray::1012:aad3b435b51404eeaad3b435b51404ee:23d26a03aa7102abce4805d88e568a78:::
wrobinson::1013:aad3b435b51404eeaad3b435b51404ee:5deaec4b57b859c25cdd0513fb7bc750:::
mlara::1014:aad3b435b51404eeaad3b435b51404ee:d8d9eee954da5f2d42fe72f862fa493f:::
lstout::1015:aad3b435b51404eeaad3b435b51404ee:ca3f0e9ce3188b0602742da2976d6773:::
tandersen::1016:aad3b435b51404eeaad3b435b51404ee:bf459116e5854e34031997be8e13596d:::
awalker::1017:aad3b435b51404eeaad3b435b51404ee:fe1f27a2561b61511588b0d24e333a7c:::
mmiller::1018:aad3b435b51404eeaad3b435b51404ee:7a1f1fd59eb2b97041c74748ea6a68f8:::
vcollins::1019:aad3b435b51404eeaad3b435b51404ee:5bd9b7b6fce76d3aabfebee9debaa932:::
jrivera::1020:aad3b435b51404eeaad3b435b51404ee:baa90a3ad89d359009ce5425063dff3e:::
hhopkins::1021:aad3b435b51404eeaad3b435b51404ee:92929561b2758f409df2b4a24a59c6f4:::
kcooper::1022:aad3b435b51404eeaad3b435b51404ee:5ae44bf0a1e24c0b1ec96708f30e7b84:::
ksutton::1023:aad3b435b51404eeaad3b435b51404ee:a6051a02b7a2bfb4cd0e2c1a9cb4a694:::
rduarte::1024:aad3b435b51404eeaad3b435b51404ee:7ce56170c73f9582fa348db88de2c192:::
dwilliams::1025:aad3b435b51404eeaad3b435b51404ee:c6fd7d8bb36d8862c1b978896a6bec51:::
nramos::1026:aad3b435b51404eeaad3b435b51404ee:0f46bafd2c4acdac0003a1ff4da92625:::
abates::1027:aad3b435b51404eeaad3b435b51404ee:62a56ba1b94193d7f553b895bca28292:::
khansen::1028:aad3b435b51404eeaad3b435b51404ee:fc9fdcdbf09c5be4928287e4ad847dd7:::
vberry:MIMIGOTKNENZ2G:1029:97abc432e5e8e8a03b9ce0ab2b8f2634:d99438ebb5f67b113dab1f907e26979b:::
cgentry::1030:aad3b435b51404eeaad3b435b51404ee:059db5a4061f5a2cb5053e753f9664b4:::
sbates::1031:aad3b435b51404eeaad3b435b51404ee:4f8bfa5d78d7a6398915c9657cd49769:::
dbryant::1032:aad3b435b51404eeaad3b435b51404ee:858bf9272facf23b3593f609e5b64c06:::
srichardson::1033:aad3b435b51404eeaad3b435b51404ee:819dc07ca50e1729d72214e8e9ee8f3a:::
kkennedy::1034:aad3b435b51404eeaad3b435b51404ee:7c3acf216ef4ec061b9330e0ad103c35:::
scook::1035:aad3b435b51404eeaad3b435b51404ee:2d474458480f9aa524ba3ebb1f3f9e6e:::
pmartin::1036:aad3b435b51404eeaad3b435b51404ee:98f9db311936bea281e9a65f45dd1f62:::
egeorge::1037:aad3b435b51404eeaad3b435b51404ee:f482c3342543f49df31a5a240a0558cf:::
phorne::1038:aad3b435b51404eeaad3b435b51404ee:b9a04517b70e549f8b2e4153ee8f4107:::
ckhan::1039:aad3b435b51404eeaad3b435b51404ee:aff059fe35c553548f56db9c85b2d90c:::
dmckenzie::1040:aad3b435b51404eeaad3b435b51404ee:50a173c77e22c87c419cacb5e0629b52:::
 
38 password hashes cracked, 0 left
john –format=nt –wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes

The following is the output when you run john with a wordlist.

sec560@slingshot:~$ sudo john --format=nt --wordlist=/opt/passwords/rockyou.txt ~/labs/web01.hashes
Using default input encoding: UTF-8
Loaded 36 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Remaining 35 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Warrior07        (vcollins)
Tibbetts3        (slopez)
Patrique2238     (wrobinson)
Packardbell350   (mlara)
Oozle11          (aparker)
KAMTPS20!!tim    (rgray)
Chirmol01        (awalker)
BHLMSTz2         (mmiller)
Angels100%       (tandersen)
2soWht!a         (lstout)
10g 0:00:00:00 DONE (2022-03-17 01:46) 10.30g/s 14787Kp/s 14787Kc/s 475458KC/s  Ttwwl789..*7¡Vamos!
Warning: passwords printed above might not be all those cracked
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed
 zip2john file.zip

This will produce a crackable hash from an encrypted zip file and store it in a file named backup.hashes.

└─$ zip2john ./backup.zip > ./backup.hashes
ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
john –format=Raw-MD5 –wordlist=./wordlist8.txt ./passhash.txt

This command will attempt to crack a raw MD5 password hash using the wordlist.

└─$ john --format=Raw-MD5 --wordlist=./wordlist8.txt ./passhash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789        (?)    
1g 0:00:00:00 DONE (2022-03-27 14:12) 50.00g/s 1891Kp/s 1891Kc/s 1891KC/s snapdragon..play2win
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

Blog Posts