Introduction
John the Ripper is free and Open Source software,
distributed primarily in source code form.
If you would rather use a commercial product tailored for your specific
operating system, please consider
John the Ripper
Pro,
which is distributed primarily in the form of "native" packages
for the target operating systems and in general is meant to be easier to
install and use while delivering optimal performance.
Installing John
Although, at least on the distributions we tried, the package in
named simply "john" with Gentoo making an exception and naming it
"johntheripper", we will make it easy for you and show you how to
install it on several known distributions.
Debian
Debian differs from other distributions that offer John in their
repositories because it offers a nice manual page, although upstream
doesn't have one. To install, simply type
# aptitude install john
Fedora
On Fedora, it's also as simple as doing
# yum install john
Arch Linux
# pacman -S john
OpenSuse Linux
# zypper install john
Gentoo
As we said, Gentoo's package is named differently from what others offer, so here you will have to run
# emerge johntheripper
Slackware
Although there doesn't seem to be a john package in the official
repositories, there is a slackbuild that gets John installed on your
system (this was tested on Slackware 13.37).
Although we gave you just a few examples on how you can get John on
your Linux system, many of the examples presented will run if you have
other OS installed: besides source code, the project offers the program
for BeOS, Microsoft Windows, Solaris or MacOS X. But for our article, as
the title says, we tested the examples on Linux.
Using John the Ripper
You need not worry about cryptic configuration files, as John is
ready to use with the appropriate command-line flags with no other
effort on your part. One word of warning, though: as you already
noticed, we tell our readers when they should use root privileges and
when they shouldn't. Except when noted, you are strongly recommended to
use your normal everyday user (or another, if you prefer, but it
shouldn't have super user rights). On my Debian system, John is
available as /usr/sbin/john, so if you don't find it we recommend you
use whereis and type the whole path when running john unprivileged (or
you can simply create an alias).
The simplest way to get your feet wet is to type
$ /usr/sbin/john --test
for doing some tests and benchmarks on John's capabilities. If you
have no idea what Kerberos, MD5, DES or Blowfish are, we recommend you
start reading some basic security books, because, like we said before,
you need some security/administration background. Now, let's create a
text file in password format (<user>:<hash>) with a valid
hash, of course, and get John to work. You can simply copy a user from
/etc/shadow, but we recommend something simpler, because we presume you
want to see the results as fast as you can. So create a file named
password.txt somewhere inside your /home and put this in it:
myuser:AZl.zWwxIh15Q
Save the file, then simply feed it to John with no arguments (for now):
$ /usr/sbin/john password.txt
We must repeat our warning: password cracking is a CPU-intensive and
long process, so depending on your system, that might take quite a
while. However, this also depends on what you want to achieve, because
if your powerful CPU has been crunching at the password(s) for days with
no outcome, it's only safe to say that it's a good password. But if the
password is really critical, leave the system until John finishes its'
work to make sure everything is alright. Like we said before, this could
take many days.
Now, if you have a powerful box with the sole purpose of testing
passwords, which is always a good thing given the means, you can try
your real-life passwords with John. One way is to use /etc/shadow
directly, but we recommend you take a somewhat different course. Note
that this applies to systems using shadow passwords, and all the modern
Linux distributions do. John offers a nifty utility called unshadow,
which we will use to create a file from our passwd and shadow files:
# unshadow /etc/passwd /etc/shadow > mypasswd.txt
Now make sure that mypasswd.txt is available to your normal user and do
$ /usr/sbin/john mypasswd.txt
John will try single crack mode first, then wordlist mode, then
incremental. In John's terms, a mode is a method it uses to crack
passwords. As you know, there are many kinds of attacks: dictionary
attacks, brute force attacks, and so on. Well, this is roughly what
John's modes are. As some of you might have realized, wordlist mode is
basically a dictionary attack. Besides these three modes enumerated
above, John also supports another one called external mode. You can
select what mode to use with, for example, --single, --external and so
on. We recommend you check out the documentation over at openwall.com
for a good but brief description of every mode. But of course we will
tell you, in short, what every mode does.
John the Ripper's documentation recommends starting with single crack
mode, mostly because it's faster and even faster if you use multiple
password files at a time. Incremental mode is the most powerful mode
available, as it will try various combinations when cracking, and you
can choose what kind of mode (mode applied to the incremental option) to
use, including your own. External mode, as the name implies, will use
custom functions that you write yourself, while wordlist mode takes a
word list specified as an argument to the option (it can be a file with a
list of words written one per line, or stdin) and tries a simple
dictionary attack on passwords.
If John is succesful in cracking one of the passwords, it will write
to ~/.john/john.pot. However, that file isn't human-readable, so you can
read cracked passwords with
$ /usr/sbin/john --show mypasswd.txt
To check if the root password got cracked, filter by UID:
$ /usr/sbin/john --show --users=0 mypasswd.txt
Of course, John knows about wildcards and multiple files:
$ /usr/sbin/john --show --users=0 *passwd*
Just as you can filter by user, you can also filter by group, by
using the --groups flag, and that filtering is available also when
cracking. Going further to wordlist mode, here's how you can use it with
the built-in mangling rules enabled:
$ /usr/sbin/john --wordlist=passwd.lst --rules passwd.txt
John also allows you to create multiple named sessions, which is
practical, because since John can take lots of time to complete a task,
you can later view all sessions running to decide which one to kill. The
option for named sessions is --session=taskname and you can use
--status or --status=taskname to see all or certain sessions. But
there's more: you can restore sessions or particular ones by name using
--restore or --restore=taskname. A few examples:
$ /usr/sbin/john --session=allrules --wordlist=all.lst --rules mypasswd.txt
$ /usr/sbin/john --status=allrules
$ ps aux | grep john #get the PID of the john session you want to kill
$ kill HUP $PID_of_john_session_to_kill
$ /usr/sbin/john --restore=allrules
Here's some examples of using incremental mode with John:
$ /usr/sbin/john --incremental mypasswd.txt
$ /usr/sbin/john --incremental=alpha mypasswd.txt
Of course, this isn't a replacement of John's documentation.
Although, as we said, it doesn't offer a manual page, you will find lots
of documentation on its' page, as well as a useful wiki. For example,
you will notice that even if you're running John on a multiprocessor
machine, it will use only one core, usually the first. You can address
this problem by reading the documentation and following the instructions
there.
Conclusion
We feel that it might be best we end this article with a little word
on ethics. Although it very well might not be your case, there are those
few who've seen Hackers too many times and think of cracking (as
opposed to hacking) as a cool activity. We only suggest you try and use
your knowledge for good, not for something that has 99.8% of failing and
getting you a nice criminal record. Have fun.