Introduction
John the Ripper is free and Open Source software, distributed primarily in source code form. If you would rather use a commercial product tailored for your specific operating system, please consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and in general is meant to be easier to install and use while delivering optimal performance.Installing John
Although, at least on the distributions we tried, the package in named simply "john" with Gentoo making an exception and naming it "johntheripper", we will make it easy for you and show you how to install it on several known distributions.Debian
Debian differs from other distributions that offer John in their repositories because it offers a nice manual page, although upstream doesn't have one. To install, simply type# aptitude install john
Fedora
On Fedora, it's also as simple as doing# yum install john
Arch Linux
# pacman -S john
OpenSuse Linux
# zypper install john
Gentoo
As we said, Gentoo's package is named differently from what others offer, so here you will have to run# emerge johntheripper
Slackware
Although there doesn't seem to be a john package in the official repositories, there is a slackbuild that gets John installed on your system (this was tested on Slackware 13.37).Although we gave you just a few examples on how you can get John on your Linux system, many of the examples presented will run if you have other OS installed: besides source code, the project offers the program for BeOS, Microsoft Windows, Solaris or MacOS X. But for our article, as the title says, we tested the examples on Linux.
Using John the Ripper
You need not worry about cryptic configuration files, as John is ready to use with the appropriate command-line flags with no other effort on your part. One word of warning, though: as you already noticed, we tell our readers when they should use root privileges and when they shouldn't. Except when noted, you are strongly recommended to use your normal everyday user (or another, if you prefer, but it shouldn't have super user rights). On my Debian system, John is available as /usr/sbin/john, so if you don't find it we recommend you use whereis and type the whole path when running john unprivileged (or you can simply create an alias).The simplest way to get your feet wet is to type
$ /usr/sbin/john --testfor doing some tests and benchmarks on John's capabilities. If you have no idea what Kerberos, MD5, DES or Blowfish are, we recommend you start reading some basic security books, because, like we said before, you need some security/administration background. Now, let's create a text file in password format (<user>:<hash>) with a valid hash, of course, and get John to work. You can simply copy a user from /etc/shadow, but we recommend something simpler, because we presume you want to see the results as fast as you can. So create a file named password.txt somewhere inside your /home and put this in it:
myuser:AZl.zWwxIh15QSave the file, then simply feed it to John with no arguments (for now):
$ /usr/sbin/john password.txtWe must repeat our warning: password cracking is a CPU-intensive and long process, so depending on your system, that might take quite a while. However, this also depends on what you want to achieve, because if your powerful CPU has been crunching at the password(s) for days with no outcome, it's only safe to say that it's a good password. But if the password is really critical, leave the system until John finishes its' work to make sure everything is alright. Like we said before, this could take many days.
Now, if you have a powerful box with the sole purpose of testing passwords, which is always a good thing given the means, you can try your real-life passwords with John. One way is to use /etc/shadow directly, but we recommend you take a somewhat different course. Note that this applies to systems using shadow passwords, and all the modern Linux distributions do. John offers a nifty utility called unshadow, which we will use to create a file from our passwd and shadow files:
# unshadow /etc/passwd /etc/shadow > mypasswd.txtNow make sure that mypasswd.txt is available to your normal user and do
$ /usr/sbin/john mypasswd.txtJohn will try single crack mode first, then wordlist mode, then incremental. In John's terms, a mode is a method it uses to crack passwords. As you know, there are many kinds of attacks: dictionary attacks, brute force attacks, and so on. Well, this is roughly what John's modes are. As some of you might have realized, wordlist mode is basically a dictionary attack. Besides these three modes enumerated above, John also supports another one called external mode. You can select what mode to use with, for example, --single, --external and so on. We recommend you check out the documentation over at openwall.com for a good but brief description of every mode. But of course we will tell you, in short, what every mode does.
John the Ripper's documentation recommends starting with single crack mode, mostly because it's faster and even faster if you use multiple password files at a time. Incremental mode is the most powerful mode available, as it will try various combinations when cracking, and you can choose what kind of mode (mode applied to the incremental option) to use, including your own. External mode, as the name implies, will use custom functions that you write yourself, while wordlist mode takes a word list specified as an argument to the option (it can be a file with a list of words written one per line, or stdin) and tries a simple dictionary attack on passwords.
If John is succesful in cracking one of the passwords, it will write to ~/.john/john.pot. However, that file isn't human-readable, so you can read cracked passwords with
$ /usr/sbin/john --show mypasswd.txtTo check if the root password got cracked, filter by UID:
$ /usr/sbin/john --show --users=0 mypasswd.txtOf course, John knows about wildcards and multiple files:
$ /usr/sbin/john --show --users=0 *passwd*Just as you can filter by user, you can also filter by group, by using the --groups flag, and that filtering is available also when cracking. Going further to wordlist mode, here's how you can use it with the built-in mangling rules enabled:
$ /usr/sbin/john --wordlist=passwd.lst --rules passwd.txtJohn also allows you to create multiple named sessions, which is practical, because since John can take lots of time to complete a task, you can later view all sessions running to decide which one to kill. The option for named sessions is --session=taskname and you can use --status or --status=taskname to see all or certain sessions. But there's more: you can restore sessions or particular ones by name using --restore or --restore=taskname. A few examples:
$ /usr/sbin/john --session=allrules --wordlist=all.lst --rules mypasswd.txt $ /usr/sbin/john --status=allrules $ ps aux | grep john #get the PID of the john session you want to kill $ kill HUP $PID_of_john_session_to_kill $ /usr/sbin/john --restore=allrulesHere's some examples of using incremental mode with John:
$ /usr/sbin/john --incremental mypasswd.txt $ /usr/sbin/john --incremental=alpha mypasswd.txtOf course, this isn't a replacement of John's documentation. Although, as we said, it doesn't offer a manual page, you will find lots of documentation on its' page, as well as a useful wiki. For example, you will notice that even if you're running John on a multiprocessor machine, it will use only one core, usually the first. You can address this problem by reading the documentation and following the instructions there.
