Welcome back, aspiring cyberwarriors!
John the Ripper (often called “John”) is a tool that earned a reputation as one of the most powerful and versatile in the field. Originally developed by Openwall, John has become an essential tool for penetration testers, security auditors, and anyone else who needs to assess password strength.
In this tutorial, you’ll learn how to use John the Ripper from the ground up. We’ll start with installation and basic concepts, then move through the three main password cracking modes with hands-on exercises for each. Let’s get rolling!
What Makes John the Ripper Powerful?
John the Ripper works by comparing password hashes against potential passwords. It generates candidate passwords, hashes them using the same algorithm as the target, and checks for matches. This approach is effective against various hash types, including MD5, SHA-1, SHA-256, bcrypt, and more.
In addition, the tool supports multiple platforms, including Linux, Windows, and macOS. It features multiple cracking modes, including Single, Wordlist, and Incremental approaches. John supports extensive hash formats, allowing you to crack dozens of different hash types. Besides that, you can create customizable rules to generate password variations, and the Jumbo version even includes GPU acceleration for significantly faster cracking.
Installation
John the Ripper is pre-installed on Kali Linux. Verify the installation:
kali> john

For Ubuntu/Debian, you can install John from the apt repository:
kali> sudo apt install john
Once you have installed John, try the help command to make sure your installation is working.
kali> john -h

Understanding Password Cracking Modes
John the Ripper offers three primary cracking modes, each suited for different scenarios.
1. Single Crack Mode
Single Crack Mode uses information from the username to generate password variations. This mode is surprisingly effective because users often create passwords based on their usernames.
You should use Single Crack Mode as a quick first attempt, especially when you have username information available. The syntax is straightforward:
kali> john --single --format=FORMAT hashfile.txt
The mode works by taking patterns from the username and generating variations. If the username is “hacker”, John will try variations like Hacker2025, HACKER2025, hacker2025!, 2025hacker, and many more permutations based on capitalization changes, number additions, and common character substitutions.
The command for cracking will be the following:
kali> john --single --format=raw-sha256 hash.txt

And immediately, we got an output with the password.
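To make the Single mode idea concrete, here is an added Python example (not code from the article or from the John the Ripper project). It generates the kind of username-derived candidates the paragraph above lists, can be used as a password-policy check that rejects such passwords before they ever reach a hash file, and shows what John does for one raw-sha256 `user:hash` line: hash each candidate and compare. The username "hacker", the password `hacker2025!`, the year list and the substitution table are constructed lab values.

```python
import hashlib
import itertools

# Simple character substitutions of the kind Single mode applies (a->@, e->3, i->1, o->0, s->$).
LEET = str.maketrans("aeios", "@310$")

# Constructed lab data, not from the article: a "user:hash" line in the layout John
# reads for raw-sha256, for the user "hacker" whose password is hacker2025!.
LAB_HASH_LINE = "hacker:" + hashlib.sha256(b"hacker2025!").hexdigest()


def username_variants(username, years=(2024, 2025)):
    """Return candidate passwords derived from a username: case changes, leet
    substitutions, and year/number additions before or after the name."""
    base = username.lower()
    words = [base, base.capitalize(), base.upper(), base.translate(LEET)]
    numbers = [""] + [str(y) for y in years] + [str(y)[-2:] for y in years]
    suffixes = ["", "!", "1", "123"]
    candidates = []
    for word, num, suffix in itertools.product(words, numbers, suffixes):
        candidates.append(f"{word}{num}{suffix}")
        if num:  # number in front, e.g. 2025hacker
            candidates.append(f"{num}{word}{suffix}")
    return list(dict.fromkeys(candidates))  # dedupe while keeping order


def derived_from_username(username, password):
    """Policy check: True if the password is one of the username variants above,
    i.e. something Single mode would recover almost immediately."""
    return password in set(username_variants(username))


def crack_raw_sha256_line(line, candidates):
    """What John does for one raw-sha256 entry: hash each candidate and compare.
    Returns the matching candidate, or None if nothing in the list matches."""
    user, _, digest = line.strip().partition(":")
    digest = digest.lower()
    for cand in candidates:
        if hashlib.sha256(cand.encode()).hexdigest() == digest:
            return cand
    return None


if __name__ == "__main__":
    user = LAB_HASH_LINE.split(":")[0]
    print(f"{user}: {crack_raw_sha256_line(LAB_HASH_LINE, username_variants(user))}")
```

The variant list is deliberately small; John's real Single mode rules are far richer, which is exactly why `derived_from_username` is a useful minimum bar for a password policy rather than a complete one.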
2. Wordlist Mode (Dictionary Attack)
Wordlist Mode compares hashes against a list of potential passwords from a dictionary file. This is the most commonly used mode for password cracking because it balances speed with effectiveness.
You should use Wordlist Mode when you have a good wordlist, which covers most real-world scenarios. The syntax requires specifying both the wordlist file and the hash format:
kali> john --wordlist=WORDLIST_FILE --format=FORMAT hashfile.txt
The RockYou wordlist is the most famous collection, containing over 14 million passwords leaked from the RockYou.com breach. But your cracking process should not be focused on this list. Consider creating your own wordlist, specific to your target. We’ve covered previously how to do so with tools like crunch and cupp.
But for demonstration purposes, I created a hash file with the password from a RockYou list.
The command for cracking will be the following:
kali> john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-sha256 hash.txt

3. Incremental Mode (Brute Force)
Incremental Mode tries all possible character combinations. This is the most thorough but slowest method, making it suitable only for specific scenarios.
You should use Incremental Mode as a last resort, particularly for short passwords when other methods have failed. The basic syntax is:
kali> john --incremental --format=FORMAT hashfile.txt
This mode exhaustively tries every possible combination of characters, starting with single characters and working up to longer passwords. This process can take days, weeks, or even years for moderately long passwords.
The command for cracking will be the following:
kali> john --incremental --format=raw-sha256 hash.txt
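To put numbers behind "days, weeks, or even years", here is an added Python example (not from the article) that computes the size of the keyspace Incremental mode must exhaust for a given character set and maximum length, and converts it to wall time at an assumed hashing rate. The rate of one billion raw-SHA256 hashes per second is a round placeholder, not a benchmark; the point is how length and character-set size dominate the result.

```python
def keyspace(charset_size, max_len, min_len=1):
    """Number of candidates needed to exhaust every length from min_len to
    max_len over a character set of the given size."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(charset_size, max_len, hashes_per_second):
    """Worst-case wall time to try the whole keyspace at a fixed rate."""
    return keyspace(charset_size, max_len) / hashes_per_second


def human_duration(seconds):
    """Render seconds in the largest convenient unit with one decimal."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Assumed rate for the illustration only: a round placeholder for one modern GPU
# on a fast unsalted hash, not a measured figure from the article.
ASSUMED_RATE = 1_000_000_000

if __name__ == "__main__":
    scenarios = (
        ("lowercase letters, up to 8 chars", 26, 8),
        ("letters and digits, up to 10 chars", 62, 10),
        ("all printable ASCII, up to 12 chars", 95, 12),
    )
    for label, size, length in scenarios:
        print(f"{label}: {human_duration(seconds_to_exhaust(size, length, ASSUMED_RATE))}")
```

Running it shows why Incremental mode is a last resort for short passwords only: an 8-character lowercase space falls in minutes at that rate, while 12 printable characters take millions of years. Slow hashes such as bcrypt reduce the achievable rate by orders of magnitude and stretch every row of that table accordingly.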

Cracking Windows NTLM Hashes
In Windows, password hashes are stored in the SAM database. The SAM uses the LM/NTLM hash format for passwords, and we can use John the Ripper to crack one of these hashes. Retrieving passwords from the SAM database is beyond the scope of this article, but let’s assume you have obtained a password hash for a Windows user. Here is the command to crack it:
kali> john --format=NT ntlm_hash.txt

Because no mode is specified, John starts with Single mode by default.
Cracking a Linux Password
In Linux, two important files are stored in the /etc directory: passwd and shadow. The passwd file contains information such as the username, user ID, and login shell, while the shadow file holds the password hash, expiration details, and other related data.
Besides the main “john” command, John the Ripper includes several additional utilities, one of which is called unshadow. This tool merges the passwd and shadow files into a single combined file that John can process when cracking passwords.
Here is how you use the unshadow command:
kali> unshadow passwd shadow > hash.txt
This command combines the two files into hash.txt, which we can now crack with John. One caveat: Kali Linux’s John the Ripper doesn’t readily detect the Linux (crypt) hash type. If you omit the --format flag below, John won’t crack anything at all, so the command is as follows:
kali> john --format=crypt hash.txt
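The following added Python example (not the project's own unshadow utility, nor code from the article) reproduces what unshadow does so the file format is clear: every passwd line is kept intact, but its `x` password field is replaced with the hash from the matching shadow line. It also filters out locked or passwordless accounts (`*`, `!`, `!!`), which John skips as well, and names the crypt(3) algorithm from the hash prefix, which explains the `--format=crypt` requirement: that format hands hashes to the system's own crypt(3) library, so it handles whatever the local system uses, including yescrypt (`$y$`), the default on current Debian-based systems. The passwd and shadow content below is constructed, and alice's hash is a made-up placeholder rather than a real digest.

```python
# Constructed sample files (not from the article): a minimal /etc/passwd and
# /etc/shadow. The alice hash is a made-up placeholder, not a real sha512crypt digest.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""
SHADOW_SAMPLE = """\
root:*:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$c0nstructedSalt$FakePlaceholderDigestForDemoOnly:19700:0:99999:7:::
"""

# Prefixes used by crypt(3)-style hashes and the algorithm each denotes.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way unshadow does: each passwd line keeps all
    its fields, but the 'x' password field is replaced by the hash from shadow."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, _, rest = line.partition(":")
            hashes[user] = rest.split(":")[0]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])  # users missing from shadow keep 'x'
        merged.append(":".join(fields))
    return merged


def crackable_entries(merged_lines):
    """Return (user, hash) pairs that actually carry a hash. Entries marked '*',
    '!' or '!!' are locked or passwordless accounts and John skips them too."""
    out = []
    for line in merged_lines:
        fields = line.split(":")
        if fields[1] not in ("", "x", "*", "!", "!!"):
            out.append((fields[0], fields[1]))
    return out


def identify_crypt(hash_value):
    """Name the crypt(3) algorithm from the hash prefix, or 'unknown'."""
    for prefix, name in CRYPT_PREFIXES.items():
        if hash_value.startswith(prefix):
            return name
    return "unknown"


if __name__ == "__main__":
    merged = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for user, hash_value in crackable_entries(merged):
        print(f"{user}: {identify_crypt(hash_value)}")
```

On a real system, only root can read /etc/shadow, which is the whole reason the hashes live there rather than in the world-readable passwd file; the merged output inherits that sensitivity and should be handled and deleted with the same care.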

Summary
John the Ripper is a robust tool for cracking passwords. It compares password hashes against potential passwords using various algorithms and is compatible with many types of hashes.
This tool runs on many different platforms and is efficient with system resources, which is why it’s a favorite among security experts and aspiring hackers. With security needs on the rise, John the Ripper remains a strong and valuable tool in the world of cybersecurity.
Source: HackersArise
Source Link: https://hackers-arise.com/password-cracking-getting-started-with-john-the-ripper/