Introduction to John The Ripper - Password Cracker
John The Ripper (JTR) is one of the most popular password cracking tools and is available in most penetration testing Linux distributions like Kali Linux, Parrot OS, etc. The tool has been used in most cyber demos, one of the most popular being its use by the Varonis Incident Response Team. The John The Ripper password cracking utility boasts a user-friendly command-line interface and the ability to detect most password hash types. This tutorial will dive into John the Ripper, show you how it works, and explain why you need it for security testing.
What are Password Hashes?
Currently, password login is one of the most widely used authentication methods. When you create a login password on most secure systems, it is stored in a hashed format. Some of the common hashing algorithms include MD5, SHA-1, SHA-2, NTLM, and LANMAN. For example, if I set my password as john@2021@ and it's hashed with the MD5 algorithm, the resulting password hash will be 5960fe967092ea6724ef5e6adb3ab9c6. When you want to log in, the system hashes the password you enter with the same algorithm and compares the result with the hash stored in the database.
Password Cracking With John the Ripper (JtR)
Password cracking with JtR is an iterative process. A word is selected from the wordlist and hashed with the same hash algorithm used to hash the password, and the resulting hash is compared with the password hash. If they match, the word picked from the wordlist is the original password. If they don't match, JtR picks another word and repeats the same process until a match is found. As you may have guessed, this process can take some time if the password used was complex. John the Ripper supports most encryption technologies found in UNIX and Windows systems.
Note: macOS is UNIX-based.
We will use our existing Kali Linux setup for the demonstrations in this article.
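The hash-and-compare loop described above, written as a small password audit. This is an added example, not code from the original tutorial or from John the Ripper; it goes one step beyond the text by counting hash computations for unsalted MD5 against a salted, iterated hash. The account names, wordlist, salts and iteration count are constructed for the demonstration.

```python
import hashlib

ITERATIONS = 1000  # constructed value, kept low so the demo runs quickly

def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()

def pbkdf2_hex(word, salt):
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, ITERATIONS).hex()

def audit_unsalted(stored, wordlist):
    """stored: {user: md5 hex}. One hash per word is checked against every account."""
    found, hashes = {}, 0
    for word in wordlist:
        digest = md5_hex(word)
        hashes += 1
        for user, target in stored.items():
            if digest == target:
                found[user] = word
    return found, hashes

def audit_salted(stored, wordlist):
    """stored: {user: (salt, hex)}. Every account needs its own hash per word."""
    found, hashes = {}, 0
    for user, (salt, target) in stored.items():
        for word in wordlist:
            hashes += 1
            if pbkdf2_hex(word, salt) == target:
                found[user] = word
                break
    return found, hashes

# Constructed sample data: two accounts share a weak password, one has a strong one.
WORDLIST = ["letmein", "secret123", "password", "qwerty"]
PASSWORDS = {"alice": "secret123", "bob": "secret123", "carol": "Xk9#vTq2!mLp"}
UNSALTED = {u: md5_hex(p) for u, p in PASSWORDS.items()}
# Deterministic per-user salts keep the demo reproducible; real systems use random salts.
SALTED = {u: (u.encode() + b"-salt", pbkdf2_hex(p, u.encode() + b"-salt"))
          for u, p in PASSWORDS.items()}

if __name__ == "__main__":
    print("unsalted:", audit_unsalted(UNSALTED, WORDLIST))
    print("salted:  ", audit_salted(SALTED, WORDLIST))
```

Without a salt, the two accounts with the same password store the same hash and fall to a single computation; with per-user salts the work is repeated per account and multiplied by the iteration count.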
Modes of Password Cracking
JtR supports 3 main modes of password cracking:
- Single Mode Crack: JtR tries to use usernames found on the GECOS field and test them as possible passwords. GECOS is a field of each record in the /etc/passwd file on UNIX systems.
- Wordlist mode: JtR tries all the password combinations in a wordlist file.
- Incremental mode (aka Brute-Force attack): JtR tries all character combinations to crack the password.
To properly understand how these three modes work, let's try cracking the password hash of our Linux system.
Single Mode Password Cracking
By default, the hashed user login passwords are stored in the /etc/shadow file on any Linux system. To view the contents of the shadow file, execute the command below in your terminal.
$ sudo cat /etc/shadow
From the image, we will crack the password for the user Karen. Since password cracking can be, at times, a lengthy process for complex passwords, we set the username as the password. We will copy the whole field and save it in a file named shadow.hashes on the Desktop. To crack the password hash, we will use the syntax below:
$ sudo john --single shadow.hashes
From the image, you can see JtR cracked the password for users johndoe and Karen. The users are the ones enclosed in brackets.
Wordlist Cracking Mode
With this mode, John the Ripper uses a wordlist to crack a password. Let's create a new user called Debian with the password secret123, then use a wordlist to try and crack the password. To create a user and set up a password, we will execute the commands below:
$ sudo useradd Debian
$ sudo passwd Debian
Now, we will copy the password hash from the /etc/shadow file and store it in the file hashes.txt. To crack this password hash using a wordlist, we will use the --wordlist parameter and then provide the path of the wordlist. See the command below:
$ john --wordlist=/usr/share/wordlists/crypton.txt hashes.txt
From the image above, we can clearly see that John the Ripper successfully cracked the password of our user Debian. Essentially, the tool was picking a single password from the wordlist, hashing it with the SHA-512 algorithm, then comparing the resulting hash with the hash we provided until it found a match.
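The algorithm used for a shadow entry is recorded in the identifier at the start of its password field (for example $6$ for SHA-512 crypt), so the same file can be audited for accounts that still use weak schemes or have no password at all. The following is an added example, not part of the original tutorial; the sample lines, salts and hashes are constructed placeholders, and the "weak" labels are this example's own policy.

```python
# crypt(5) identifiers mapped to (scheme name, treated as weak by this audit)
SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}

def classify(line):
    """Return (user, scheme, finding) for one /etc/shadow line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated shadow fields")
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "none", "empty password field: no password required"
    if pw[0] in "!*":
        return user, "locked", "password login disabled"
    if not pw.startswith("$"):
        return user, "des-based", "weak: legacy DES-based crypt, rehash"
    ident = pw.split("$")[1]
    name, weak = SCHEMES.get(ident, ("unknown($%s$)" % ident, False))
    return user, name, "weak: rehash with a modern scheme" if weak else "ok"

def audit(shadow_text):
    """Classify every non-blank line of a shadow-format file."""
    return [classify(l) for l in shadow_text.splitlines() if l.strip()]

# Constructed sample in /etc/shadow format; salts and hashes are placeholders.
SAMPLE = """\
svc_legacy:$1$constructedsalt$constructedhash:19000:0:99999:7:::
Debian:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, finding in audit(SAMPLE):
        print(f"{user:12} {scheme:12} {finding}")
```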
Incremental Password Cracking Mode
With this mode, JtR attempts a brute-force style attack, trying every combination of characters possible. This cracking mode can take quite some time since John will keep trying higher and higher password lengths until it finds a match. The basic syntax for the incremental mode is shown below.
$ john --incremental hashes.txt
Stopping and Restoring Cracking
When cracking large complex passwords, some situations compel us to pause or cancel the cracking process. Luckily, JtR includes a feature that allows you to cancel a running process and resume from where you left off.
To pause or stop a password cracking process, type Q or use the keyboard combination Ctrl + C. To resume and continue from where you left off, use the command below:
$ john --restore
Word mangling rules
When using a wordlist to crack password hashes, you can set rules to mangle the words in the wordlist to try variations of that word. For example, if we have a word like johndoe, JtR will add numbers to the end of the word and try replacing letters with numbers and adding other random symbols. The resulting output might include:
johnDoe
JohnDOE
johndoe123
@JohnDoe
And so on.
You can enable word mangling rules (which are used to modify or "mangle" words producing other likely passwords). If enabled, all of the rules will be applied to every line in the wordlist file producing multiple candidate passwords from each source word. The wordlist should not contain duplicate lines. Let us now look at some real-world examples.
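Because single mode and mangling rules start from the account's own login name and GECOS data, a password-change check can reject any new password that reduces to those words. The following is an added example, not code from the original tutorial or from John the Ripper; the substitution table, function names and sample /etc/passwd line are constructed for illustration and do not reproduce John's rule set.

```python
import re

# Leet substitutions undone before comparison (constructed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
AFFIX = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")  # digits/symbols at either end

def base_forms(candidate):
    """Reduce a password to the word(s) it was probably mangled from."""
    lowered = candidate.lower()
    return {
        AFFIX.sub("", lowered).translate(LEET),  # johndoe123, @JohnDoe
        AFFIX.sub("", lowered.translate(LEET)),  # j0hnd03!
    }

def account_tokens(passwd_line):
    """Login name plus the words of the GECOS full-name field (field 5)."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated /etc/passwd fields")
    words = re.findall(r"[a-z]+", fields[4].split(",")[0].lower())
    tokens = {fields[0].lower(), "".join(words), *words}
    return {t for t in tokens if len(t) >= 3}

def is_account_derived(candidate, passwd_line):
    """True if the password is the account's own name under simple mangling."""
    return bool(base_forms(candidate) & account_tokens(passwd_line))

# Constructed sample record in /etc/passwd format.
PASSWD_LINE = "johndoe:x:1001:1001:John Doe,,,:/home/johndoe:/bin/bash"

if __name__ == "__main__":
    for pw in ["johnDoe", "JohnDOE", "johndoe123", "@JohnDoe",
               "j0hnd03!", "Doe2021", "Xk9#vTq2!mLp"]:
        verdict = "reject" if is_account_derived(pw, PASSWD_LINE) else "accept"
        print(f"{pw:14} {verdict}")
```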
Cracking a Zip File Password with John The Ripper
To crack a zip file, we first need to extract the password hash and then crack it with John the Ripper. To extract zip file password hashes, we will use a tool called zip2john. If we were working with a RAR file, we would use the tool rar2john to extract the hashes.
Execute the command below to extract the hashes from your zipped file and store them in a file named zip.hashes:
$ zip2john protected.zip > zip.hashes
After successfully extracting the password hash, we will crack it with John the Ripper using a wordlist. Execute the command below:
$ john --wordlist=/usr/share/wordlists/crypton.txt zip.hashes
From the image above, we were able to crack the zip file password successfully.
Even though there are many password-cracking utilities available today, John the Ripper is without doubt one of the best and most reliable. It has been used with other tools in most cyber-attack conferences to exploit system vulnerabilities and gain elevated privileges on a compromised system. I believe this tutorial has given you a clear guide on how to get started with password cracking using JtR.