How to use the command 'john' (with examples)
John the Ripper, often referred to simply as ‘john’, is a popular open-source password cracking tool. Its primary goal is to identify weak passwords by running brute-force or dictionary attacks against hashed passwords. It supports a variety of hash formats and runs on many operating systems. John the Ripper is particularly suitable for security professionals and penetration testers looking to assess the strength of passwords in a system.
Use case 1: Crack password hashes
Code:
john path/to/hashes.txt
Motivation: Cracking password hashes is a critical task for penetration testers and cybersecurity professionals. By recovering the passwords behind these hashes, they can audit the security of passwords used within an organization. This use case allows them to identify weak passwords and recommend stronger alternatives to improve overall security.
Explanation:
john: This is the command-line invocation of John the Ripper.
path/to/hashes.txt: This represents the file path to the text file containing the password hashes you want to crack. This file should include hashes that need auditing to assess their strength.
Example Output:
Loaded 10 password hashes with no different salts (descrypt [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password1 (user1)
123456 (user2)
rockyou (user3)
...
Use case 2: Show passwords cracked
Code:
john --show path/to/hashes.txt
Motivation: After a cracking attempt, you need to review which passwords were successfully recovered. This immediately informs security teams of compromised accounts and allows them to take prompt action, such as resetting affected passwords or informing the users.
Explanation:
john: Initiates the John the Ripper command.
--show: This option displays the cracked passwords from the previously attempted cracking session.
path/to/hashes.txt: Specifies the file containing the initial password hashes for which the cracking attempt was made.
Example Output:
user1:Password1
user2:123456
user3:rockyou
3 password hashes cracked, 7 left
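As an added example (not part of John the Ripper or of the original page), the shell functions below turn --show output into a list of accounts to reset without copying the recovered passwords into the report. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `john --show` output for an audit report.

# Constructed sample in the format shown above (not real audit data).
sample_show_output() {
cat <<'EOF'
user1:Password1
user2:123456
user3:rockyou

3 password hashes cracked, 7 left
EOF
}

# Print one username per line. Only the first colon-separated field is
# kept, so a password that itself contains ':' cannot leak into the report.
# Blank lines and the summary line are skipped.
cracked_accounts() {
    awk -F: '
        /^[0-9]+ password hash(es)? cracked, [0-9]+ left$/ { next }
        NF >= 2 && $1 != "" { print $1 }
    ' | sort -u
}

# Print "<cracked> <left> <percent cracked>" taken from the summary line.
show_summary() {
    awk '
        /^[0-9]+ password hash(es)? cracked, [0-9]+ left$/ {
            total = $1 + $5
            pct = (total > 0) ? int($1 * 100 / total) : 0
            print $1, $5, pct
        }
    '
}

# Typical use during an audit:
#   john --show path/to/hashes.txt | cracked_accounts > accounts_to_reset.txt
```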
Use case 3: Display users’ cracked passwords by user identifier from multiple files
Code:
john --show --users=user_ids path/to/hashes1.txt path/to/hashes2.txt ...
Motivation: When working with systems that have numerous users, identifying problematic accounts via user IDs expedites the process. This use case is helpful for focusing on specific users or subsets of the user base across several hash files, aiding targeted security audits.
Explanation:
john: The command-line utility being used.
--show: Instructs John to display already cracked passwords.
--users=user_ids: This option only shows results for specified user identifiers, making it easier to pinpoint certain users.
path/to/hashes1.txt, path/to/hashes2.txt, …: These are the file paths where password hashes are stored. It accepts multiple files for a broader search across databases.
Example Output:
user1_from_hashes1:Password1
user3_from_hashes2:rockyou
Use case 4: Crack password hashes, using a custom wordlist
Code:
john --wordlist=path/to/wordlist.txt path/to/hashes.txt
Motivation: Utilizing custom wordlists makes John the Ripper highly versatile. Organizations can create wordlists that reflect common password patterns used by staff, along with industry-specific jargon or names, enhancing the efficiency of password audits.
Explanation:
john: Initiates the password cracking process using John the Ripper.
--wordlist=path/to/wordlist.txt: Directs John to use a specific custom wordlist file for attempting to crack passwords.
path/to/hashes.txt: File containing the hashes that need to be cracked.
Example Output:
Loaded 10 password hashes with no different salts (descrypt [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
customword1 (user2)
customword2 (user5)
Use case 5: List available hash formats
Code:
john --list=formats
Motivation: Knowing which hash formats John the Ripper supports is vital for penetration testers. It lets them confirm compatibility with all the password hash types they encounter during security assessments, which makes for a comprehensive audit.
Explanation:
john: Calls upon the John the Ripper utility.
--list=formats: Command option to list all hash formats that John the Ripper currently supports.
Example Output:
bcrypt
md5crypt
PBKDF2-HMAC-SHA256
sha256crypt
sha512crypt
...
Use case 6: Crack password hashes, using a specific hash format
Code:
john --format=md5crypt path/to/hashes.txt
Motivation: Selecting a specific hash format is necessary when dealing with systems that use different password hashing schemes. By explicitly declaring the format, users avoid compatibility issues and ensure John the Ripper efficiently performs the crack.
Explanation:
john: Invokes John the Ripper software.
--format=md5crypt: This option specifies the exact hashing algorithm format to be used, which optimizes the cracking process.
path/to/hashes.txt: File path where the relevant password hashes are saved.
Example Output:
Loaded 5 password hashes with no different salts (md5crypt [MD5 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (user7)
welcome2023 (user8)
Use case 7: Crack password hashes, enabling word mangling rules
Code:
john --rules path/to/hashes.txt
Motivation: Word mangling significantly enhances the ability of John the Ripper to crack complex passwords by altering base words according to a set of predefined rules. This expands the scope of guessable passwords beyond what’s provided in wordlists alone.
Explanation:
john: Calls the password-cracking utility.
--rules: Enables word mangling, which generates new password guesses based on transformations applied to the initial wordlist.
path/to/hashes.txt: Points to the file containing password hashes for cracking.
Example Output:
Loaded 10 password hashes with no different salts (descrypt [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
P@ssw0rd (user4)
Admin2023 (user9)
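Seen from the policy side, passwords such as P@ssw0rd and Admin2023 fall because they are a base word plus a predictable transformation. The check below is an added example, not part of John the Ripper or of the original page: it rejects a proposed password when undoing simple transformations yields a base word. The function names, the substitution table and the base-word list are assumptions made for illustration, and real mangling rule sets cover far more transformations.

```shell
#!/bin/sh
# Added example: reject passwords that are a dictionary word plus the kind
# of simple transformation that word mangling rules generate.

# Constructed base words standing in for the audit wordlist.
base_words() { printf '%s\n' password admin welcome hello; }

# Reverse common character substitutions (illustrative table, an assumption).
unleet() { tr '@4$50137' 'aassoiet'; }

# Drop digits and symbols added before or after the word.
strip_affixes() { sed -e 's/^[^a-z]*//' -e 's/[^a-z]*$//'; }

# Exit status 0 when the candidate reduces to a base word, 1 otherwise.
# Two orders are tried so that a trailing "0" is treated both as padding
# ("admin0") and as a substituted letter ("hell0").
# The body runs in a subshell so its variables stay local.
is_mangled_word() (
    lower=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    a=$(printf '%s\n' "$lower" | strip_affixes | unleet)
    b=$(printf '%s\n' "$lower" | unleet | strip_affixes)
    [ -n "$a$b" ] || exit 1
    base_words | grep -Fxq -e "$a" -e "$b"
)

# Typical use in a password-change hook:
#   if is_mangled_word "$new_password"; then echo "rejected: too guessable"; fi
```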
Use case 8: Restore an interrupted cracking session from a state file
Code:
john --restore=path/to/mycrack.rec
Motivation: Complex password cracking operations can take a long time to complete. Interruptions due to software updates, user interference, or power failures could halt sessions. John the Ripper allows you to save current sessions and restore them without losing progress, so long-running operations resume efficiently.
Explanation:
john: The command-line password-cracking mechanism used.
--restore=path/to/mycrack.rec: Instructs John to resume a previously saved session, using the recorded state file that captures its last position before interruption.
Example Output:
Session aborted, resuming session from state file mycrack.rec
...
Conclusion:
John the Ripper stands out as a robust tool for cracking password hashes, catering to a variety of scenarios from quick crack attempts to detailed security audits involving custom wordlists or rules. Each example highlights its capability for enhancing password security audits, educating both users and administrators on reinforcing their password policies and practices.