john (john the ripper) — a password cracker for linux and windows 
Introduction
John the Ripper (a.k.a. JtR, or simply john) is a popular fast password cracker for both Linux and Windows. It is quite useful for identifying weak passwords. By weak, I mean ones that do not take a long time to crack. In this article I will show you how to install and use the John the Ripper utility to crack weak passwords.
Installation
If you do not have john installed by default then do not worry, just read on, as in this section I will explain in detail how to get john installed. Let's start with a no-fuss install procedure, i.e. let's use a package manager such as Apt or Yum. To install john using Apt, run the following command.
sudo apt-get install john
The output of the installer is shown below.
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  john
0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded.
Need to get 547kB of archives.
After unpacking 1155kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com gutsy/main john 1.6-40.1ubuntu2 [547kB]
Fetched 547kB in 0s (1183kB/s)
Selecting previously deselected package john.
(Reading database ... 142662 files and directories currently installed.)
Unpacking john (from .../john_1.6-40.1ubuntu2_i386.deb) ...
Setting up john (1.6-40.1ubuntu2) ...
If you are using the Yum package manager, then try the following command instead.
sudo yum install john
You could also compile and install john from the source distribution. First, you will need to download the source code from http://www.openwall.com/john. Use wget for that.
wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2
The output of wget will look something like this:
--23:22:35-- http://www.openwall.com/john/f/john-1.7.2.tar.bz2
Resolving www.openwall.com... 195.42.179.202
Connecting to www.openwall.com|195.42.179.202|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 691706 (675K) [application/octet-stream]
Saving to: `john-1.7.2.tar.bz2'
100%[=======================================================>] 691,706 --.-K/s in 0.06s
23:22:35 (10.7 MB/s) - `john-1.7.2.tar.bz2' saved [691706/691706]
Note that at the time of writing of this article the current version of john was 1.7.2. You may wish to check for the latest version at http://www.openwall.com/john and get that. Anyhow, once you have the sources, extract the tar.bz2 archive using tar as follows.
tar xjf john-1.7.2.tar.bz2
Then go into the source sub-directory.
cd john-1.7.2/src
Once there, run make.
make
This will produce a long list of supported architectures, a fragment of which is shown below.
To build John the Ripper, type:
    make clean SYSTEM
where SYSTEM can be one of the following:
linux-x86-sse2    Linux, x86 with SSE2 (best)
linux-x86-mmx     Linux, x86 with MMX
linux-x86-any     Linux, x86
linux-x86-64      Linux, AMD x86-64 with SSE2
...
generic           Any other Unix-like system with gcc
Pick one that suits you (i.e. one matching your architecture) and use it as follows to build john.
make clean linux-x86-any
Once the compilation process is complete, go to the run subdirectory.
cd ../run
List its content using ls.
ls -la
It should look similar to the following.
total 1228
drwx------ 2 kamil kamil   4096 Nov 22 00:03 .
drwx------ 5 kamil kamil   4096 May 22  2006 ..
lrwxrwxrwx 1 kamil kamil      4 Nov 22 00:03 unafs -> john
lrwxrwxrwx 1 kamil kamil      4 Nov 22 00:03 unique -> john
lrwxrwxrwx 1 kamil kamil      4 Nov 22 00:03 unshadow -> john
-rw------- 1 kamil kamil 341064 Dec 17  2005 all.chr
-rw------- 1 kamil kamil 232158 Dec 17  2005 alnum.chr
-rw------- 1 kamil kamil 131549 Dec 17  2005 alpha.chr
-rw------- 1 kamil kamil  40391 Dec 17  2005 digits.chr
-rwx------ 1 kamil kamil 212440 Nov 22 00:03 john
-rw------- 1 kamil kamil  15087 Mar  2  2006 john.conf
-rw------- 1 kamil kamil 215982 Dec 17  2005 lanman.chr
-rwx------ 1 kamil kamil    785 Dec  2  1998 mailer
-rw------- 1 kamil kamil  22346 Dec 17  2005 password.lst
The built john binary should be there along with some test files. To check that john is working correctly, execute the following command from the run subdirectory.
./john --test
This will produce benchmark results for the supported password hash formats.
Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts: 143872 c/s real, 145619 c/s virtual
Only one salt: 125004 c/s real, 137066 c/s virtual
Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 3164 c/s real, 4733 c/s virtual
Only one salt: 3902 c/s real, 4505 c/s virtual
Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 2416 c/s real, 3481 c/s virtual
Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 216 c/s real, 233 c/s virtual
Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 95129 c/s real, 134363 c/s virtual
Long: 366100 c/s real, 392697 c/s virtual
Benchmarking: NT LM DES [32/32 BS]... DONE
Raw: 1927K c/s real, 2594K c/s virtual
Copy the john binary to some executable path for future use. Voilà!
Using john to find weak passwords (i.e. to crack passwords)
Type in john at the shell. This will produce john's detailed usage information.
Created directory: /home/kamil/.john
John the Ripper password cracker, version 1.7.0.2
Copyright (c) 1996-2006 by Solar Designer and others
Homepage: http://www.openwall.com/john/
Usage: john [OPTIONS] [PASSWORD-FILES]
--single                   "single crack" mode
--wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
--rules                    enable word mangling rules for wordlist mode
--incremental[=MODE]       "incremental" mode [using section MODE]
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset, FILE will be overwritten
--show                     show cracked passwords
--test                     perform a benchmark
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT           load salts with[out] at least COUNT passwords only
--format=NAME              force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
Basically john is used as follows.
john [options] password-files
Let's begin by adding a new user called test.
sudo useradd test
Now let's set test's password to something really easy (i.e. something that is in john's password dictionary, and thus will get broken really quickly). How about… joes? Run:
sudo passwd test
and enter joes as a password.
Enter new UNIX password: joes
Retype new UNIX password: joes
passwd: password updated successfully
On modern Linux systems, passwords are shadowed, i.e. password hashes are stored in the /etc/shadow file. You will need root privileges to access this file. An example fragment of this file is given below.
root:$1$hw1na4sdT$ms4dp3Vda1v4d3rKDgfsRS/mUj/9.:13833:0:99999:7:::
...
kamil:$1$t2po.u3v$lk1ke3a5mj5ghs8ZaR5k7kjg/:13833:0:99999:7:::
...
test:$1$Ms6pYWKS$KZcUUyXUHsqDkZDw.gqeo/:13838:0:99999:7:::
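The shadow lines above all carry the $1$ prefix, which is the MD5-based scheme john reports as FreeBSD MD5. The script below is an added example, not part of the original article: it reads a shadow-format file and reports each account's hash scheme and password age. The function names, the sample lines (placeholder salts and hashes) and the WEAK/ok split are this example's assumptions.

```shell
#!/bin/sh
# Added example: classify accounts in a shadow(5)-format file by hash scheme.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Constructed sample; the salt and hash strings are placeholders, not real hashes.
sample_shadow() {
cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13833:0:99999:7:::
daemon:*:13833:0:99999:7:::
test:$1$CONSTSALT$CONSTRUCTEDHASH:13838:0:99999:7:::
guest::13838:0:99999:7:::
legacy:abCONSTRUCTED:13000:0:99999:7:::
EOF
}

# audit_shadow TODAY_DAYS < shadow-file
# TODAY_DAYS is days since 1970-01-01, the same unit as the lastchg field.
# Prints: user scheme verdict password-age-in-days
audit_shadow() {
    awk -F: -v today="$1" '
    function scheme(h) {
        if (h == "")              return "EMPTY"      # no password required
        if (h ~ /^[!*]/)          return "LOCKED"     # password login disabled
        if (h ~ /^\$1\$/)         return "MD5-crypt"
        if (h ~ /^\$2[abxy]?\$/)  return "bcrypt"
        if (h ~ /^\$5\$/)         return "SHA-256-crypt"
        if (h ~ /^\$6\$/)         return "SHA-512-crypt"
        if (h ~ /^\$y\$/)         return "yescrypt"
        if (length(h) == 13)      return "DES-crypt"  # traditional 13-char crypt
        return "UNKNOWN"
    }
    NF >= 3 {
        s = scheme($2)
        v = "ok"
        if (s == "LOCKED") v = "locked"
        else if (s == "EMPTY" || s == "DES-crypt" || s == "MD5-crypt") v = "WEAK"
        else if (s == "UNKNOWN") v = "review"
        age = ($3 ~ /^[0-9]+$/) ? today - $3 : "-"
        printf "%s %s %s %s\n", $1, s, v, age
    }'
}

# On a live system, as root:
#   audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow
sample_shadow | audit_shadow 13840
```

Accounts reported as WEAK use a scheme that the benchmark output earlier on this page shows john testing far faster than Blowfish-based hashes, so they are the first candidates for a forced password change after the system's hash scheme is upgraded.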
Run the following command to get crack'n…
sudo john /etc/shadow
Now, each time you press enter, john will print out the password it is currently trying, as shown below. Also shown below is one password found: joes.
Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
guesses: 0 time: 0:00:00:02 85% (1) c/s: 3231 trying: R9999909
guesses: 0 time: 0:00:00:03 0% (2) c/s: 2992 trying: bond007
joes (test)
guesses: 1 time: 0:00:00:21 19% (2) c/s: 2636 trying: school!
Session aborted
john caches found passwords so that you can request them at a later time without a delay. Use the following command to see cached passwords.
sudo john --show /etc/shadow
The output of the above command is shown below.
test:joes:13838:0:99999:7:::
1 password cracked, 2 left
For more detailed usage examples see http://www.openwall.com/john/doc/EXAMPLES.shtml. Enjoy!

September 18th, 2008 at 9:31 pm
stated there:
"Once there, run make."
Can't run the command "make" on Mandriva.
What suitable command replaces "make" in Mandriva in order to run and install John Ripper?
September 18th, 2008 at 10:56 pm
have you tried: urpmi john ?
June 11th, 2010 at 7:50 am
Please don't use linux-x86-any, it's not optimized for your CPU.
You can save a lot of time by using linux-x86-sse2 if it works for your architecture.
Compile it a couple of times, run "john -test" each time and determine which one works best for you.
I've seen up to 8x increase in speed.
December 17th, 2012 at 7:50 pm
Hi,
I'm running Fedora 17 (Acer one D255). I followed the steps to install john up to the "make clean …" step.
I've tried all the Linux 32-bit systems and generic as well, but I've got the same msg
rm -f ../run/john ../run/unshadow ../run/unafs ../run/unique ../run/john.bin ../run/john.com ../run/unshadow.com ../run/unafs.com ../run/unique.com ../run/john.exe ../run/unshadow.exe ../run/unafs.exe ../run/unique.exe
rm -f ../run/john.exe john-macosx-* *.o *.bak core
rm -f detect bench generic.h arch.h tmp.s
cp /dev/null Makefile.dep
rm -f arch.h
gcc -c -Wall -O2 -fomit-frame-pointer detect.c
make: gcc: Command not found
make: *** [generic.h] Error 127
Can anyone help me with that?