john (john the ripper) — a password cracker for linux and windows 

Introduction

John the Ripper (a.k.a. JtR, or simply john) is a popular fast password cracker for both Linux and Windows. It is quite useful for identifying weak passwords. By weak, I mean ones that do not take a long time to crack. In this article I will show you how to install and use the John the Ripper utility to crack weak passwords.

Installation

If you do not have john installed by default then do not worry, just read on, as in this section I will explain in detail how to get john installed. Let's start with a no-fuss install procedure, i.e. let's use a package manager such as Apt or Yum. To install john using Apt, run the following command.

sudo apt-get install john  # ©2007 dsplabs.com.au

The output of the installer is shown below.

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed: john
0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded.
Need to get 547kB of archives.
After unpacking 1155kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com gutsy/main john 1.6-40.1ubuntu2 [547kB]
Fetched 547kB in 0s (1183kB/s)
Selecting previously deselected package john.
(Reading database ... 142662 files and directories currently installed.)
Unpacking john (from .../john_1.6-40.1ubuntu2_i386.deb) ...
Setting up john (1.6-40.1ubuntu2) ...

If you are using the Yum package manager, then try the following command instead.

sudo yum install john

You could also compile and install john from the source distribution. First, you will need to download the source code from http://www.openwall.com/john. Use wget for that.

wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2

The output of wget will look something like this:

--23:22:35--  http://www.openwall.com/john/f/john-1.7.2.tar.bz2
Resolving www.openwall.com... 195.42.179.202
Connecting to www.openwall.com|195.42.179.202|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 691706 (675K) [application/octet-stream]
Saving to: `john-1.7.2.tar.bz2'

100%[=======================================================>] 691,706  --.-K/s in 0.06s

23:22:35 (10.7 MB/s) - `john-1.7.2.tar.bz2' saved [691706/691706]

Note that at the time of writing of this article the current version of john was 1.7.2. You may wish to check for the latest version at http://www.openwall.com/john and get that. Anyhow, once you have the sources, extract the tar.bz2 archive using tar as follows.

tar xjf john-1.7.2.tar.bz2

Then go into the source sub-directory.

cd john-1.7.2/src

Once there, run make.

make

This will produce a long list of supported architectures, a fragment of which is shown below.

To build John the Ripper, type: make clean SYSTEM
where SYSTEM can be one of the following:
linux-x86-sse2           Linux, x86 with SSE2 (best)
linux-x86-mmx            Linux, x86 with MMX
linux-x86-any            Linux, x86
linux-x86-64             Linux, AMD x86-64 with SSE2
...
generic                  Any other Unix-like system with gcc

Pick one that suits you (i.e. one matching your architecture) and use it as follows to build john.

make clean linux-x86-any

Once the compilation process is complete, go to the run subdirectory.

cd ../run

List its content using ls.

ls -la

It should look similar to the following.

total 1228
drwx------ 2 kamil kamil   4096 Nov 22 00:03 .
drwx------ 5 kamil kamil   4096 May 22  2006 ..
lrwxrwxrwx 1 kamil kamil      4 Nov 22 00:03 unafs -> john
lrwxrwxrwx 1 kamil kamil      4 Nov 22 00:03 unique -> john
lrwxrwxrwx 1 kamil kamil      4 Nov 22 00:03 unshadow -> john
-rw------- 1 kamil kamil 341064 Dec 17  2005 all.chr
-rw------- 1 kamil kamil 232158 Dec 17  2005 alnum.chr
-rw------- 1 kamil kamil 131549 Dec 17  2005 alpha.chr
-rw------- 1 kamil kamil  40391 Dec 17  2005 digits.chr
-rwx------ 1 kamil kamil 212440 Nov 22 00:03 john
-rw------- 1 kamil kamil  15087 Mar  2  2006 john.conf
-rw------- 1 kamil kamil 215982 Dec 17  2005 lanman.chr
-rwx------ 1 kamil kamil    785 Dec  2  1998 mailer
-rw------- 1 kamil kamil  22346 Dec 17  2005 password.lst

The built john binary should be there along with its charset files, configuration file and default word list. To check that john is working correctly, execute the following command from the run subdirectory.

./john --test

This will produce benchmark results for the various password hash algorithms that john supports.

Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts:     143872 c/s real, 145619 c/s virtual
Only one salt:  125004 c/s real, 137066 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts:     3164 c/s real, 4733 c/s virtual
Only one salt:  3902 c/s real, 4505 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    2416 c/s real, 3481 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    216 c/s real, 233 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  95129 c/s real, 134363 c/s virtual
Long:   366100 c/s real, 392697 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw:    1927K c/s real, 2594K c/s virtual

Copy the john binary to a directory on your executable path for future use. Voilà!

Using john to find weak passwords (i.e. to crack passwords)

Type in john at the shell. This will produce john's detailed usage information.

Created directory: /home/kamil/.john
John the Ripper password cracker, version 1.7.0.2
Copyright (c) 1996-2006 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single                   "single crack" mode
--wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
--rules                    enable word mangling rules for wordlist mode
--incremental[=MODE]       "incremental" mode [using section MODE]
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset, FILE will be overwritten
--show                     show cracked passwords
--test                     perform a benchmark
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT           load salts with[out] at least COUNT passwords only
--format=NAME              force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3

Basically john is used as follows.

john [options] password-files

Let's begin by adding a new user called test.

sudo useradd test

Now let's set test's password to something really easy (i.e. something that is in john's password dictionary, and thus will get broken real quick). How about… joes? Run:

sudo passwd test

and enter joes as a password.

Enter new UNIX password: joes
Retype new UNIX password: joes
passwd: password updated successfully

On modern Linux systems, passwords are shadowed, i.e. password hashes are stored in the /etc/shadow file. You will need root privileges to access this file. An example fragment of this file is given below.

root:$1$hw1na4sdT$ms4dp3Vda1v4d3rKDgfsRS/mUj/9.:13833:0:99999:7:::
...
kamil:$1$t2po.u3v$lk1ke3a5mj5ghs8ZaR5k7kjg/:13833:0:99999:7:::
...
test:$1$Ms6pYWKS$KZcUUyXUHsqDkZDw.gqeo/:13838:0:99999:7:::
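
An added example (not part of the original article): a shell function that reads shadow-format lines and reports each account's hash scheme from its prefix, so that legacy schemes such as the $1$ (MD5-based) hashes in the fragment above can be found and migrated. The function names are hypothetical and the sample lines are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): classify each account in
# shadow-format input by hash scheme and flag the ones that are cheap to attack.

# stdin: shadow-format lines; stdout: user<TAB>scheme<TAB>verdict
classify_shadow() {
    awk -F: '
    function scheme(h,    c) {
        c = substr(h, 1, 1)
        if (h == "")                 return "none"        # empty field: no password required
        if (c == "!" || c == "*")    return "locked"      # password login disabled
        if (index(h, "$1$") == 1)    return "md5crypt"    # the scheme in the fragment above
        if (index(h, "$2") == 1)     return "bcrypt"
        if (index(h, "$5$") == 1)    return "sha256crypt"
        if (index(h, "$6$") == 1)    return "sha512crypt"
        if (index(h, "$y$") == 1)    return "yescrypt"
        if (length(h) == 13)         return "descrypt"    # traditional DES has no prefix
        return "unknown"
    }
    function verdict(s) {
        if (s == "none")                         return "NO-PASSWORD"
        if (s == "locked")                       return "skip"
        if (s == "descrypt" || s == "md5crypt")  return "WEAK-SCHEME"
        if (s == "unknown")                      return "REVIEW"
        return "ok"
    }
    NF >= 2 { s = scheme($2); printf "%s\t%s\t%s\n", $1, s, verdict(s) }'
}

# Keep only the accounts that need attention, as user:scheme
weak_accounts() {
    classify_shadow | awk -F'\t' '$3 != "ok" && $3 != "skip" { print $1 ":" $2 }'
}

# Constructed sample input; the hash bodies are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
test:$1$CONSTRUC$CONSTRUCTEDHASHVALUE00:13838:0:99999:7:::
legacy:abCONSTRUCTED:13838:0:99999:7:::
guest::13838:0:99999:7:::
EOF
}

# Real use (needs root): sudo cat /etc/shadow | weak_accounts
sample_shadow | classify_shadow
```
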

Run the following command to get crack'n…

sudo john /etc/shadow

Now, each time you press enter, john will print out the password it is currently trying, as shown below. Also shown below is one password found: joes.

Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:02 85% (1)  c/s: 3231  trying: R9999909
guesses: 0  time: 0:00:00:03 0% (2)  c/s: 2992  trying: bond007
joes             (test)
guesses: 1  time: 0:00:00:21 19% (2)  c/s: 2636  trying: school!
Session aborted

john caches found passwords so that you can request them at a later time without a delay. Use the following command to see cached passwords.

sudo john --show /etc/shadow

The output of the above command is shown below.

test:joes:13838:0:99999:7:::
1 password cracked, 2 left
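
An added example (not part of the original article): turning the --show output above into a remediation list that names the affected accounts without echoing the recovered passwords, and printing (as a dry run) the chage commands that force a password change at next login. The function names are hypothetical, and the sample input reproduces the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): build a remediation plan
# from `john --show` output without printing the recovered passwords.

# stdin: output of `john --show FILE`; stdout: one cracked login per line
cracked_users() {
    awk -F: '
    /^[0-9]+ password/ { next }        # summary line, e.g. "1 password cracked, 2 left"
    NF >= 2 && $1 != "" { print $1 }   # field 2 (the password) is never printed
    '
}

# stdin: same output; stdout: "cracked left" taken from the summary line
summary_counts() {
    awk '/^[0-9]+ password/ { gsub(/,/, ""); print $1, $(NF-1) }'
}

# Dry run: print the commands that expire each cracked password so the user
# must choose a new one at next login. Nothing is executed here.
remediation_plan() {
    cracked_users | sort -u | while IFS= read -r user; do
        case "$user" in
            *[!A-Za-z0-9._-]*) echo "# skipped unexpected login name" ;;
            *) echo "chage -d 0 $user" ;;
        esac
    done
}

# Sample input: the --show output from this article.
sample_show() {
    cat <<'EOF'
test:joes:13838:0:99999:7:::

1 password cracked, 2 left
EOF
}

# Real use (needs root): sudo john --show /etc/shadow | remediation_plan
sample_show | remediation_plan
```
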

For more detailed usage examples see http://www.openwall.com/john/doc/EXAMPLES.shtml. Enjoy!



4 Responses to “john (john the ripper) — a password cracker for linux and windows”

  1. sal Says:

    stated there:
    "Once there, run make."

    Can't run the command "make" on Mandriva.
    What suitable command replaces "make" in Mandriva in order to run and install John the Ripper?

  2. Kamil Says:

    have you tried: urpmi john ?

  3. Pétur Ingi Says:

    Please don't use linux-x86-any, it's not optimized for your CPU.

    You can save a lot of time by using linux-x86-sse2 if it works for your architecture.

    Compile it a couple of times, run "john -test" each time and determine which one works best for you.

    I've seen up to an 8x increase in speed.

  4. temz Says:

    Hi,
    I'm running Fedora 17 (Acer one D255). I followed the steps to install john up to the "make clean …" step.
    I've tried all the Linux 32-bit systems and generic as well, but I've got the same msg:

    rm -f ../run/john ../run/unshadow ../run/unafs ../run/unique ../run/john.bin ../run/john.com ../run/unshadow.com ../run/unafs.com ../run/unique.com ../run/john.exe ../run/unshadow.exe ../run/unafs.exe ../run/unique.exe
    rm -f ../run/john.exe john-macosx-* *.o *.bak core
    rm -f detect bench generic.h arch.h tmp.s
    cp /dev/null Makefile.dep
    rm -f arch.h
    gcc -c -Wall -O2 -fomit-frame-pointer detect.c
    make: gcc: Command not found
    make: *** [generic.h] Error 127

    Can anyone help me with that?
