John the Ripper (a.k.a. JtR, or simply
john) is a popular fast password cracker for both Linux and Windows. It is quite useful for identifying weak passwords. By weak, I mean ones that do not take a long time to crack. In this article I will show you how to install and use John the Ripper utility to crack weak passwords.
If you do not have
john installed by default then do not worry, just read on, as in this section I will explain in detail how to get
john installed. Lets start with a no fuss install procedure, i.e. lets use a package manager such as Apt or Yum. To install
john using Apt run the following command.
sudo apt-get install john # ©2007 dsplabs.com.au
The output of the installer is shown below.
Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: john 0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded. Need to get 547kB of archives. After unpacking 1155kB of additional disk space will be used. Get:1 http://archive.ubuntu.com gutsy/main john 1.6-40.1ubuntu2 [547kB] Fetched 547kB in 0s (1183kB/s) Selecting previously deselected package john. (Reading database ... 142662 files and directories currently installed.) Unpacking john (from .../john_1.6-40.1ubuntu2_i386.deb) ... Setting up john (1.6-40.1ubuntu2) ...
If you are using Yum package manager, then try the following command instead.
sudo yum install john # ©2007 dsplabs.com.au
You could also compile and install
john from source distribution. First, you will need to download the source code from http://www.openwall.com/john. Use
wget for that.
wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2 # ©2007 dsplabs.com.au
The output of
wget will look something like this:
--23:22:35-- http://www.openwall.com/john/f/john-1.7.2.tar.bz2 Resolving www.openwall.com... 18.104.22.168 Connecting to www.openwall.com|22.214.171.124|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 691706 (675K) [application/octet-stream] Saving to: `john-1.7.2.tar.bz2' 100%[=======================================================>] 691,706 --.-K/s in 0.06s 23:22:35 (10.7 MB/s) - `john-1.7.2.tar.bz2' saved [691706/691706]
Note that at the time of writing of this article the current version of
john was 1.7.2. You may wish to check for the latest version at http://www.openwall.com/john and get that. Anyhow, once you have the sources, extract the tar.bz2 archive using
tar as follows.
tar xjf john-1.7.2.tar.bz2 # ©2007 dsplabs.com.au
Then go into the source sub-directory.
cd john-1.7.2/src # ©2007 dsplabs.com.au
Once there, run
make # ©2007 dsplabs.com.au
This will produce a long list of supported architectures, a fragment of which is shown below.
To build John the Ripper, type: make clean SYSTEM where SYSTEM can be one of the following: linux-x86-sse2 Linux, x86 with SSE2 (best) linux-x86-mmx Linux, x86 with MMX linux-x86-any Linux, x86 linux-x86-64 Linux, AMD x86-64 with SSE2 ... generic Any other Unix-like system with gcc
Pick one that suits you (i.e. one matching your architecture) and use it as follows to build
make clean linux-x86-any # ©2007 dsplabs.com.au
Once the compilation process is complete go the the run subdirectory.
cd ../run # ©2007 dsplabs.com.au
List its content using
ls -la # ©2007 dsplabs.com.au
It should look something similar to the following.
total 1228 drwx------ 2 kamil kamil 4096 Nov 22 00:03 . drwx------ 5 kamil kamil 4096 May 22 2006 .. lrwxrwxrwx 1 kamil kamil 4 Nov 22 00:03 unafs -> john lrwxrwxrwx 1 kamil kamil 4 Nov 22 00:03 unique -> john lrwxrwxrwx 1 kamil kamil 4 Nov 22 00:03 unshadow -> john -rw------- 1 kamil kamil 341064 Dec 17 2005 all.chr -rw------- 1 kamil kamil 232158 Dec 17 2005 alnum.chr -rw------- 1 kamil kamil 131549 Dec 17 2005 alpha.chr -rw------- 1 kamil kamil 40391 Dec 17 2005 digits.chr -rwx------ 1 kamil kamil 212440 Nov 22 00:03 john -rw------- 1 kamil kamil 15087 Mar 2 2006 john.conf -rw------- 1 kamil kamil 215982 Dec 17 2005 lanman.chr -rwx------ 1 kamil kamil 785 Dec 2 1998 mailer -rw------- 1 kamil kamil 22346 Dec 17 2005 password.lst
john binary should be there along with some test files. To check that
john is working correctly, execute the following command from the run subdirectory.
./john --test # ©2007 dsplabs.com.au
This will produce test results for various encryption algorithms.
Benchmarking: Traditional DES [24/32 4K]... DONE Many salts: 143872 c/s real, 145619 c/s virtual Only one salt: 125004 c/s real, 137066 c/s virtual Benchmarking: BSDI DES (x725) [24/32 4K]... DONE Many salts: 3164 c/s real, 4733 c/s virtual Only one salt: 3902 c/s real, 4505 c/s virtual Benchmarking: FreeBSD MD5 [32/32]... DONE Raw: 2416 c/s real, 3481 c/s virtual Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE Raw: 216 c/s real, 233 c/s virtual Benchmarking: Kerberos AFS DES [24/32 4K]... DONE Short: 95129 c/s real, 134363 c/s virtual Long: 366100 c/s real, 392697 c/s virtual Benchmarking: NT LM DES [32/32 BS]... DONE Raw: 1927K c/s real, 2594K c/s virtual
john binary to some executable path for future use. Voilà!
john to find weak passwords (i.e. to crack passwords)
john at the shell. This will produce
john's detailed usage information.
Created directory: /home/kamil/.john John the Ripper password cracker, version 126.96.36.199 Copyright (c) 1996-2006 by Solar Designer and others Homepage: http://www.openwall.com/john/ Usage: john [OPTIONS] [PASSWORD-FILES] --single "single crack" mode --wordlist=FILE --stdin wordlist mode, read words from FILE or stdin --rules enable word mangling rules for wordlist mode --incremental[=MODE] "incremental" mode [using section MODE] --external=MODE external mode or word filter --stdout[=LENGTH] just output candidate passwords [cut at LENGTH] --restore[=NAME] restore an interrupted session [called NAME] --session=NAME give a new session the NAME --status[=NAME] print status of a session [called NAME] --make-charset=FILE make a charset, FILE will be overwritten --show show cracked passwords --test perform a benchmark --users=[-]LOGIN|UID[,..] [do not] load this (these) user(s) only --groups=[-]GID[,..] load users [not] of this (these) group(s) only --shells=[-]SHELL[,..] load users with[out] this (these) shell(s) only --salts=[-]COUNT load salts with[out] at least COUNT passwords only --format=NAME force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM --save-memory=LEVEL enable memory saving, at LEVEL 1..3
john is used as follows.
john [options] password-files # ©2007 dsplabs.com.au
Lets begin by adding a new user called test.
sudo useradd test
Now lets set
test's password to something really easy (i.e. something that is in
john's password dictionary, and thus will get broken real quick). How about… joes? Run:
sudo passwd test # ©2007 dsplabs.com.au
and enter joes as a password.
Enter new UNIX password: joes Retype new UNIX password: joes passwd: password updated successfully
On modern Linux systems, passwords are shadowed, i.e. password hashes are stored in the
/etc/shadow file. You will need root privileges to access this file. An example fragment of this file is given below.
root:$1$hw1na4sdT$ms4dp3Vda1v4d3rKDgfsRS/mUj/9.:13833:0:99999:7::: ... kamil:$1$t2po.u3v$lk1ke3a5mj5ghs8ZaR5k7kjg/:13833:0:99999:7::: ... test:$1$Ms6pYWKS$KZcUUyXUHsqDkZDw.gqeo/:13838:0:99999:7:::
Run the following command to get crack'n…
sudo john /etc/shadow # ©2007 dsplabs.com.au
Now, each time you press enter,
john will print out the password it is currently trying, as shown below. Also shown below is one password found: joes.
Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32]) guesses: 0 time: 0:00:00:02 85% (1) c/s: 3231 trying: R9999909 guesses: 0 time: 0:00:00:03 0% (2) c/s: 2992 trying: bond007 joes (test) guesses: 1 time: 0:00:00:21 19% (2) c/s: 2636 trying: school! Session aborted
john caches found passwords so that you can request them at a later time without a delay. Use the following command to see cached passwords.
sudo john --show /etc/shadow # ©2007 dsplabs.com.au
The output of the above command is shown below.
test:joes:13838:0:99999:7::: 1 password cracked, 2 left
For more detailed usage examples see http://www.openwall.com/john/doc/EXAMPLES.shtml. Enjoy!
Did you find the above information useful and interesting? If so, please support this site by using the blog directory links at the bottom of this page. Thanks for your support!
If you have any Linux related problems or questions then please feel free to post them on our Linux Forums: http://linux.dsplabs.com.au/forums.