
john (John the Ripper) — a password cracker for Linux and Windows

John the Ripper (a.k.a. JtR, or simply john) is a popular fast password cracker for both Linux and Windows. It is quite useful for identifying weak passwords. By weak, I mean ones that do not take a long time to crack. In this article I will show you how to install and use John the Ripper utility to crack weak passwords.

Installation

If you do not have john installed already, do not worry: this section explains in detail how to get it installed. Let's start with the no-fuss procedure, i.e. a package manager such as Apt or Yum. To install john using Apt, run the following command.

sudo apt-get install john

The output of the installer is shown below.

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed: john
0 upgraded, 1 newly installed, 0 to remove and 15 not upgraded.
Need to get 547kB of archives.
After unpacking 1155kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com gutsy/main john 1.6-40.1ubuntu2 [547kB]
Fetched 547kB in 0s (1183kB/s)
Selecting previously deselected package john.
(Reading database ... 142662 files and directories currently installed.)
Unpacking john (from .john_1.6-40.1ubuntu2_i386.deb) ...
Setting up john (1.6-40.1ubuntu2) ...

If you are using Yum package manager, then try the following command instead.

sudo yum install john

You can also build john from the source distribution. First download the source code from http://www.openwall.com/john; Openwall publishes a detached PGP signature next to each tarball, so verify it before you build. Use wget for the download.

wget http://www.openwall.com/john/f/john-1.7.2.tar.bz2

The output of wget will look something like this:

--23:22:35--  http://www.openwall.com/john/f/john-1.7.2.tar.bz2
Resolving www.openwall.com... 195.42.179.202
Connecting to www.openwall.com|195.42.179.202|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 691706 (675K) [application/octet-stream]
Saving to: `john-1.7.2.tar.bz2'

100%[=======================================================>] 691,706  --.-K/s in 0.06s

23:22:35 (10.7 MB/s) - `john-1.7.2.tar.bz2' saved [691706/691706]

Note that at the time of writing the current version of john was 1.7.2; check http://www.openwall.com/john for the latest release and get that instead. Once you have the sources, extract the tar.bz2 archive with tar as follows.

tar xjf john-1.7.2.tar.bz2

Then go into the source sub-directory.

cd john-1.7.2/src

Once there, run make.

make

Running make with no target does not build anything; it prints the list of supported build targets, a fragment of which is shown below.

To build John the Ripper, type: make clean SYSTEM
where SYSTEM can be one of the following:
linux-x86-sse2           Linux, x86 with SSE2 (best)
linux-x86-mmx            Linux, x86 with MMX
linux-x86-any            Linux, x86
linux-x86-64             Linux, AMD x86-64 with SSE2
...
generic                  Any other Unix-like system with gcc

Pick the target matching your architecture (for example linux-x86-64 on a 64-bit Intel/AMD system, or linux-x86-sse2 on a 32-bit one with SSE2) and pass it to make as follows. linux-x86-any, used here, is the portable 32-bit build.

make clean linux-x86-any

Once the compilation is complete, go to the run subdirectory.

cd run

List its content using ls.

ls -la

It should look something similar to the following.

total 1228
drwx------ 2 florin florin   4096 Nov 22 00:03 .
drwx------ 5 florin florin   4096 May 22  2006 ..
lrwxrwxrwx 1 florin florin      4 Nov 22 00:03 unafs -> john
lrwxrwxrwx 1 florin florin      4 Nov 22 00:03 unique -> john
lrwxrwxrwx 1 florin florin      4 Nov 22 00:03 unshadow -> john
-rw------- 1 florin florin 341064 Dec 17  2005 all.chr
-rw------- 1 florin florin 232158 Dec 17  2005 alnum.chr
-rw------- 1 florin florin 131549 Dec 17  2005 alpha.chr
-rw------- 1 florin florin  40391 Dec 17  2005 digits.chr
-rwx------ 1 florin florin 212440 Nov 22 00:03 john
-rw------- 1 florin florin  15087 Mar  2  2006 john.conf
-rw------- 1 florin florin 215982 Dec 17  2005 lanman.chr
-rwx------ 1 florin florin    785 Dec  2  1998 mailer
-rw------- 1 florin florin  22346 Dec 17  2005 password.lst

The built john binary is there together with its configuration (john.conf), the .chr charset files used by incremental mode, the default wordlist password.lst, and the unshadow, unique and unafs helpers, which are symlinks to the same binary. To check that john works, run the built-in benchmark from the run subdirectory.

./john --test

This benchmarks every supported password hash type; c/s is the number of candidate passwords tested per second (real wall-clock time and virtual CPU time). Note how much slower the salted, iterated schemes (OpenBSD Blowfish, FreeBSD MD5) are than the raw DES-based ones such as LM: that ratio is exactly what makes a slow hash worth using.

Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts:     143872 c/s real, 145619 c/s virtual
Only one salt:  125004 c/s real, 137066 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts:     3164 c/s real, 4733 c/s virtual
Only one salt:  3902 c/s real, 4505 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw:    2416 c/s real, 3481 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw:    216 c/s real, 233 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short:  95129 c/s real, 134363 c/s virtual
Long:   366100 c/s real, 392697 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw:    1927K c/s real, 2594K c/s virtual

Make john available for future use. Unless it was built with JOHN_SYSTEMWIDE, john looks for john.conf, the .chr files and its john.pot file in the directory the binary lives in, so rather than copying the binary alone, leave the run directory intact and add a symlink to run/john somewhere on your PATH. Voilà!

Using john to find weak passwords (i.e. to crack passwords)

Type john at the shell with no arguments. This prints john's usage information.

Created directory: /home/florin/.john
John the Ripper password cracker, version 1.7.0.2
Copyright (c) 1996-2006 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single                   "single crack" mode
--wordlist=FILE --stdin    wordlist mode, read words from FILE or stdin
--rules                    enable word mangling rules for wordlist mode
--incremental[=MODE]       "incremental" mode [using section MODE]
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset, FILE will be overwritten
--show                     show cracked passwords
--test                     perform a benchmark
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT           load salts with[out] at least COUNT passwords only
--format=NAME              force ciphertext format NAME: DES/BSDI/MD5/BF/AFS/LM
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3

In general, john is invoked as follows.

john [options] password-files

Let's begin by adding a new user called test.

sudo useradd test

Now let's set test's password to something really easy, i.e. something that is in john's bundled wordlist (password.lst) and will therefore be broken almost immediately. How about… joes? Run:

sudo passwd test

and enter joes as a password.

Enter new UNIX password: joes
Retype new UNIX password: joes
passwd: password updated successfully

On modern Linux systems passwords are shadowed, i.e. the password hashes live in /etc/shadow, which is readable only by root. The $1$ prefix on the hashes below identifies MD5-crypt (what john calls FreeBSD MD5); the second $-separated field is the per-account salt and the third is the hash itself. An example fragment of this file is given below.

root:$1$hw1na4sdT$ms4dp3Vda1v4d3rKDgfsRS/mUj/9.:13833:0:99999:7:::
...
florin:$1$t2po.u3v$lk1ke3a5mj5ghs8ZaR5k7kjg/:13833:0:99999:7:::
...
test:$1$Ms6pYWKS$KZcUUyXUHsqDkZDw.gqeo/:13838:0:99999:7:::

Run the following command to start cracking. Pointing john directly at /etc/shadow works, but john then has no access to the GECOS and home-directory fields in /etc/passwd that single-crack mode derives candidates from; the unshadow helper in the run directory merges the two files for exactly this reason.

sudo john /etc/shadow

With no mode given, john runs single-crack mode first, then wordlist mode with password.lst, then incremental mode. Each time you press Enter it prints a status line: guesses so far, elapsed time, progress through the current mode, the mode number in parentheses (1 = single, 2 = wordlist, 3 = incremental), the c/s rate and the candidate currently being tried. Press Ctrl-C to abort the session. The run below shows one password found, joes, during wordlist mode.

Loaded 3 passwords with 3 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:02 85% (1)  c/s: 3231  trying: R9999909
guesses: 0  time: 0:00:00:03 0% (2)  c/s: 2992  trying: bond007
joes             (test)
guesses: 1  time: 0:00:00:21 19% (2)  c/s: 2636  trying: school!
Session aborted

john records every cracked password in its john.pot file (in the run directory, or in ~/.john for a system-wide build such as the Ubuntu package), so they can be listed later without re-running the attack; an interrupted session can likewise be resumed with --restore. Use the following command to list the cracked passwords for a file.

sudo john --show /etc/shadow

The output of the above command is shown below.

test:joes:13838:0:99999:7:::
1 password cracked, 2 left
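To make concrete what john did in the run above, here is an added example (not code from this article or from John the Ripper) that re-implements the MD5-crypt ("FreeBSD MD5", $1$) hash john reported loading from /etc/shadow, classifies shadow entries by hash scheme, and runs a plain wordlist pass: hash each candidate with the account's own salt and compare with the stored value. The shadow lines and wordlist are constructed for the example; the "test" entry is hashed here with the article's salt Ms6pYWKS, and the article's own hash strings are not reused.

```python
"""Minimal MD5-crypt wordlist cracker and /etc/shadow auditor (added example)."""
import hashlib
from typing import Iterable, Optional

# crypt(3) base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hash-field prefixes as written by glibc/libxcrypt on Linux.
SCHEMES = {
    "$1$": "md5crypt (john: FreeBSD MD5; legacy, fast to crack)",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2b$": "bcrypt",
    "$y$": "yescrypt",
}


def _to64(value: int, count: int) -> str:
    """Encode `count` characters, low 6 bits first, as crypt(3) does."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return the full "$1$<salt>$<hash>" string for password and salt."""
    salt = salt[:8]                      # crypt(3) uses at most 8 salt bytes
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                 # one (partial) copy of alt per 16 password bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                          # one byte per bit of the length: NUL or password[0]
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                # fixed 1000-round stretching loop
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return "$1$" + salt.decode("ascii") + "$" + encoded


def parse_shadow_line(line: str) -> dict:
    """Split one /etc/shadow entry into user, hash field and scheme name."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, field = fields[0], fields[1]
    if field == "":
        scheme = "EMPTY: login without a password"
    elif field.startswith(("!", "*")):
        scheme = "locked or disabled"
    else:
        scheme = next((name for prefix, name in SCHEMES.items()
                       if field.startswith(prefix)), "unknown (possibly traditional DES)")
    return {"user": user, "hash": field, "scheme": scheme}


def crack_md5crypt(shadow_line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Try every candidate against one $1$ entry; return the password or None."""
    field = parse_shadow_line(shadow_line)["hash"]
    if not field.startswith("$1$"):
        return None                      # other schemes are out of scope here
    salt = field.split("$")[2].encode("ascii")
    for candidate in wordlist:
        if md5_crypt(candidate.encode("utf-8"), salt) == field:
            return candidate
    return None


# Constructed sample data: the "test" entry is hashed here with the salt from
# the article; the other hash strings are placeholders, not real digests.
SAMPLE_SHADOW = [
    "test:" + md5_crypt(b"joes", b"Ms6pYWKS") + ":13838:0:99999:7:::",
    "florin:$6$rounds=5000$ab12$notarealhash:13833:0:99999:7:::",
    "nobody:*:13833:0:99999:7:::",
    "guest::13833:0:99999:7:::",
]
WORDLIST = ["password", "bond007", "school!", "joes"]


def audit(lines: Iterable[str], wordlist: Iterable[str]) -> list:
    """Return (user, scheme, cracked-password-or-None) for every entry."""
    words = list(wordlist)
    results = []
    for line in lines:
        entry = parse_shadow_line(line)
        results.append((entry["user"], entry["scheme"], crack_md5crypt(line, words)))
    return results


if __name__ == "__main__":
    for user, scheme, cracked in audit(SAMPLE_SHADOW, WORDLIST):
        print("%-8s %-52s %s" % (user, scheme, cracked or "-"))
```

Running the script prints one line per account: the scheme in use, and the recovered password for the test user. Two things to take from it: the 1000 MD5 rounds per candidate are the whole cost of the scheme, which is why john benchmarks it at only a few thousand c/s and why sha512crypt, bcrypt or yescrypt should replace $1$ hashes wherever they still appear; and an empty hash field, which the auditor flags, is worse than any weak password.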

For more detailed usage examples see http://www.openwall.com/john/doc/EXAMPLES.shtml.

Enjoy!

Mirela
