John the Ripper is a password cracking tool. It does not decrypt anything: the password hashes in a password file are one-way, so John hashes candidate passwords with the same algorithm (traditional DES-based crypt(3) by default, with the other formats listed later on this page) and reports a candidate as cracked when its hash matches.
Password Files
Create a text file containing the accounts you want to crack, one per line, in the format given below
john:234abc56
Or use the password file in the form you obtained it; John the Ripper works with either layout. The first two fields (login and hash) are what gets cracked; the remaining fields feed single crack mode and the -users, -groups and -shells filters described later. The second field must be the hash exactly as it appeared in the original file (a traditional DES crypt hash is 13 characters, like those in the salts section below), so the short value above is only a placeholder. This is what a full line of a password file looks like with all the information:
john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john
To create the file on Windows, open WordPad (Start / Programs / Accessories / WordPad) and save it as a plain text document.
Broken down, this is what the line above states:
john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john
Username (login): john
Encrypted password (the hash): 234abc56
User number (UID): 9999
Group number (GID): 13
Other information (the GECOS field, usually the full name): John Johnson
Home directory: /home/dir/john
Shell: /bin/john
John the Ripper
Open a DOS window, change to the directory containing the john executable (john.com) using the cd command, then decide how you want to attack the file. The recommended order is
single mode
wordlist mode
wordlist mode with rules
incremental
To open a DOS window go to Start / Programs / MS-DOS Prompt
Using the Single Crack Mode
Single crack mode is the recommended first pass, as it quickly breaks the weakest passwords. Rather than a wordlist, it takes each account's own login name, GECOS field ("other information") and home directory name, applies a set of simple mangling rules to them, and tries the results against that account (and against any others that share its salt), so passwords derived from the user's own details fall immediately. It is fast, which makes it a good way to start.
john -single pass.txt
where pass.txt is your password file. The rules single crack mode uses live in the [List.Rules:Single] section of john.ini; information on changing them from the defaults is in the RULES document that comes with John the Ripper.
Using the Wordlist Mode
To run John the Ripper with a wordlist and the wordlist rules, type in the DOS window
john -w:word.dic -rules pass.txt
where word.dic is your wordlist and pass.txt is your password file; a wordlist of around 2 MB is a reasonable starting size. This mode takes every word in the list and tries it once for each rule in the [list.Rules:Wordlist] section of john.ini (leave off -rules to try the words unchanged). It breaks most passwords, because most users choose something that has meaning and is easy to remember, often with a digit or a capital tacked on that the rules reproduce.
Using the Incremental Mode
The incremental mode should be used last, after the single and wordlist modes, because it is by far the slowest: it tries every combination of a character set rather than a list of words.
john -i:all pass.txt goes through all characters
john -i:alpha pass.txt goes through the letters only
john -i:digits pass.txt goes through digits only
john -i:lanman pass.txt goes through capital letters, lower case letters, digits and a few special characters
Incremental mode does what the name suggests: it works through every combination of the character set from MinLen to MaxLen characters. With lower case letters, MinLen 1 and MaxLen 6, that is every string from a to zzzzzz, 26 + 26^2 + ... + 26^6, about 321 million candidates; every extra character of length multiplies the work by the size of the character set. John does not actually emit them in alphabetical order: the order is driven by the character-frequency statistics in the mode's .chr file, so likely-looking passwords are tried first.
Using an external mode
john -external:MODE pass.txt
where pass.txt is the password file to be cracked and MODE is the name of a mode defined in john.ini in a [list.External:MODE] section, written in John's C-like external mode language.
Trading Hard-Drive Space for Speed
If you use JTR's incremental modes often you might want to try this.
john -stdout -i:MODE > blah.txt
where MODE is the incremental mode you want to save (-stdout makes John print its candidates instead of cracking with them). Then, when you want to run that incremental mode, feed the file back in as a wordlist:
john -w:blah.txt pass.txt
The author reports this running much faster; the trade is disk space for performance, and the file can be enormous, since it holds every candidate the mode would generate (each one takes its length plus a newline). Work out the size of the mode's keyspace before trying this with anything but short lengths or small character sets.
Customizing Cracking Modes
Configuring Incremental Mode
Editing john.ini for the incremental mode is done as follows:
1) scroll down to the incremental section (it is marked by a comment line beginning with # Incremental)
2) find the [Incremental:Alpha] section, which by default reads
[Incremental:Alpha]
File = ~/alpha.chr
MinLen = 0
MaxLen = 8
CharCount = 26
Now set the minimum and maximum lengths to what you expect. If you think it is a 5-character password made of letters and digits, change it to look like this (Extra adds the listed characters to the set, and CharCount is raised to the new total of 36):
[Incremental:Alpha]
File = ~/alpha.chr
MinLen = 5
MaxLen = 5
CharCount = 36
Extra=1234567890
Save your changes, open a DOS window and type
john -i:alpha pass.txt
Configuring the Wordlist Mode
Open john.ini and scroll down to
[list.Rules:Wordlist]
Add the rules in the order you want them to run. For how to write a rule set, refer to the RULES document that comes with John the Ripper and to the worked examples under Defining Custom Rules below.
Making a Character Set
This generates a character set of your own for use with the incremental mode.
It is useful when you know, or have good reason to suspect, which characters a password is built from. Say, for instance, that by some means you have learned the password consists only of capital letters and digits
(you can use any combination you like: upper case, lower case, a few special characters, anything you want to add).
To generate the character set, follow these steps.
1) Open a text editor.
2) Type a colon followed by the characters you want, all on one line, like this:
:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
(John's -makechars builds a .chr file from the cracked passwords in john.pot, whose lines have the form hash:password; the leading colon leaves the hash empty so that the whole string is read as one cracked password.)
3) Save it as john.pot in the same directory as your JTR program. Make sure you DON'T save it as a .txt file: select 'All files' as the type. If you already have a john.pot holding real cracked passwords, back it up first, because those passwords would be folded into the character set as well.
4) At the DOS prompt where you normally run JTR, type
john -makechars:custom.chr
5) JTR does a few calculations and tells you how many different characters it used; make a note of the number.
6) Open john.ini in your text editor, scroll down to the incremental section and add the following lines:
[Incremental:custom]
File = ~/custom.chr
MinLen = 0
MaxLen = 8
CharCount = 36
7) Set CharCount to whatever JTR reported (the alphabet plus ten digits obviously adds up to 36), then save the changes to john.ini.
MinLen and MaxLen can be anything you want. Lengths under 3 are exhausted almost instantly, so you may as well start at 0 in case some sysadmin was feeling lazy that day. There is no sense in making MaxLen larger than 8 unless you have far too much time on your hands: traditional DES crypt(3) only looks at the first 8 characters of a password, so any candidate whose first 8 characters are right is already a correct guess, and the same holds in wordlist mode.
8) At the DOS prompt, or wherever you normally run JTR from, type
john -i:custom pass.txt
where pass.txt is the password file to break
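To see what the MinLen, MaxLen and CharCount settings in the two incremental sections above commit you to, here is an added Python example; it is not code from this page nor from John the Ripper itself. It reads [Incremental:...] sections from a constructed john.ini fragment, computes the size of each mode's keyspace and the time to exhaust it at a given speed, and generates candidates the way the -stdout trick under "Trading Hard-Drive Space for Speed" writes them to disk. The INI text and the 100,000 c/s figure are assumptions for the illustration, and CharCount is taken, as on this page, to already include the Extra characters.

```python
import configparser
import itertools

# Constructed john.ini fragment laid out like the [Incremental:...] sections
# shown above; it is not a copy of the file that ships with John the Ripper.
SAMPLE_INI = """\
[Incremental:Alpha]
File = ~/alpha.chr
MinLen = 5
MaxLen = 5
CharCount = 36
Extra = 1234567890

[Incremental:custom]
File = ~/custom.chr
MinLen = 0
MaxLen = 8
CharCount = 36
"""


def load_incremental_modes(ini_text):
    """Return {mode name: settings} for every [Incremental:NAME] section.

    Keys are matched case-insensitively, so 'Minlen' and 'MinLen' both work.
    As on this page, CharCount is taken to be the total size of the character
    set, i.e. the Extra characters are assumed to be counted in it already.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    modes = {}
    for section in cp.sections():
        kind, _, name = section.partition(":")
        if kind.lower() != "incremental":
            continue
        sec = cp[section]
        modes[name] = {
            "file": sec.get("file", ""),
            "minlen": sec.getint("minlen", 0),
            "maxlen": sec.getint("maxlen", 8),
            "charcount": sec.getint("charcount"),
            "extra": sec.get("extra", ""),
        }
    return modes


def keyspace(mode):
    """Number of candidates the mode generates: CharCount**n summed over each length."""
    return sum(mode["charcount"] ** n
               for n in range(mode["minlen"], mode["maxlen"] + 1))


def hours_to_exhaust(mode, candidates_per_second):
    """Worst-case wall time, for a single salt, at the given candidates per second."""
    return keyspace(mode) / candidates_per_second / 3600


def candidates(charset, minlen, maxlen):
    """Yield every string over charset with minlen <= length <= maxlen.

    This is the kind of list that 'john -stdout -i:MODE > file' writes out.
    John itself orders candidates by the frequency statistics in the .chr
    file; this generator simply goes alphabetically within each length.
    """
    for n in range(minlen, maxlen + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)


if __name__ == "__main__":
    for name, mode in load_incremental_modes(SAMPLE_INI).items():
        print(f"{name}: {keyspace(mode):,} candidates, "
              f"{hours_to_exhaust(mode, 100_000):,.1f} h at 100,000 c/s")
    # The first few candidates of a tiny mode, as the -stdout trick would emit them.
    print(list(itertools.islice(candidates("ab", 1, 2), 6)))
```

The custom mode (36 characters, lengths 0 to 8) comes out at roughly 2.9 trillion candidates, which is why the text above advises against raising MaxLen beyond 8 and why writing such a mode to disk with -stdout is impractical.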
Cracking specific accounts
a) ignoring accounts with a given shell
b) choosing the shells you want to crack
c) cracking a specific user across multiple files
d) excluding users from the cracking attempt
e) loading specific users, groups or shells
a)
If you notice that an account has a disabled shell you can make John ignore it. If the disabled shell is /etc/expired you would type
john -shells:-/etc/expired password.txt
where password.txt is the file of encrypted passwords (the same -shells filter can be added to -show when listing results). If there are several shells you wish to ignore, say /etc/expired and /etc/newuser, you would type
john -shells:-expired,newuser password.txt
b)
If you only want to crack accounts whose shell is sh, csh, tcsh or bash you would type
john -w:dictionary.dic -rules -shells:sh,csh,tcsh,bash password.txt
You might choose this when the other accounts have very limited privileges and are not worth the effort.
c)
To crack a specific user in multiple password files, password1.txt, password2.txt and password3.txt, you would type
john -w:dictionary.dic -rules -users:0 password*
which attacks UID 0 (root) in all three files.
d)
To exclude users from the cracking attempt, for example if you know the root password is 9 characters long and do not want to waste time on it, you would type
john -w:dictonary.dic -rules -users:-root password.txt
e)
To load only specific users, groups or shells, type
john -users:[-]LOGIN|UID[,..] pass.txt for specific users (by login name or numeric UID)
john -groups:[-]GID[,..] pass.txt for specific groups
john -shells:[-]SHELL[,..] pass.txt for specific shells
A leading '-' inverts the selection, so '-users:-root' loads everyone except root. With the shell option you can omit the path before the shell name: '-shells:csh' matches both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' only matches '/bin/csh'.
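The matching rules just described (login name or numeric UID, a leading '-' to invert, shells matched by basename unless a path is given, and the three options combined) as an added Python example; this is not code from this page or from John the Ripper. The password lines are constructed for the illustration, reusing hash strings from the salts section further down; only the login, UID, GID and shell fields take part in the filtering.

```python
# Constructed password lines in the seven-field layout shown under "Password Files".
# The hash strings are copied from the salt examples on this page; only login,
# UID, GID and shell matter for the filters demonstrated here.
SAMPLE_PASSWD = """\
root:GpZfNL9Uyz.F6:0:0:root:/root:/bin/sh
john:GpNCyGwgDgRX.:9999:13:John Johnson:/home/dir/john:/usr/bin/csh
swimmer:Gpa/yCH9EN4CU:1001:1:Swimmer:/home/swimmer:/bin/csh
oldguy:GpM82aYsocajg:1002:100:Old Guy:/home/oldguy:/etc/expired
temp:GpLz4TL.M6BeM:1003:100:Temp:/home/temp:/etc/newuser
"""


def parse_passwd(text):
    """Split passwd-style lines into dicts; lines with fewer than 7 fields are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        entries.append({"login": fields[0], "hash": fields[1], "uid": fields[2],
                        "gid": fields[3], "gecos": fields[4], "home": fields[5],
                        "shell": fields[6]})
    return entries


def _parse_spec(spec):
    """'[-]ITEM[,..]' -> (negated, [items]); a leading '-' inverts the match."""
    negated = spec.startswith("-")
    items = spec[1:] if negated else spec
    return negated, [item for item in items.split(",") if item]


def _user_matches(entry, items):
    # A purely numeric item is compared with the UID, anything else with the login.
    return any(entry["uid"] == item if item.isdigit() else entry["login"] == item
               for item in items)


def _group_matches(entry, items):
    return entry["gid"] in items


def _shell_matches(entry, items):
    # With a '/', the whole path must match; without one only the basename is
    # compared, so 'csh' matches both /bin/csh and /usr/bin/csh.
    shell = entry["shell"]
    return any(shell == item if "/" in item else shell.rsplit("/", 1)[-1] == item
               for item in items)


def select_accounts(entries, users=None, groups=None, shells=None):
    """Keep the entries that every given -users / -groups / -shells filter admits."""
    filters = [(users, _user_matches), (groups, _group_matches), (shells, _shell_matches)]
    kept = []
    for entry in entries:
        admitted = True
        for spec, matcher in filters:
            if spec is None:
                continue
            negated, items = _parse_spec(spec)
            # Drop the entry when it matches a negated filter or misses a positive one.
            if matcher(entry, items) == negated:
                admitted = False
                break
        if admitted:
            kept.append(entry)
    return kept


def logins(entries):
    return [e["login"] for e in entries]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    for label, kwargs in [("-users:0", {"users": "0"}),
                          ("-shells:csh", {"shells": "csh"}),
                          ("-shells:/bin/csh", {"shells": "/bin/csh"}),
                          ("-shells:-expired,newuser", {"shells": "-expired,newuser"}),
                          ("-groups:0,1", {"groups": "0,1"})]:
        print(f"{label:26} -> {logins(select_accounts(accounts, **kwargs))}")
```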
Simultaneous Cracking
If you have several password files you can crack them all at the same time. If your password files are password1.txt, password2.txt and password3.txt you would type
john -single password1.txt password2.txt password3.txt
or
john -single password*
Loading the files together is also more efficient than three separate runs, because hashes that share a salt are then tested with a single computation per candidate.
Defining Custom Rules
Rules
There isn't really any way that I can make all this up from scratch, so I am going to refer heavily to the JTR documentation in this section, though I will add examples of how you could use each option. I am also going to tell you that you must read the example rules in the original john.ini, as these are well annotated and explain what happens to each word. The explanations below are deliberately brief; the RULES document that ships with John gives the full breakdown of what each command does.
I am going to assume you leave the -single option alone, but want to apply rules to your own wordfile. The command to run is then:
john password.txt -w:wordfile.dic -rules
Load up the original john.ini and find this, about halfway down:
# Wordlist mode rules
[list.Rules:Wordlist]
This is where you type your rules, and where the example set is. Note that any line starting with "#" is an annotation and ignored by JTR, and I (and I suggest you) comment out lines that would otherwise run by adding a semicolon in front of them so that JTR skips them this time.
I suggest you delete everything that is there already (keep a backup copy of john.ini so you can get the originals back). In what follows, only the rule lines would go into john.ini and run; the line under each rule explains what it does, so keep those out of the file, or add them as # comments so you can refer back to them later.
>4<7
only check words that are 5 or 6 characters long (>4 rejects unless longer than 4, <7 rejects unless shorter than 7)
>5<7lc
only check words that are exactly 6 long, then lowercase the word and make its first letter a capital
l<9/ese3
lowercase, and swap 'e' for '3'. Reject if no 'e' or longer than 8
l>2<4/isi1
lowercase, and swap 'i' for '1'. Reject if no 'i' or length not equal to 3
l<8/isi1^[0-9]
lowercase, swap 'i' for '1' and prepend 0-9 in turn. Reject if no 'i' or starting word length is 8+
'6/ese3/isi1$[0-9]
Truncate at 6 long, swap 'i' for '1' and 'e' for '3' and append one digit. Reject if no 'i' or 'e'
A word of exactly 4 characters: prepend 2 digits (i.e. the last two digits of a birth year) and swap the case of the second letter (position 1)
'7T0$[aeiou0-9]
Truncate at 7 chars, swap case of first letter, then append either a vowel or a number
i0[X]i2[Y]
Using insertion, make first char be 'X' and third 'Y' - i.e. word -> XwYord
o4[123]
Overwrite fifth character to be 1,2 or 3 - i.e. password -> pass1ord, pass2ord, pass3ord
/?ds5Y
Reject the word unless it contains a digit (/?d; the ! form, !?d, does the opposite and rejects words that contain one), then swap every '5' for 'Y'
=0?d$6
Reject the word unless it has a digit as the first character. Then append a '6'
@?w
Delete all whitespace from the word (well, phrase here; ?w is the whitespace class)
%2x
Reject the word unless 'x' appears at least twice
Those are the main types of rule, and by mixing and matching them you can probably crack any password that is based on a word. Instant respect to those who crack 2hqBaxh/iGPzU. I have a 91 KB word.ini which about covers everything, though it took substantial cutting, pasting, searching and replacing.
The only other thing to mention is that in some circumstances (such as when applying very complicated rules, or only a few simple ones) you can output what the rules are doing to the words by typing:
john -w:wordfile.dic -rules -stdout > output.file
Note that no cracking actually occurs, so no password file is specified. The main use of this is to check that the rules do what you intended and that you haven't gone wrong writing john.ini. Bear in mind that JTR generates words very quickly (mine creates a megabyte in just over 30 seconds). Very complicated rules applied to a large wordfile can fill your hard disk, so press space to check on your progress, and do the simple arithmetic first (number of words, times the number of rules after [...] expansion, times the average length) rather than running it for an hour and hoping you have the space.
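As a way of checking what rules do without running John, here is an added Python example; it is not code from this page or from John the Ripper. It implements the preprocessor's [...] expansion and the rule commands used above (l, u, c, T, ', <, >, ^, $, i, o, /, !, s, @, =, % and the ?d ?l ?u ?a ?x ?v ?w classes) and produces what -stdout would for a constructed wordlist. Two assumptions: positions and lengths are written 0-9 then A-Z, and when a rule has several [...] groups the rightmost group varies fastest, which may differ from John's own expansion order. The last rule in the demonstration is a reconstruction of the "prepend two digits" description above, whose rule line is missing from the page.

```python
import itertools
import re
import string

# Character classes for the '?c' notation, the subset used in the rules above.
CLASSES = {
    "d": set(string.digits), "l": set(string.ascii_lowercase),
    "u": set(string.ascii_uppercase), "a": set(string.ascii_letters),
    "x": set(string.ascii_letters + string.digits), "v": set("aeiouAEIOU"),
    "w": set(" \t"),
}


def expand(rule):
    """Preprocessor step: '$[0-9]' becomes the ten rules '$0' .. '$9'. With several
    [...] groups every combination is produced, rightmost group varying fastest
    (an assumption about John's own order)."""
    choices = []
    for part in re.split(r"(\[[^\]]*\])", rule):
        if part.startswith("[") and part.endswith("]"):
            body, chars, i = part[1:-1], [], 0
            while i < len(body):
                if i + 2 < len(body) and body[i + 1] == "-":      # a range such as 0-9
                    chars.extend(map(chr, range(ord(body[i]), ord(body[i + 2]) + 1)))
                    i += 3
                else:
                    chars.append(body[i])
                    i += 1
            choices.append(chars)
        elif part:
            choices.append([part])
    return ["".join(combo) for combo in itertools.product(*choices)]


def _pos(c):
    return int(c, 36)   # positions and lengths are written 0-9, then A-Z for 10-35


def _charset(rule, i):
    """Read a literal or a '?c' class at rule[i]; return (set of chars, next index)."""
    if rule[i] == "?":
        return CLASSES[rule[i + 1]], i + 2
    return {rule[i]}, i + 1


def apply_rule(rule, word):
    """Apply one expanded rule to one word; None means a reject command fired."""
    w, i = word, 0
    while i < len(rule):
        cmd, i = rule[i], i + 1
        if cmd == ":":                          # no-op, the word unchanged
            pass
        elif cmd in "lu":                       # lowercase / uppercase
            w = w.lower() if cmd == "l" else w.upper()
        elif cmd == "c":                        # capitalise
            w = w[:1].upper() + w[1:].lower()
        elif cmd == "T":                        # toggle case at position N
            n, i = _pos(rule[i]), i + 1
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif cmd == "'":                        # truncate to N characters
            w, i = w[:_pos(rule[i])], i + 1
        elif cmd in "<>":                       # reject unless length < N (or > N)
            n, i = _pos(rule[i]), i + 1
            if not (len(w) < n if cmd == "<" else len(w) > n):
                return None
        elif cmd in "^$":                       # prepend / append X
            w, i = (rule[i] + w if cmd == "^" else w + rule[i]), i + 1
        elif cmd == "i":                        # insert X at position N (appends past the end)
            n = _pos(rule[i])
            w, i = w[:n] + rule[i + 1] + w[n:], i + 2
        elif cmd == "o":                        # overwrite position N with X
            n = _pos(rule[i])
            if n < len(w):
                w = w[:n] + rule[i + 1] + w[n + 1:]
            i += 2
        elif cmd in "/!":                       # / rejects unless X present, ! rejects if present
            chars, i = _charset(rule, i)
            if any(ch in chars for ch in w) != (cmd == "/"):
                return None
        elif cmd == "s":                        # replace every X with Y
            chars, i = _charset(rule, i)
            repl, i = rule[i], i + 1
            w = "".join(repl if ch in chars else ch for ch in w)
        elif cmd == "@":                        # purge every X
            chars, i = _charset(rule, i)
            w = "".join(ch for ch in w if ch not in chars)
        elif cmd == "=":                        # reject unless position N holds X
            n, i = _pos(rule[i]), i + 1
            chars, i = _charset(rule, i)
            if n >= len(w) or w[n] not in chars:
                return None
        elif cmd == "%":                        # reject unless X occurs at least N times
            n, i = _pos(rule[i]), i + 1
            chars, i = _charset(rule, i)
            if sum(ch in chars for ch in w) < n:
                return None
        else:
            raise ValueError(f"unsupported command {cmd!r} in rule {rule!r}")
    return w


def mangle(rules, words):
    """What 'john -w:... -rules -stdout' prints: each rule run over the whole wordlist in turn."""
    return [cand for rule in rules for concrete in expand(rule)
            for cand in (apply_rule(concrete, word) for word in words) if cand is not None]


if __name__ == "__main__":
    words = ["Freedom", "Tim", "password", "pass phrase", "word"]   # constructed wordlist
    # The last rule reconstructs the 'prepend two digits' description whose rule line is missing above.
    for rule in ["l<9/ese3", "l>2<4/isi1", "i0[X]i2[Y]", "o4[123]", "@?w", ">3<5T1^[0-9]^[0-9]"]:
        print(f"{rule:20} -> {mangle([rule], words)[:6]}")
```

Running the same rules through this and through john -stdout is a quick way to confirm that a rule you have written rejects and mangles the words you expect before committing hours of cracking time to it.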
Saving and Viewing Cracked Passwords
Saving and restoring multiple or single sessions
To save a cracking attack, press Ctrl-C and John will record where it is up to. To resume, type
john -restore
This only keeps one saved session. To keep more than one, give the session a name before starting it:
john -session:name pass.txt
where name is the name you want to give the session and pass.txt is the password file you want to crack. To restore that session type
john -restore:name
To view how far through a saved session you are type
john -status:name
View your cracked passwords
Type
john -show pass.txt
where pass.txt is the password file you cracked; John prints the results stored in john.pot for the accounts in that file.
Viewing the Status of a Saved or Interrupted file
If your session was interrupted (computer reset, power failure, etc.) you can see how far through the process it got by typing
john -status
which gives output like this
guesses: 3 time: 0:00:00:50
(passwords cracked so far, and the elapsed time as days:hours:minutes:seconds). If you have been running multiple sessions saved under different names you can view each one separately by typing
john -status:name1
john -status:name2
where name1 and name2 are sessions you ran previously; see "Saving and restoring multiple or single sessions" above for how to name them.
Viewing specific cracked accounts
To check if any root accounts got cracked type
john -show -users:0 password.txt
To check multiple files, password1.txt and password2.txt type
john -show -users:0 password*
To check for accounts in the privileged groups (GID 0 and 1) type
john -show -groups:0,1 password.txt
Piping the output
What is piping? Strictly speaking, what is shown below is output redirection: the '>' operator sends the output of a DOS program into a file instead of the screen (a true pipe, '|', feeds it into another program instead). Either way it lets you get at output that will not all fit on the screen. Another way to see it all is the Scroll Lock key, but redirecting to a file lets you refer to the output later.
When you crack a large file the cracked accounts will not all fit on the screen, so for easy viewing you can send the results to a text file. If you had cracked a file called pass.txt, type
john -show pass.txt > output.txt
where output.txt is the file the cracked accounts are written to.
Specifying the Type of Encryption to crack
To choose which kind of hash John should crack, type
john -format:NAME pass.txt
where NAME is one of DES, BSDI, MD5, BF, AFS or LM. John normally detects the hash type by itself and cracks only one type per run, so this is needed when the detection is wrong or when a file mixes several types.
Using Salts
Salts are meant to make the hashes harder to break in bulk. Two sections of password files are given below; run John the Ripper against each and compare the c/s figures.
rj:GpZfNL9Uyz.F6
swimmer:Gpa/yCH9EN4CU
cristian:GpNCyGwgDgRX.
galaxyeng:GpM82aYsocajg
puppy3481:GpLz4TL.M6BeM
Quinn:GpsyHfQzLfwzg
tigger:GpwrQgJEC1otc
boeluv:GpvLPwjqdkmJY
mbrooks:Gpkv73fL6Jh9Y
eros_96:GpoQAPAFJ3FPY
MEvans9321:GpGYjZZWx6lOs
ROOTY:GpCmFE5HFhmeA
alant:GpwVv9cUpUOXo
wickdani:Gp.0w1z7.C79M
Notice that the first two characters of every hash in this list are the same. In a traditional DES crypt hash those two characters are the salt, so all fourteen accounts here share a single salt.
admin:ZUThDIlsSDhRs
szymonw:aYCHor8ozVxYg
amac0008:a3sYyPAERdgSc
wula1966:a5q2SbwGztH2s
tommbakk:a5Yf2a.GpI.mk
sundsval:adVAGtPKOFX9g
121221:aeJW.a8Mgo6zU
THEHBIC:ae2RwyRHFh9ME
THEEBIC:ahkhlQxhU0.X6
kwfish:aoeaE0bJ5RmEw
bufflo:arIBOGP3msI42
randy77:uVZ2OleOtJDu6
mxtwrestler:aQ6/Mh5xGU2xc
BUFFLO:aciTcHHepUUZY
When you run the second password file you get values of around 7000 c/s, whereas with the first set you get values around 2500000 c/s (the author's figures). The reason is that every candidate password has to be hashed separately for each distinct salt before it can be compared with the hashes that use that salt: with one shared salt a candidate is hashed once and checked against all fourteen hashes, while in the second list, which has twelve distinct salts among its fourteen hashes, each candidate must be hashed twelve times. When there are no differing salts, brute-forcing a through zzzzzz becomes a very feasible option.
The option for selecting salts is -salts:[-]COUNT, for example
-salts:2 loads only salts shared by at least 2 hashes
-salts:-2 loads only salts shared by fewer than 2 hashes
An example command would be
john password.txt -salts:1000 -i:custom
The 'salts' option tells John to crack only those accounts whose salt is shared by at least 1000 hashes, which is where the per-candidate cost pays off best.
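An added Python example, not from this page or from John the Ripper, that reads the two lists above (the page's own data), picks the salt out of each 13-character DES crypt hash, and counts the hash computations each candidate password costs, which is the effect behind the c/s figures; it also emulates the -salts:[-]COUNT selection. The same parser accepts the seven-field layout described under "Password Files" and rejects a second field that is not a DES crypt hash, which is why the placeholder hash in that section would load nothing.

```python
import re
from collections import defaultdict

# The two password-file sections shown above, copied from this page.
SAME_SALT = """\
rj:GpZfNL9Uyz.F6
swimmer:Gpa/yCH9EN4CU
cristian:GpNCyGwgDgRX.
galaxyeng:GpM82aYsocajg
puppy3481:GpLz4TL.M6BeM
Quinn:GpsyHfQzLfwzg
tigger:GpwrQgJEC1otc
boeluv:GpvLPwjqdkmJY
mbrooks:Gpkv73fL6Jh9Y
eros_96:GpoQAPAFJ3FPY
MEvans9321:GpGYjZZWx6lOs
ROOTY:GpCmFE5HFhmeA
alant:GpwVv9cUpUOXo
wickdani:Gp.0w1z7.C79M
"""

MIXED_SALTS = """\
admin:ZUThDIlsSDhRs
szymonw:aYCHor8ozVxYg
amac0008:a3sYyPAERdgSc
wula1966:a5q2SbwGztH2s
tommbakk:a5Yf2a.GpI.mk
sundsval:adVAGtPKOFX9g
121221:aeJW.a8Mgo6zU
THEHBIC:ae2RwyRHFh9ME
THEEBIC:ahkhlQxhU0.X6
kwfish:aoeaE0bJ5RmEw
bufflo:arIBOGP3msI42
randy77:uVZ2OleOtJDu6
mxtwrestler:aQ6/Mh5xGU2xc
BUFFLO:aciTcHHepUUZY
"""

# A traditional DES crypt(3) hash is 13 characters from this alphabet; the
# first two are the salt and the remaining eleven encode the hash itself.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def load_hashes(text):
    """Parse login:hash[:...] lines (2-field or full 7-field layout) into
    (login, salt, hash) tuples, skipping second fields that are not DES crypt hashes."""
    loaded = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not DES_CRYPT.match(fields[1]):
            continue
        loaded.append((fields[0], fields[1][:2], fields[1]))
    return loaded


def group_by_salt(loaded):
    """{salt: [logins sharing it]}, in first-seen order."""
    groups = defaultdict(list)
    for login, salt, _ in loaded:
        groups[salt].append(login)
    return dict(groups)


def crypts_per_candidate(loaded):
    """Each candidate must be hashed once per distinct salt before it can be
    compared with every loaded hash; this is the work John's c/s figure counts."""
    return len(group_by_salt(loaded))


def apply_salts_option(loaded, count):
    """Emulate -salts:[-]COUNT: keep salts shared by at least COUNT hashes, or,
    for a negative COUNT, by fewer than -COUNT hashes."""
    sizes = {salt: len(logins) for salt, logins in group_by_salt(loaded).items()}
    if count >= 0:
        return [entry for entry in loaded if sizes[entry[1]] >= count]
    return [entry for entry in loaded if sizes[entry[1]] < -count]


if __name__ == "__main__":
    for name, text in (("same salt", SAME_SALT), ("mixed salts", MIXED_SALTS)):
        loaded = load_hashes(text)
        print(f"{name}: {len(loaded)} hashes, "
              f"{crypts_per_candidate(loaded)} crypt(s) per candidate")
    shared = apply_salts_option(load_hashes(MIXED_SALTS), 2)
    print("-salts:2 keeps:", [login for login, _, _ in shared])
```

On the second list only two salts (a5 and ae) are shared by more than one account, so -salts:2 would load just those four hashes and -salts:-2 the other ten.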
Common Problems
Zero Passwords loaded
Check the password file format first (see Password Files above). If that is correct, try typing
john -show pass.txt
as the passwords may already have been cracked and stored in john.pot; John does not reload hashes it has already cracked.
John opens then immediately closes
John gives you an incorrect password
If you run John and it prints a line like
guesses: 0 time 00.00.01:13 c/s 6100 trying trypah - tuahj
that is NOT a cracked password; this is a common mistake. It is the status line (guesses so far, elapsed time, speed in crypts per second, and the range of candidates currently being tried). A cracked password is printed on a line of its own, the plaintext followed by the login name in parentheses, for example
blah (blah)
Fatal Errors or Access Denied
Delete your copy of John the Ripper and download a fresh one from the homepage.