John the Ripper

John the Ripper (Jumbo, 7.4k ⭐), a.k.a. john/JtR, is, like hashcat, a tool to crack hashes. For convenience's sake, we store the hash in a file named myhash.

# use single quotes, so that $/... aren't interpreted
$ echo 'some hash here' > myhash

List the available hash formats. The names of standard formats such as MD5 start with "raw-".

$ john --list=formats | grep -i "md5"

Cracked passwords are usually stored in ~/.john/john.pot. If a hash was already cracked, you can show it using:

$ john myhash --show
hash:password

Formats and wordlists

Reminder: the wordlist is the list of passwords to test, while the format is the kind of hash, such as MD5.

👉 With an incorrect hash (improperly formatted) or an incorrect format (MD5 specified, but it was MD4...), john will most likely start then stop.

  • 🥉 Let john guess the format and use the default wordlist
$ john myhash
# john expects a file, not a literal hash string: write the hash to a file first
  • 🥈 Give the format but use john's default wordlist
$ john myhash --format=raw-md5
$ john myhash --format=raw-md4
$ john myhash --format=raw-sha1
  • 🏆 Give both the format and the wordlist
$ john myhash --format=raw-md4 --wordlist=/usr/share/wordlists/rockyou.txt

⚠️ It seems that now, you must call john myhash --format=XXX --show after cracking a hash to see the password. Remove the leading "?:" from the output.


Single crack mode

Single crack mode is one of JtR's modes. In this mode, we define rules that are applied to the wordlist to generate a new "enhanced" wordlist. 🔥 For instance, users tend to:

  • 🔤 capitalize the first letter
  • 🔢 add a number at the end
  • 🔣 add a symbol after the number (if required)

This is the default mode. It can be explicitly called with:

$ john myhash --single [...]
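
An added example (not from the original page): a defender-side check in Python that flags passwords built from a dictionary word with the three habits listed above. BASE_WORDS, explain_mangling and audit are hypothetical names, the word set is constructed sample data, and the check accepts a run of digits rather than a single one.

```python
import re

# Constructed sample base words; a real audit would load a wordlist file instead.
BASE_WORDS = {"password", "summer", "dragon", "welcome"}

# Shape: word + optional trailing digits + optional single trailing symbol
SHAPE = re.compile(r"^([A-Za-z]+)(\d*)([^A-Za-z0-9\s]?)$")


def explain_mangling(candidate, base_words=BASE_WORDS):
    """Return the manglings that turn a base word into `candidate`.

    Returns a list (empty when the candidate is a bare dictionary word) or
    None when the candidate cannot be derived with these three habits.
    """
    match = SHAPE.match(candidate)
    if not match:
        return None
    word, digits, symbol = match.groups()
    steps = []
    if word in base_words:
        pass  # base word used as-is
    elif word[0].isupper() and word[0].lower() + word[1:] in base_words:
        steps.append("capitalize first letter")
    else:
        return None
    if digits:
        steps.append("append number")
    if symbol:
        steps.append("append symbol")
    return steps


def audit(candidates, base_words=BASE_WORDS):
    """Map each candidate to its manglings; None means not derivable."""
    return {c: explain_mangling(c, base_words) for c in candidates}


if __name__ == "__main__":
    # Constructed candidates, as a password-policy check might receive them.
    for pw, steps in audit(["Summer2024!", "dragon7", "welcome", "x9#Kq!vT2"]).items():
        verdict = "weak: " + (", ".join(steps) or "bare dictionary word") if steps is not None else "not derivable"
        print(f"{pw!r}: {verdict}")
```

A candidate that returns a list here is reachable from the wordlist with only these simple rules, so it should be rejected at password-set time.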

👉 Default rules are stored in /etc/john/john.conf.

➡️ See Word Mangling and GECOS fields.

Custom rules

Create a file xxx.rules with some rules inside:

[List.Rules:RuleName]
; refer to the documentation

$ john myhash --single --rules=xxx.rules [...]

Wordlist generation

By adding --stdout to john, and not providing a hash, john will output a wordlist after applying a rule:

$ john --wordlist=xxx --rules=yyy --stdout > wordlist

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • --incremental mode