John the Ripper usage examples. These examples are to give you some tips on what John's features can be used for. Command line. 1. First, you need to get a copy of your password file. If your system uses shadow passwords, you may use John's "unshadow" utility to obtain the traditional Unix password file, as root: umask 077 unshadow /etc/passwd /etc/shadow > mypasswd (You may need to replace the filenames as needed.) Then make "mypasswd" available to your non-root user account that you will run John under. No further commands will need to be run as root. If your system is ancient enough that it keeps passwords right in the world-readable /etc/passwd, simply make a copy of that file. If you're going to be cracking Kerberos AFS passwords, use John's "unafs" utility to obtain a passwd-like file. Similarly, if you're going to be cracking Windows passwords, use any of the many utilities that dump Windows password hashes (LM and/or NTLM) in Jeremy Allison's PWDUMP output format. Some of these utilities may be obtained here: http://www.openwall.com/passwords/pwdump 2. Now, let's assume you've got a password file, "mypasswd", and want to crack it. The simplest way is to let John use its default order of cracking modes: john mypasswd This will try "single crack" mode first, then use a wordlist with rules, and finally go for "incremental" mode. Please refer to MODES for more information on these modes. It is highly recommended that you obtain a larger wordlist than John's default password.lst and edit the "Wordlist = ..." line in the configuration file (see CONFIG) before running John. Some wordlists may be obtained here: http://www.openwall.com/wordlists/ Of those available in the collection at the URL above, all.lst (downloadable as all.gz) and huge.lst (only available on the CD) are good candidates for the "Wordlist = ..." setting. 3. If you've got some passwords cracked, they are stored in $JOHN/john.pot. The john.pot file is not meant to be human-friendly. You should be using John itself to display the contents of its "pot file" in a convenient format: john --show mypasswd If the account list gets large and doesn't fit on the screen, you should, of course, use your shell's output redirection. You might notice that many accounts have a disabled shell. You can make John skip those in the report. Assuming that the disabled shell is called "/etc/expired", the command would be: john --show --shells=-/etc/expired mypasswd or shorter, but will also match "/any/path/expired": john --show --shells=-expired mypasswd or if you also want to ignore some other shell, say "/etc/newuser": john --show --shells=-expired,newuser mypasswd To check if any root (UID 0) accounts got cracked: john --show --users=0 mypasswd or to check for cracked root (UID 0) accounts in multiple files: john --show --users=0 *passwd* *.pwd To display the root (username "root") account only: john --show --users=root mypasswd And finally, to check for privileged groups: john --show --groups=0,1 mypasswd 4. You might prefer to manage the cracking modes manually. It is wise to start with "single crack" mode: john --single mypasswd or since the GNU-style double dashes are optional and since option names can be abbreviated for as long as they remain unambiguous: john -si mypasswd You should not abbreviate options in scripts which you would want to work with future versions of John since what is unambiguous now might become ambiguous with the addition of more options. If you have more files to crack, it is preferable to load them at the same time: john --single passwd1 passwd2 or even: john --single *passwd* *.pwd This way, John will run faster and might even crack more passwords than it would if you ran it on each password file separately. 5. To catch weak passwords not derived from readily available users' personal information, you should proceed with cracking modes demanding more processor time. First, let's try a tiny wordlist with word mangling rules enabled: john --wordlist=password.lst --rules mypasswd or abbreviating the options: john -w=password.lst -ru mypasswd Then proceed with a larger wordlist, also applying the mangling rules: john --wordlist=all.lst --rules mypasswd If you've got a lot of spare disk space to trade for performance and the hash type of your password files is relatively slow, you may use John's "unique" utility to eliminate any duplicate candidate passwords: john --wordlist=all.lst --rules --stdout | unique mangled.lst john --wordlist=mangled.lst mypasswd If you know that your target hash type truncates passwords at a given length, you may optimize this even further: john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst john --wordlist=mangled8.lst mypasswd Alternatively, you may simply use huge.lst available on Openwall wordlist collection CDs. It has word mangling rules pre-applied for the most common languages and it has any duplicates purged. Depending on target hash type, the number of different salts (if applicable), the size of your wordlist, rules, and processor performance, wordlist-based cracking may take anywhere from under a second to many days. You do not have to leave John running on a (pseudo-)terminal. If running John on a Unix-like system, you can simply disconnect from the server, close your xterm, etc. John will catch the SIGHUP ("hangup" signal) and continue running. Alternatively, you may prefer to start it in the background right away: john --wordlist=all.lst --rules mypasswd & Obviously, the "&" is specific to Unix shells and will not work on most other platforms. You may further enhance this by specifying a session name: john --session=allrules --wordlist=all.lst --rules mypasswd & This ensures that you won't accidentally interfere with the instance of John running in the background if you proceed to start other sessions. To view the status of a running session, use: john --status for the default session or: john --status=allrules for any other session. This works for both interrupted and running sessions. To obtain the most up-to-date information from a running session on a Unix-like system, send a SIGHUP to the appropriate "john" process. Any interrupted sessions may be continued with: john --restore or: john --restore=allrules Finally, to make John have less impact on other processes, you should set the option "Idle = Y" in the configuration file (see CONFIG). The default may vary depending on the version and build of JtR. To only crack accounts with a "good" shell (in general, the shell, user, and group filters described above work for all cracking modes as well): john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd Like with all other cracking modes, it is faster to crack all the files you need cracked simultaneously: john --wordlist=all.lst --rules passwd1 passwd2 You can crack some passwords only. This will try cracking all root (UID 0) accounts in all the password files: john --wordlist=all.lst --rules --users=0 *passwd* Alternatively, you may wish to not waste time cracking your very own passwords, if you're sure they're uncrackable: john --wordlist=all.lst --rules --users=-root,solar *passwd* Sometimes it is useful to split your password hashes into two sets which you crack separately, like: john --wordlist=all.lst --rules --salts=2 *passwd* john --wordlist=all.lst --rules --salts=-2 *passwd* This will make John try salts used on two or more password hashes first and then try the rest. Total cracking time will be almost the same, but you will get some passwords cracked earlier, which is useful, for example, for penetration testing and demonstrations to management. Similarly, you may check all password hashes with a small wordlist, but only those that you can check faster (with "--salts=2") with a larger one. With large numbers of password hashes and/or with a highly non-uniform distribution of salts, it may be appropriate to use a threshold larger than 2 with "--salts" (sometimes even values as high as 1000 will do). Note that the default wordlist rules include ":" (a no-op - try words as they are in the list) on the first line. If you already ran through a wordlist without using rules, and then decided to also try the same wordlist with rules, you'd better comment this line out. 6. The most powerful cracking mode in John is called "incremental" (not a proper name, but kept for historical reasons). You can simply run: john --incremental mypasswd or: john -i mypasswd This will use the default "incremental" mode parameters, which are defined in the configuration file's section named either [Incremental:All] (for most hash types) or [Incremental:LanMan] (for Windows LM hashes). By default, the [Incremental:All] parameters are set to use the full printable US-ASCII character set (95 characters) and to try all possible password lengths from 0 to 8. [Incremental:LanMan] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves limited to 7 characters each. Don't expect "incremental" mode sessions to terminate in a reasonable time (unless all the passwords are weak and get cracked), read MODES for an explanation of this. In some cases it is faster to use some other pre-defined incremental mode parameters and only crack simpler passwords, from a limited character set. The following command will try 26 different characters only, passwords from "a" to "zzzzzzzz" (in an optimal order): john -i=alpha mypasswd Of course, you can use most of the additional features demonstrated above for wordlist mode with "incremental" mode as well. For example, on a large-scale penetration test, you may have John crack only root (UID 0) accounts in a set of password files: john -i -u=0 *.pwd 7. If you've got a password file for which you already have a lot of passwords cracked or obtained by other means, and the passwords are unusual, then you may want to generate a new charset file, based on character frequencies from that password file only: john --make-charset=custom.chr mypasswd Then use that new file with "incremental" mode. If you've got many password files from a particular country, organization, etc., it might be useful to use all of them for the charset file that you then use to crack even more passwords from these files or from some other password files from the same place: john --make-charset=custom.chr passwd1 passwd2 [ Configure your custom "incremental" mode now. See below. ] john -i=custom passwd3 You can use some pre-defined or custom word filters when generating the charset file to have John consider some simpler passwords only: john --make-charset=my_alpha.chr --external=filter_alpha mypasswd If your "pot file" got large enough (or if you don't have any charset files at all), you might want to use it to generate a new set of main charset files: john --make-charset=all.chr john --make-charset=alnum.chr --external=filter_alnum john --make-charset=alpha.chr --external=filter_alpha john --make-charset=digits.chr --external=filter_digits john --make-charset=lanman.chr --external=filter_lanman In the example above, John will overwrite the charset files with new ones that are based on your entire $JOHN/john.pot (John uses the entire "pot file" if you don't specify any password files). Note that the word filters used here are pre-defined in the configuration file supplied with John, for your convenience. 8. Finally, you might want to e-mail all users with weak passwords to tell them to change their passwords. (This is not always a good idea, though, since lots of people do not check their e-mail or ignore such messages, and the messages can be a hint for crackers.) Edit the "mailer" script supplied with John: the message it sends and possibly the mail command (especially if the password file is from a different machine). Then run: mailer mypasswd Configuration file. Please refer to CONFIG for general information on the configuration file and its possible locations. 1. Let's assume that you notice that in some password file a lot of users have their passwords set to login names with "?!" appended. Then you just make a new "single crack" mode rule (see RULES for information on the syntax) and place it somewhere near the beginning: [List.Rules:Single] $?$! Hint: if you want to temporarily disable all of the default rules, you can simply rename the section to something John doesn't use and define a new one with the section's old name, but be sure to leave the "List." prefix of the name intact to maintain correct configuration file syntax. All the same applies to wordlist mode rules as well. 2. If you generate a custom charset file (described above) you will also need to define a configuration file section with the "incremental" mode parameters. In the simplest case it will be like this (where "Custom" can be replaced with any name you like): [Incremental:Custom] File = custom.chr This way, John will only use characters from passwords used to generate the charset file only. To make John try some more characters, add: Extra = !@#$% These extra characters will then be added, but still considered the least probable. If you want to make sure that, with your extra characters, John will try all the 95 printable US-ASCII characters, you can add: CharCount = 95 This will make John print a warning if it only has fewer than 95 characters in its charset. You can also use CharCount to limit the number of different characters that John tries, even if the charset file has more: CharCount = 20 If you didn't use any filters when generating the charset file, setting CharCount this low will make John never attempt rare characters and character combinations, not even for really short passwords, spending the time on simple longer candidate passwords instead. However, the default length switching is usually smart enough so that you shouldn't need this trick. To make John try passwords of certain lengths only, use the following lines: MinLen = 6 MaxLen = 8 Setting "MinLen" high, as in the example above, is reasonable if shorter passwords weren't allowed to set on the machine you got the password file from (however, note that root can usually set any password for any user and there are often loopholes in operating systems' password policy enforcement capabilities). On the contrary, you may want to set "MaxLen" low if you think there are a lot of short passwords. 3. Another example: a lot of users at some site use short duplicated words as their passwords, such as "fredfred". As the number of such potential passwords is fairly low, it makes sense to code a new external cracking mode that tries them all, up to some length. You can find the actual implementation of such a cracking mode with lots of comments in the default configuration file supplied with John. Please refer to EXTERNAL for information on the programming language used. $Owl: Owl/packages/john/john/doc/EXAMPLES,v 1.8 2009/12/25 16:59:31 solar Exp $