283 lines
13 KiB
Plaintext
Executable File
283 lines
13 KiB
Plaintext
Executable File
John the Ripper's command line syntax.
|
|
(Updated in/for the jumbo patch by Jim Fougeron)
|
|
|
|
When invoked with no command line arguments, "john" prints its usage
|
|
summary.
|
|
|
|
The supported command line arguments are password file names and
|
|
options. Many of the supported options accept additional arguments.
|
|
|
|
You can list any number of password files right on the command line of
|
|
"john". You do not have to specify any options. If valid password
|
|
files are specified but no options are given, John will go through
|
|
the default selection of cracking modes with their default settings.
|
|
|
|
Options may be specified along with password files or on their own,
|
|
although some require that password files be specified and some do not
|
|
support operation on password files.
|
|
|
|
All options are case sensitive, can be abbreviated as long as the
|
|
abbreviations are unambiguous, can be prefixed with two dashes
|
|
(GNU-style) or with one dash, and can use "=" or ":" to indicate an
|
|
argument (if supported for a given option).
|
|
|
|
The supported options are as follows, square brackets denote optional
|
|
arguments:
|
|
|
|
--single[=SECTION] "single crack" mode
|
|
|
|
Enables the "single crack" mode, using rules from the configuration
|
|
file section [List.Rules:Single]. If --single=Single_2 then the rules
|
|
from [List.Rules:Single_2] section would be used.
|
|
|
|
--wordlist=FILE wordlist mode, read words from FILE,
|
|
--stdin or from stdin
|
|
|
|
These are used to enable the wordlist mode.
|
|
|
|
--utf8 enable UTF-8 conversion
|
|
|
|
John defaults to assuming ISO-8859-1 when converting plaintexts or salts
|
|
to UTF-16. Using this flag will enable UTF-8 conversion instead. This affects
|
|
many Microsoft formats like NT, mscash and mssql. Formats not affected will
|
|
silently ignore this option flag.
|
|
|
|
--rules[=SECTION] enable word mangling rules for wordlist mode
|
|
|
|
Enables word mangling rules that are read from [List.Rules:Wordlist].
|
|
If --rules=Wordlist_elite was used, then [List.Rules:Wordlist_elite]
|
|
would be the section used.
|
|
|
|
--incremental[=MODE] "incremental" mode [using section MODE]
|
|
|
|
Enables the "incremental" mode, using the specified configuration file
|
|
definition (section [Incremental:MODE], or [Incremental:All] by default
|
|
except for LM hashes for which the default is [Incremental:LanMan]).
|
|
|
|
--external=MODE external mode or word filter
|
|
|
|
Enables an external mode, using external functions defined in section
|
|
[List.External:MODE].
|
|
|
|
--stdout[=LENGTH] just output candidate passwords
|
|
|
|
When used with a cracking mode, except for "single crack", makes John
|
|
output the candidate passwords it generates to stdout instead of
|
|
actually trying them against password hashes; no password files may be
|
|
specified when this option is used. If a LENGTH is given, John
|
|
assumes that to be the significant password length and only produces
|
|
passwords up to that length.
|
|
|
|
--restore[=NAME] restore an interrupted session
|
|
|
|
Continues an interrupted cracking session, reading state information
|
|
from the specified session file or from $JOHN/john.rec by default.
|
|
|
|
--session=NAME give a new session the NAME
|
|
|
|
This option can only be used when starting a new cracking session and
|
|
its purpose is to give the new session a name (to which John will
|
|
append the ".rec" suffix to form the session file name). This is
|
|
useful for running multiple instances of John in parallel or to be
|
|
able to later recover a session other than the last one you interrupt.
|
|
john.log file will also be named NAME.log (whatever 'NAME' is), so
|
|
that any logging of the session work will end up in this file.
|
|
|
|
--status[=NAME] print status of a session [called NAME]
|
|
|
|
Prints status of an interrupted or running session. Note that on a
|
|
Unix-like system, you can get a detached running session to update its
|
|
session file by sending a SIGHUP to the appropriate "john" process;
|
|
then use this option to read in and display the status.
|
|
|
|
--make-charset=FILE make a charset, overwriting FILE
|
|
|
|
Generates a charset file based on character frequencies from
|
|
$JOHN/john.pot, for use with the "incremental" mode. The entire
|
|
$JOHN/john.pot will be used for the charset generation by default. You
|
|
may restrict the set of passwords used by specifying some password files
|
|
(in which case only the cracked passwords that correspond to those
|
|
password files will be used), "--format", or/and "--external" (with an
|
|
external mode that defines a filter() function).
|
|
|
|
--show[=left] show cracked passwords
|
|
|
|
Shows the cracked passwords for given password files (which you must
|
|
specify). You can use this option while another instance of John is
|
|
cracking to see what John did so far; to get the most up to date
|
|
information, first send a SIGHUP to the appropriate "john" process.
|
|
if --show=left then all uncracked hashes are listed (in a john 'input'
|
|
file format way). =left is just that literal string "=left".
|
|
|
|
--test[=TIME] run tests and benchmarks for TIME seconds each
|
|
|
|
Tests all of the compiled in hashing algorithms for proper operation and
|
|
benchmarks them. The "--format" option can be used to restrict this to
|
|
a specific algorithm.
|
|
|
|
--users=[-]LOGIN|UID[,..] [do not] load this (these) user(s)
|
|
|
|
Allows you to select just a few accounts for cracking or for other
|
|
operations. A dash before the list can be used to invert the check
|
|
(that is, load information for all the accounts that are not listed).
|
|
|
|
--groups=[-]GID[,..] load users [not] of this (these) group(s)
|
|
|
|
Tells John to load (or to not load) information for accounts in the
|
|
specified group(s) only.
|
|
|
|
--shells=[-]SHELL[,..] load users with[out] this (these) shell(s)
|
|
|
|
This option is useful to load accounts with a valid shell only or to
|
|
not load accounts with a bad shell. You can omit the path before a
|
|
shell name, so "--shells=csh" will match both "/bin/csh" and
|
|
"/usr/bin/csh", while "--shells=/bin/csh" will only match "/bin/csh".
|
|
|
|
--salts=[-]COUNT[:MAX] load salts with[out] at least COUNT passwords
|
|
|
|
This is a feature which allows to achieve better performance in some
|
|
special cases. For example, you can crack only some salts using
|
|
"--salts=2" faster and then crack the rest using "--salts=-2". Total
|
|
cracking time will be about the same, but you will likely get some
|
|
passwords cracked earlier. If MAX is listed, then no hashes are
|
|
loaded where there are more than MAX salts. This is so that if you
|
|
have run --salts=25 and then later can run --salts=10:24 and none of
|
|
the hashes that were already done from the --salts=25 will be re-done.
|
|
|
|
--pot=NAME pot filename to use
|
|
|
|
By default, john will use john.pot. This override allows using a different
|
|
john.pot-like file (to start from, and to store any found password into).
|
|
|
|
--format=NAME force hash type NAME
|
|
|
|
Allows you to override the hash type detection. Currently, valid
|
|
"format names" are DES, BSDI, MD5, BF, AFS, LM, and crypt (and many more
|
|
are added with various patches). You can use this option when you're
|
|
starting a cracking session or along with one of: "--test", "--show",
|
|
"--make-charset". Note that John can't crack hashes of different types
|
|
at the same time. If you happen to get a password file that uses more
|
|
than one hash type, then you have to invoke John once for each hash type
|
|
and you need to use this option to make John crack hashes of types other
|
|
than the one it would autodetect by default.
|
|
|
|
"--format=crypt" may or may not be supported in a given build of John.
|
|
In default builds of John, this support is currently only included on
|
|
Linux and Solaris. When specified (and supported), this option makes
|
|
John use the system's crypt(3) or crypt_r(3) function. This may be
|
|
needed to audit password hashes supported by the system, but not yet
|
|
supported by John's own optimized cryptographic routines. Currently,
|
|
this is the case for glibc 2.7+ SHA-crypt hashes as used by recent
|
|
versions of Fedora and Ubuntu, and for SunMD5 hashes supported (but not
|
|
used by default) on recent versions of Solaris. In fact, you do not
|
|
have to explicitly specify "--format=crypt" for hashes of these specific
|
|
types unless you have other hash types (those supported by John
|
|
natively) in the password file(s) as well (in which case another hash
|
|
type may get detected unless you specify this option).
|
|
|
|
"--format=crypt" is also a way to make John crack crypt(3) hashes of
|
|
different types at the same time, but doing so results in poor
|
|
performance and in unnecessarily poor results (in terms of passwords
|
|
cracked) for hashes of the "faster" types (as compared to the "slower"
|
|
ones loaded for cracking at the same time). So you are advised to use
|
|
separate invocations of John, one per hash type.
|
|
|
|
--subformat=LIST displays all the built-in md5-gen formats, and exits
|
|
|
|
--save-memory=LEVEL enable memory saving, at LEVEL 1..3
|
|
|
|
You might need this option if you don't have enough memory or don't
|
|
want John to affect other processes too much. Level 1 tells John to
|
|
not waste memory on login names; it is only supported when a cracking
|
|
mode other than "single crack" is explicitly requested. The only
|
|
impact is that you won't see the login names while cracking. Higher
|
|
memory saving levels have a performance impact; you should probably
|
|
avoid using them unless John doesn't work or gets into swap otherwise.
|
|
|
|
--mem-file-size=SIZE max size of wordlist to preload into memory
|
|
|
|
One of the significant performance improvements for some builds of
|
|
john, is preloading the wordlist file into memory, instead of reading
|
|
line by line. This is especially true when running with a large list
|
|
of --rules. The default max size file is 5 million bytes. Using this
|
|
option allows making this larger. NOTE if --save-memory is used,
|
|
then memory file processing is turned off.
|
|
|
|
--field-separator-char=c Use 'c' instead of the char ':'
|
|
|
|
By design, john works with most files, as 'tokenized' files. The field
|
|
separator used by john is the colon ':' character. However, there are
|
|
hashes which use the colon in the salt field, and there are users which
|
|
may have a colon for a user name (for a couple examples of problems
|
|
with it). However, an advanced john user can change the input files,
|
|
by using a different character than the ':' (and different than any
|
|
other 'used' character), and avoid problems of lines not being properly
|
|
processed. The side effects are that the pot file will get this
|
|
'character' used in it also (and only lines in the pot file that HAVE
|
|
that character will be loaded at startup), and there are other side
|
|
effects. Usually, this is ONLY used in very advanced situations, where
|
|
the user 'knows what he is doing'. If the character can not be easily
|
|
represented by the keyboard, then the format of
|
|
--field-separator-char=\xHH can be used. --field-separator-char=\x1F
|
|
would represent the character right before the space (space is 0x20)
|
|
|
|
--fix-state-delay=N only determine the wordlist offset every N times
|
|
|
|
This is an optimization which helps on some systems. This just
|
|
limits the number of times that the ftell() call is performed.
|
|
The one side effect, is that if john is aborted, and restarted, it
|
|
may redo more tests. Thus, the use of this option is only acceptable
|
|
and desirable for fast hash types (e.g., raw MD5).
|
|
|
|
--nolog turns off john.log file
|
|
|
|
This will turn off creation, or updating to the john.log file (which may
|
|
have a different name if the --session=NAME flag was used.) Often the
|
|
logging is not wanted, and this log file can often become very large
|
|
(such as working with many 'fast' rules on a fast format). The log file
|
|
is often used to check what work has been done, but if this will not be
|
|
needed, and the log file is simply going to be deleted when done, then
|
|
running in --nolog mode may be used.
|
|
|
|
|
|
Additional utilities.
|
|
|
|
There are some related utilities in John's run directory:
|
|
|
|
unshadow PASSWORD-FILE SHADOW-FILE
|
|
|
|
Combines the "passwd" and "shadow" files (when you already have access
|
|
to both) for use with John. You might need this since if you only
|
|
used your shadow file, the "Full Name" or "GECOS" information wouldn't
|
|
be used by the "single crack" mode (thus reducing its efficiency) and
|
|
you wouldn't be able to use the "--groups" and "--shells" options and
|
|
to select by UID with "--users". You probably also want to see all of
|
|
the passwd file fields with "--show".
|
|
|
|
You'll usually want to redirect the output of "unshadow" to a file
|
|
which you then pass to John.
|
|
|
|
unafs DATABASE-FILE CELL-NAME
|
|
|
|
Gets password hashes out of the binary AFS database and produces
|
|
output usable by John (you should redirect the output to a file).
|
|
|
|
unique OUTPUT-FILE
|
|
|
|
Removes duplicates from a wordlist (read from stdin) without changing
|
|
the order of entries. You might want to use this with John's
|
|
"--stdout" option if you've got a lot of disk space to trade for the
|
|
reduced cracking time (on possibly trying some duplicates as they
|
|
might be produced with word mangling rules).
|
|
This program has been updated. It is faster, it now can 'cut' the
|
|
lines (in a couple of ways), and can unique the files data, AND also
|
|
unique it against an existing file.
|
|
|
|
mailer PASSWORD-FILE
|
|
|
|
A shell script to send mail to all the users who got weak passwords.
|
|
You should edit the message inside the script before using it.
|
|
|
|
Based on (and modified in the jumbo patch):
|
|
$Owl: Owl/packages/john/john/doc/OPTIONS,v 1.9 2011/04/27 18:02:49 solar Exp $
|