metasploit-framework/data/john/doc/OPTIONS

283 lines
13 KiB
Plaintext

John the Ripper's command line syntax.
(Updated in/for the jumbo patch by Jim Fougeron)
When invoked with no command line arguments, "john" prints its usage
summary.
The supported command line arguments are password file names and
options. Many of the supported options accept additional arguments.
You can list any number of password files right on the command line of
"john". You do not have to specify any options. If valid password
files are specified but no options are given, John will go through
the default selection of cracking modes with their default settings.
Options may be specified along with password files or on their own,
although some require that password files be specified and some do not
support operation on password files.
All options are case sensitive, can be abbreviated as long as the
abbreviations are unambiguous, can be prefixed with two dashes
(GNU-style) or with one dash, and can use "=" or ":" to indicate an
argument (if supported for a given option).
The supported options are as follows, square brackets denote optional
arguments:
--single[=SECTION] "single crack" mode
Enables the "single crack" mode, using rules from the configuration
file section [List.Rules:Single]. If --single=Single_2 then the rules
from [List.Rules:Single_2] section would be used.
--wordlist=FILE wordlist mode, read words from FILE,
--stdin or from stdin
These are used to enable the wordlist mode.
--utf8 enable UTF-8 conversion
John defaults to assuming ISO-8859-1 when converting plaintexts or salts
to UTF-16. Using this flag will enable UTF-8 conversion instead. This affects
many Microsoft formats like NT, mscash and mssql. Formats not affected will
silently ignore this option flag.
--rules[=SECTION] enable word mangling rules for wordlist mode
Enables word mangling rules that are read from [List.Rules:Wordlist].
If --rules=Wordlist_elite was used, then [List.Rules:Wordlist_elite]
would be the section used.
--incremental[=MODE] "incremental" mode [using section MODE]
Enables the "incremental" mode, using the specified configuration file
definition (section [Incremental:MODE], or [Incremental:All] by default
except for LM hashes for which the default is [Incremental:LanMan]).
--external=MODE external mode or word filter
Enables an external mode, using external functions defined in section
[List.External:MODE].
--stdout[=LENGTH] just output candidate passwords
When used with a cracking mode, except for "single crack", makes John
output the candidate passwords it generates to stdout instead of
actually trying them against password hashes; no password files may be
specified when this option is used. If a LENGTH is given, John
assumes that to be the significant password length and only produces
passwords up to that length.
--restore[=NAME] restore an interrupted session
Continues an interrupted cracking session, reading state information
from the specified session file or from $JOHN/john.rec by default.
--session=NAME give a new session the NAME
This option can only be used when starting a new cracking session and
its purpose is to give the new session a name (to which John will
append the ".rec" suffix to form the session file name). This is
useful for running multiple instances of John in parallel or to be
able to later recover a session other than the last one you interrupt.
john.log file will also be named NAME.log (whatever 'NAME' is), so
that any logging of the session work will end up in this file.
--status[=NAME] print status of a session [called NAME]
Prints status of an interrupted or running session. Note that on a
Unix-like system, you can get a detached running session to update its
session file by sending a SIGHUP to the appropriate "john" process;
then use this option to read in and display the status.
--make-charset=FILE make a charset, overwriting FILE
Generates a charset file based on character frequencies from
$JOHN/john.pot, for use with the "incremental" mode. The entire
$JOHN/john.pot will be used for the charset generation by default. You
may restrict the set of passwords used by specifying some password files
(in which case only the cracked passwords that correspond to those
password files will be used), "--format", or/and "--external" (with an
external mode that defines a filter() function).
--show[=left] show cracked passwords
Shows the cracked passwords for given password files (which you must
specify). You can use this option while another instance of John is
cracking to see what John did so far; to get the most up to date
information, first send a SIGHUP to the appropriate "john" process.
if --show=left then all uncracked hashes are listed (in a john 'input'
file format way). =left is just that literal string "=left".
--test[=TIME] run tests and benchmarks for TIME seconds each
Tests all of the compiled in hashing algorithms for proper operation and
benchmarks them. The "--format" option can be used to restrict this to
a specific algorithm.
--users=[-]LOGIN|UID[,..] [do not] load this (these) user(s)
Allows you to select just a few accounts for cracking or for other
operations. A dash before the list can be used to invert the check
(that is, load information for all the accounts that are not listed).
--groups=[-]GID[,..] load users [not] of this (these) group(s)
Tells John to load (or to not load) information for accounts in the
specified group(s) only.
--shells=[-]SHELL[,..] load users with[out] this (these) shell(s)
This option is useful to load accounts with a valid shell only or to
not load accounts with a bad shell. You can omit the path before a
shell name, so "--shells=csh" will match both "/bin/csh" and
"/usr/bin/csh", while "--shells=/bin/csh" will only match "/bin/csh".
--salts=[-]COUNT[:MAX] load salts with[out] at least COUNT passwords
This is a feature which allows to achieve better performance in some
special cases. For example, you can crack only some salts using
"--salts=2" faster and then crack the rest using "--salts=-2". Total
cracking time will be about the same, but you will likely get some
passwords cracked earlier. If MAX is listed, then no hashes are
loaded where there are more than MAX salts. This is so that if you
have run --salts=25 and then later can run --salts=10:24 and none of
the hashes that were already done from the --salts=25 will be re-done.
--pot=NAME pot filename to use
By default, john will use john.pot. This override allows using a different
john.pot-like file (to start from, and to store any found password into).
--format=NAME force hash type NAME
Allows you to override the hash type detection. Currently, valid
"format names" are DES, BSDI, MD5, BF, AFS, LM, and crypt (and many more
are added with various patches). You can use this option when you're
starting a cracking session or along with one of: "--test", "--show",
"--make-charset". Note that John can't crack hashes of different types
at the same time. If you happen to get a password file that uses more
than one hash type, then you have to invoke John once for each hash type
and you need to use this option to make John crack hashes of types other
than the one it would autodetect by default.
"--format=crypt" may or may not be supported in a given build of John.
In default builds of John, this support is currently only included on
Linux and Solaris. When specified (and supported), this option makes
John use the system's crypt(3) or crypt_r(3) function. This may be
needed to audit password hashes supported by the system, but not yet
supported by John's own optimized cryptographic routines. Currently,
this is the case for glibc 2.7+ SHA-crypt hashes as used by recent
versions of Fedora and Ubuntu, and for SunMD5 hashes supported (but not
used by default) on recent versions of Solaris. In fact, you do not
have to explicitly specify "--format=crypt" for hashes of these specific
types unless you have other hash types (those supported by John
natively) in the password file(s) as well (in which case another hash
type may get detected unless you specify this option).
"--format=crypt" is also a way to make John crack crypt(3) hashes of
different types at the same time, but doing so results in poor
performance and in unnecessarily poor results (in terms of passwords
cracked) for hashes of the "faster" types (as compared to the "slower"
ones loaded for cracking at the same time). So you are advised to use
separate invocations of John, one per hash type.
--subformat=LIST displays all the built-in md5-gen formats, and exits
--save-memory=LEVEL enable memory saving, at LEVEL 1..3
You might need this option if you don't have enough memory or don't
want John to affect other processes too much. Level 1 tells John to
not waste memory on login names; it is only supported when a cracking
mode other than "single crack" is explicitly requested. The only
impact is that you won't see the login names while cracking. Higher
memory saving levels have a performance impact; you should probably
avoid using them unless John doesn't work or gets into swap otherwise.
--mem-file-size=SIZE max size of wordlist to preload into memory
One of the significant performance improvements for some builds of
john, is preloading the wordlist file into memory, instead of reading
line by line. This is especially true when running with a large list
of --rules. The default max size file is 5 million bytes. Using this
option allows making this larger. NOTE if --save-memory is used,
then memory file processing is turned off.
--field-separator-char=c Use 'c' instead of the char ':'
By design, john works with most files, as 'tokenized' files. The field
separator used by john is the colon ':' character. However, there are
hashes which use the colon in the salt field, and there are users which
may have a colon for a user name (for a couple examples of problems
with it). However, an advanced john user can change the input files,
by using a different character than the ':' (and different than any
other 'used' character), and avoid problems of lines not being properly
processed. The side effects are that the pot file will get this
'character' used in it also (and only lines in the pot file that HAVE
that character will be loaded at startup), and there are other side
effects. Usually, this is ONLY used in very advanced situations, where
the user 'knows what he is doing'. If the character can not be easily
represented by the keyboard, then the format of
--field-separator-char=\xHH can be used. --field-separator-char=\x1F
would represent the character right before the space (space is 0x20)
--fix-state-delay=N only determine the wordlist offset every N times
This is an optimization which helps on some systems. This just
limits the number of times that the ftell() call is performed.
The one side effect, is that if john is aborted, and restarted, it
may redo more tests. Thus, the use of this option is only acceptable
and desirable for fast hash types (e.g., raw MD5).
--nolog turns off john.log file
This will turn off creation, or updating to the john.log file (which may
have a different name if the --session=NAME flag was used.) Often the
logging is not wanted, and this log file can often become very large
(such as working with many 'fast' rules on a fast format). The log file
is often used to check what work has been done, but if this will not be
needed, and the log file is simply going to be deleted when done, then
running in --nolog mode may be used.
Additional utilities.
There are some related utilities in John's run directory:
unshadow PASSWORD-FILE SHADOW-FILE
Combines the "passwd" and "shadow" files (when you already have access
to both) for use with John. You might need this since if you only
used your shadow file, the "Full Name" or "GECOS" information wouldn't
be used by the "single crack" mode (thus reducing its efficiency) and
you wouldn't be able to use the "--groups" and "--shells" options and
to select by UID with "--users". You probably also want to see all of
the passwd file fields with "--show".
You'll usually want to redirect the output of "unshadow" to a file
which you then pass to John.
unafs DATABASE-FILE CELL-NAME
Gets password hashes out of the binary AFS database and produces
output usable by John (you should redirect the output to a file).
unique OUTPUT-FILE
Removes duplicates from a wordlist (read from stdin) without changing
the order of entries. You might want to use this with John's
"--stdout" option if you've got a lot of disk space to trade for the
reduced cracking time (on possibly trying some duplicates as they
might be produced with word mangling rules).
This program has been updated. It is faster, it now can 'cut' the
lines (in a couple of ways), and can unique the files data, AND also
unique it against an existing file.
mailer PASSWORD-FILE
A shell script to send mail to all the users who got weak passwords.
You should edit the message inside the script before using it.
Based on (and modified in the jumbo patch):
$Owl: Owl/packages/john/john/doc/OPTIONS,v 1.9 2011/04/27 18:02:49 solar Exp $