

title: Password/Hash Cracking with John

categories: [cheatsheets]

tags: [cracking, passwords, john]

Password/Hash Cracking - John the Ripper

Basic Usage:

  • Basic Command structure: john [OPTIONS] <hash-file>
  • Using a wordlist to crack

    john --wordlist=rockyou.txt hash.txt
    
  • Specifying the hash-format (--format)

    john --wordlist=rockyou.txt --format=raw-md5 hash.txt
    
  • Showing the cracked password²

    john --show hash.txt
    
  • Restore an interrupted session (when canceled with Ctrl-C or q)²

    john --restore
    
  • Start in incremental mode

    john --incremental=<MODE> hash.txt
    
  • Start in external mode

    john --external=<MODE> hash.txt
    
  • ² Session Information is stored in $HOME/.john/.

Common Formats

By default, john tries to detect the type of the hash(es) supplied. This detection can be overridden by specifying the format with the --format flag.

Common formats are:

  • raw-md5 (MD5)
  • raw-sha1 (SHA1)
  • raw-sha256 (SHA256)
  • crypt (Linux /etc/shadow hash)
  • wpapsk (WPA PSK Hash)
  • bcrypt/scrypt
  • ...

All formats can be viewed with the following command:

john --list=formats

Advanced Usage:

Modes

Wordlist Mode

Simplest mode: just specify a wordlist with --wordlist=<file>.

To lowercase the wordlist, sort it and remove duplicates, use the following command:

tr A-Z a-z < SOURCE | sort -u > TARGET

Incremental Mode

  • Really powerful mode
  • Tries all possible character combinations
  • Charset, minimum and maximum length must be specified
    • Defined in John's configuration file located at $JOHN/john.conf
  • Must be defined as:

    [Incremental:WPA_PSK]
    File = $JOHN/utf8.chr
    MinLen = 8
    MaxLen = 12
    CharCount = 192
    

And called like this:

john --incremental=<MODE> hash.txt

  • Predefined modes are
    • ASCII
    • LM_ASCII
    • Alpha
    • Digits
    • Lower/Upper
    • LowerNum/UpperNum
    • LowerSpace/UpperSpace

External Mode

An external cracking MODE can be defined in $JOHN/john.conf. The section contains source code (a subset of C) that is compiled when john starts up in that particular mode. This functionality is used to generate or filter candidate passwords.

An example would be:

[List.External:Filter_ASCII]
void filter()
{
	int i, c;

	i = 0;
	while (c = word[i++])
	if (c < 0x20 || c > 0x7e || i > 13) {
		word = 0; return;
	}
}

  • Supported/Called C functions

    init()		called at startup, should initialize global variables
    filter()	called for each word to be tried, can filter some words out
    generate()	called to generate words, when no other cracking modes used
    restore()	called when restoring an interrupted session
    
  • In the filter() call, the global variable word can be changed

  • if word == 0, the word is skipped
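
The character and length checks in Filter_ASCII can be exercised outside John with a small standard-C harness. This is an added example, not part of the original cheatsheet or of John's own code: `survives()`, `WORD_MAX` and the sample candidates are constructed for illustration, and writing the page's `word = 0` as `word[0] = 0` assumes the skip condition is a zero first element.

```c
#include <stdio.h>

#define WORD_MAX 128

/* Stand-in for John's global candidate buffer: one int per character,
   zero-terminated (assumed layout for this harness). */
static int word[WORD_MAX];

/* Filter_ASCII from the page; `word = 0` is written `word[0] = 0` here
   because standard C cannot assign to an array name. */
static void filter(void)
{
    int i, c;

    i = 0;
    while ((c = word[i++]))
        if (c < 0x20 || c > 0x7e || i > 13) {
            word[0] = 0;
            return;
        }
}

/* Hypothetical helper: load a candidate, run filter(), return 1 if kept. */
static int survives(const char *candidate)
{
    int i = 0;

    while (candidate[i] && i < WORD_MAX - 1) {
        word[i] = (unsigned char)candidate[i];
        i++;
    }
    word[i] = 0;
    filter();
    return word[0] != 0;
}

int main(void)
{
    /* Constructed sample candidates. */
    const char *samples[] = {
        "Summer2024!", "thirteenchars", "fourteen-chars", "tab\there", "caf\xc3\xa9"
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-16s %s\n", samples[n], survives(samples[n]) ? "kept" : "skipped");
    return 0;
}
```

Because `i` is incremented before the length test, 13 characters is the longest candidate that passes; anything containing a control character or a non-ASCII byte is skipped regardless of length.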