You might also want to see my article Installing JTR On Backtrack for Multiprocessor Cores
I am too lazy to restore the old version of this file from my old website (it was hosted for years on Mambo and I am just too lazy to do the db conversion). Anyways, this website serves a couple of purposes: first, to keep some of my own notes handy, and second, to help others. With that in mind, here is a collection of tips on using John the Ripper:
Prepare Linux Shadow Passwords
[codesyntax lang="bash"]
umask 077
./unshadow /etc/passwd /etc/shadow > mypasswds
[/codesyntax]
Default Modes – Running john with no mode option will try “single crack” mode first, then a wordlist with rules, and finally “incremental” mode.
[codesyntax lang="bash"]
./john mypasswds
[/codesyntax]
Show Passwords
[codesyntax lang="bash"]
john --show mypasswds
[/codesyntax]
Specify Modes
[codesyntax lang="bash"]
john --single mypasswds
[/codesyntax]
Multiple Files Containing Hashes
[codesyntax lang="bash"]
john --single passwd1 passwd2 mypasswds
[/codesyntax]
or use a wildcard
[codesyntax lang="bash"]
john --single passwd* mypasswds
[/codesyntax]
To use a wordlist
[codesyntax lang="bash"]
john --wordlist=/path/to/password.lst mypasswds
[/codesyntax]
To mangle words from the wordlist (case changes, appended digits, and so on), use the --rules option
[codesyntax lang="bash"]
john --wordlist=/path/to/password.lst --rules mypasswds
[/codesyntax]
To run in the background and give the session a name so it can be checked and restored if it is interrupted, use the --session option
[codesyntax lang="bash"]
john --session=mysessionname --wordlist=/path/to/password.lst --rules mypasswds &
[/codesyntax]
See the status of a session
[codesyntax lang="bash"]
john --status=mysessionname
[/codesyntax]
To restore a session by name
[codesyntax lang="bash"]
john --restore=mysessionname
[/codesyntax]
When cracking Linux shadow files, to only attempt accounts whose login shell is one of the listed shells (skipping accounts whose shell is not in the list)
[codesyntax lang="bash"]
john --wordlist=/path/to/password.lst --rules --shells=sh,csh,tcsh,bash mypasswds
[/codesyntax]
To exclude specific users (the leading minus turns the list into an exclusion list)
[codesyntax lang="bash"]
john --wordlist=/path/to/passwords.lst --rules --users=-root,me mypasswds
[/codesyntax]
Incremental Passwords – this takes forever, but it has a higher chance of recovering passwords that are not common words
This will use the default “incremental” mode parameters, which are defined in the configuration file’s section named either [Incremental:All] (for most hash types) or [Incremental:LanMan] (for Windows LM hashes). By default, the [Incremental:All] parameters are set to use the full printable US-ASCII character set (95 characters) and to try all possible password lengths from 0 to 8. [Incremental:LanMan] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each. See the MODES documentation on the Openwall web site.
[codesyntax lang="bash"]
john --incremental mypasswds
[/codesyntax]
Speed
A few regular visitors of my website who also follow me on Twitter sent me some messages asking about speed. Speed is important, of course, and you won’t see GPU-cracking speeds with john, but you will see decent speeds. What I decided to do was to take my own personal dictionary file and run it through both john and hashcat against a password list I have some personal information about.
Below I am using my own custom password list file. It is very large and I often use it when I am not enabling the rules option of john. If I am enabling rules, I use a much smaller list that keeps the time more manageable. Info about this list:
[codesyntax lang="bash"]
ewiget@TSPH4GD:/pentest/passwords/wordlists$ wc -l eds.passwd.list
310,261,848 eds.passwd.list
[/codesyntax]
Here are the results. First with john and the rules option, which is pretty much guaranteed to crack the most passwords, but I aborted this run because I mostly wanted to show that it was going to take a very long time: from February 10 to April 8th, estimated:
[codesyntax lang="bash"]
ewiget@TSPH4GD:/pentest/passwords/john-1.7.9-jumbo-5/run$ ./john --wordlist=/pentest/passwords/wordlists/eds.passwd.list --rules --shells=sh,csh,tcsh,bash /home/ewiget/mypasswds
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])
guesses: 0 time: 0:00:00:15 0.00% c/s: 8489 trying: 0u75pi7 - 0u7c14m012
guesses: 0 time: 0:10:06:35 0.10% (ETA: Mon Apr 8 07:02:49 2013) c/s: 9731 trying: 367799 - 3675906
guesses: 0 time: 0:10:07:09 0.10% (ETA: Mon Apr 8 16:29:29 2013) c/s: 9731 trying: 3561040 - 355tied616
Session aborted
[/codesyntax]
And then this one without the rules option enabled (I will update this with hashcat after it completes, and yes, that is at least X more days away, because the value of X is only an estimate right now). This one was started on February 12 and says it will end on Feb 20, 8 days:
[codesyntax lang="bash"]
ewiget@TSPH4GD:/pentest/passwords/john-1.7.9-jumbo-5/run$ ./john --wordlist=/pentest/passwords/wordlists/eds.passwd.list --shells=sh,csh,tcsh,bash /home/ewiget/mypasswds
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])
guesses: 0 time: 0:00:10:24 0.09% (ETA: Mon Feb 20 11:02:26 2012) c/s: 9346 trying: Pan-scandinavia - Pantheian
guesses: 0 time: 0:01:10:32 0.63% (ETA: Mon Feb 20 05:02:39 2012) c/s: 9317 trying: SPECIOUS - SPITBOL
[/codesyntax]
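The 8-day figure above can be checked before starting a run: with salted hashes john's c/s counts crypts, and every candidate has to be hashed once per distinct salt, so the expected time is words × salts ÷ c/s. The script below is an added example of that arithmetic and of reading the status lines john prints; it is not part of the page or of John the Ripper, and only the word count, salt count and c/s values are taken from the output above.

```python
import re

# Added example (not from the page or from John the Ripper itself): estimate how
# long a wordlist run will take from the figures john prints. The SAMPLE_* values
# are copied from this page's own output; the functions are my own.

STATUS_RE = re.compile(
    r"time:\s*(\d+):(\d+):(\d+):(\d+)\s+"   # elapsed time as D:HH:MM:SS
    r"([\d.]+)%"                             # percent of the run completed
    r".*?c/s:\s*(\d+)"                       # crypts per second (skips the optional ETA)
)

def parse_status(line):
    """Pull elapsed seconds, percent done and c/s out of one john status line."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError("not a john status line: %r" % line)
    days, hours, mins, secs = (int(x) for x in m.group(1, 2, 3, 4))
    elapsed = ((days * 24 + hours) * 60 + mins) * 60 + secs
    return {"elapsed_s": elapsed, "percent": float(m.group(5)), "cps": int(m.group(6))}

def estimate_seconds(words, salts, cps, rule_multiplier=1):
    """Expected run time in seconds: each candidate is hashed once per distinct
    salt, and --rules multiplies the candidate count (the factor depends on the rule set)."""
    return words * rule_multiplier * salts / cps

def remaining_seconds(status):
    """Project the time left from a parsed status line; None before any progress is shown."""
    if status["percent"] <= 0:
        return None
    total = status["elapsed_s"] * 100.0 / status["percent"]
    return total - status["elapsed_s"]

# Constructed from the page's output: 310,261,848 words, 20 salts, ~9346 c/s without rules.
SAMPLE_WORDS, SAMPLE_SALTS, SAMPLE_CPS = 310261848, 20, 9346
SAMPLE_STATUS = ("guesses: 0 time: 0:01:10:32 0.63% (ETA: Mon Feb 20 05:02:39 2012) "
                 "c/s: 9317 trying: SPECIOUS - SPITBOL")

if __name__ == "__main__":
    days = estimate_seconds(SAMPLE_WORDS, SAMPLE_SALTS, SAMPLE_CPS) / 86400
    print("no-rules run should take about %.1f days" % days)      # about 7.7 days
    st = parse_status(SAMPLE_STATUS)
    print("status line projects %.1f days left" % (remaining_seconds(st) / 86400))
```

Both numbers land within a few hours of the ETA john printed, which is a quick way to decide whether a planned audit run fits the time you have before starting it.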