Feb 11, 2012
 

You might also want to see my article Installing JTR On Backtrack for Multiprocessor Cores

I am too lazy to restore the old version of this file from my old website (it was hosted for years on Mambo and I am just too lazy to do the DB conversion). Anyway, this website serves a couple of purposes: first, to keep some of my own notes handy, and second, to help others. With that in mind, here is a collection of tips on using John the Ripper:

Prepare Linux Shadow Passwords

umask 077
./unshadow /etc/passwd /etc/shadow > mypasswds

Default Modes – This will try “single crack” mode first, then use a wordlist with rules, and finally go for “incremental” mode.

./john mypasswds

Show Passwords

john --show mypasswds

Specify Modes

john --single mypasswds

Multiple Files Containing Hashes

john --single passwd1 passwd2 mypasswds
or use a wildcard
john --single passwd* mypasswds

To use a wordlist

john --wordlist=/path/to/password.lst mypasswds

To mangle words from the wordlist, use the --rules option

john --wordlist=/path/to/password.lst --rules mypasswds

To run in the background and name the session so it can be resumed if it is interrupted, use the --session option

john --session=mysessionname --wordlist=/path/to/password.lst --rules mypasswds &

See the status of a session

john --status=mysessionname

To restore a session by name

john --restore=mysessionname

When cracking Linux shadow files, to only try accounts whose login shell is one of a given list (so locked and system accounts are skipped), use --shells

john --wordlist=/path/to/password.lst --rules --shells=sh,csh,tcsh,bash mypasswds

To exclude specific users (the leading minus negates the list, so everyone except root and me is tried)

john --wordlist=/path/to/passwords.lst --rules --users=-root,me mypasswds

Incremental Mode – this takes forever, but it has a higher rate of finding passwords that are not common words

This will use the default “incremental” mode parameters, which are defined in the configuration file’s section named either [Incremental:All] (for most hash types) or [Incremental:LanMan] (for Windows LM hashes). By default, the [Incremental:All] parameters are set to use the full printable US-ASCII character set (95 characters) and to try all possible password lengths from 0 to 8. [Incremental:LanMan] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each. See the MODES document on the Openwall web site for details.

john --incremental mypasswds

Speed

A few regular visitors of my website who also follow me on Twitter sent me some messages and asked about speed. I think that speed is important, of course, and you likely won’t see the speed of GPU cracking with john, but you will see decent speeds. What I decided to do was take my own personal dictionary file and run it through both john and hashcat against a password list I have some personal information about.

Below I am using my own custom password list file. It is very large and I often use it when I am not enabling the rules option of john. If I am enabling rules, I use a much smaller list that keeps the time more manageable. Info about this list:

ewiget@TSPH4GD:/pentest/passwords/wordlists$ wc -l eds.passwd.list
310,261,848 eds.passwd.list

Here are the results. First, with john and the --rules option, which is pretty much guaranteed to crack the most passwords, but I aborted this run because I mostly wanted to show that it was going to take a very long time – from February 10 to April 8th, estimated:

ewiget@TSPH4GD:/pentest/passwords/john-1.7.9-jumbo-5/run$ ./john --wordlist=/pentest/passwords/wordlists/eds.passwd.list --rules --shells=sh,csh,tcsh,bash /home/ewiget/mypasswds
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])
guesses: 0  time: 0:00:00:15 0.00%  c/s: 8489  trying: 0u75pi7 - 0u7c14m012
guesses: 0  time: 0:10:06:35 0.10% (ETA: Mon Apr  8 07:02:49 2013)  c/s: 9731  trying: 367799 - 3675906
guesses: 0  time: 0:10:07:09 0.10% (ETA: Mon Apr  8 16:29:29 2013)  c/s: 9731  trying: 3561040 - 355tied616
Session aborted

And then this one without the rules option enabled (I will update this with hashcat after this completes, and yes, that is in at least X more days, because the value of X is unknown / estimated right now). This one was started on February 12 and says it will end on Feb 20, 8 days:

ewiget@TSPH4GD:/pentest/passwords/john-1.7.9-jumbo-5/run$ ./john --wordlist=/pentest/passwords/wordlists/eds.passwd.list --shells=sh,csh,tcsh,bash /home/ewiget/mypasswds
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])
guesses: 0  time: 0:00:10:24 0.09% (ETA: Mon Feb 20 11:02:26 2012)  c/s: 9346  trying: Pan-scandinavia - Pantheian
guesses: 0  time: 0:01:10:32 0.63% (ETA: Mon Feb 20 05:02:39 2012)  c/s: 9317  trying: SPECIOUS - SPITBOL
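To make the status lines above easier to reason about, here is an added Python example (mine, not part of the original post and not code from John the Ripper) that parses john's "Loaded ..." and "guesses: ..." lines, turns the D:HH:MM:SS elapsed time and the percentage into an estimate of the whole run, and converts the c/s figure into a per-candidate rate. It assumes, following john's own documentation, that c/s counts candidate-and-salt combinations, so with 20 salts the candidate rate is c/s divided by 20; the sample lines and the wordlist size are copied from the runs shown above. Applied to the rules run, 10 hours at 0.10% works out to roughly 421 days, which agrees with the 2013 date john printed in that line's ETA rather than with a same-year April; the plain wordlist run works out to about 8 days, matching its Feb 20 ETA, and dividing the 310 million words by the per-candidate rate gives the same answer, which is a useful sanity check on the c/s interpretation.

```python
import re

# Sample output copied from the two john runs shown above; both runs printed the same "Loaded" line.
LOADED_LINE = "Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])"
RULES_RUN = [
    "guesses: 0  time: 0:00:00:15 0.00%  c/s: 8489  trying: 0u75pi7 - 0u7c14m012",
    "guesses: 0  time: 0:10:06:35 0.10% (ETA: Mon Apr  8 07:02:49 2013)  c/s: 9731  trying: 367799 - 3675906",
]
WORDLIST_RUN = [
    "guesses: 0  time: 0:00:10:24 0.09% (ETA: Mon Feb 20 11:02:26 2012)  c/s: 9346  trying: Pan-scandinavia - Pantheian",
    "guesses: 0  time: 0:01:10:32 0.63% (ETA: Mon Feb 20 05:02:39 2012)  c/s: 9317  trying: SPECIOUS - SPITBOL",
]
WORDLIST_SIZE = 310261848  # lines in eds.passwd.list, from the wc -l output above

LOADED_RE = re.compile(r"Loaded (?P<hashes>\d+) password hash(?:es)? with (?P<salts>\d+) different salts?")
STATUS_RE = re.compile(
    r"guesses:\s*(?P<guesses>\d+)\s+"
    r"time:\s*(?P<d>\d+):(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\s+"  # elapsed as D:HH:MM:SS
    r"(?P<pct>\d+(?:\.\d+)?)%"                                 # percent of the keyspace done
    r".*?c/s:\s*(?P<cps>\d+)"                                  # candidate x salt combinations per second
)


def parse_loaded(line):
    """Return (hash_count, salt_count) from john's 'Loaded ...' line, or None if it does not match."""
    m = LOADED_RE.search(line)
    return (int(m["hashes"]), int(m["salts"])) if m else None


def parse_status(line):
    """Parse one 'guesses: ...' status line into a dict; return None for any other line."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    elapsed = int(m["d"]) * 86400 + int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {"guesses": int(m["guesses"]), "elapsed_s": elapsed,
            "pct": float(m["pct"]), "cps": int(m["cps"])}


def estimate_total_days(status):
    """Whole-run length implied by elapsed time and percent done; None while john still shows 0.00%."""
    if status["pct"] <= 0.0:
        return None
    return status["elapsed_s"] * (100.0 / status["pct"]) / 86400.0


def candidates_per_second(cps, salts):
    """c/s counts candidate-and-salt combinations (assumption from john's docs), so divide by the salt count."""
    return cps / salts


def wordlist_days(words, cps, salts):
    """Days needed to try every word once (no rules) at the observed c/s against this many salts."""
    return words / candidates_per_second(cps, salts) / 86400.0


def incremental_keyspace(charset_size=95, max_len=8):
    """Candidates covered by the [Incremental:All] defaults: every length 0..8 over 95 printable characters."""
    return sum(charset_size ** n for n in range(max_len + 1))


if __name__ == "__main__":
    hashes, salts = parse_loaded(LOADED_LINE)
    for label, lines in (("rules", RULES_RUN), ("wordlist only", WORDLIST_RUN)):
        for line in lines:
            st = parse_status(line)
            days = estimate_total_days(st)
            shown = "n/a (0.00% done)" if days is None else f"{days:.1f} days"
            print(f"{label}: {st['pct']:.2f}% after {st['elapsed_s']} s -> about {shown} for the whole run")
    print(f"one pass over the wordlist at 9346 c/s with {salts} salts: "
          f"{wordlist_days(WORDLIST_SIZE, 9346, salts):.1f} days")
    ks = incremental_keyspace()
    years = ks / candidates_per_second(9731, salts) / 86400 / 365
    print(f"incremental keyspace: {ks:,} candidates; at 9731 c/s over {salts} salts that is ~{years:,.0f} years")
```

The percentage john prints is rounded to two decimals, so early estimates swing a lot (0.09% versus 0.10% is a 10% difference in the projected total); the estimate settles as the run progresses, which is why the two wordlist lines agree to within a few hours while the first rules line gives no estimate at all.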
