You might also want to see my article Installing JTR On Backtrack for Multiprocessor Cores
I am too lazy to restore the old version of this file from my old website (it was hosted for years on Mambo and I am just too lazy to do the database conversion). Anyway, this website serves two purposes: first, to keep some of my own notes handy, and second, to help others. With that in mind, here is a collection of tips on using John the Ripper:
Prepare Linux Shadow Passwords
Set a restrictive umask first so the merged file, which contains every hash on the system, is readable only by you. unshadow has to read /etc/shadow, so run it as root.
umask 077
./unshadow /etc/passwd /etc/shadow > mypasswds
Default Modes – With no mode given, this will try “single crack” mode first, then the default wordlist (password.lst) with rules, and finally “incremental” mode.
./john mypasswds
Show Passwords (the ones already cracked for this file, read from john.pot)
john --show mypasswds
Specify Modes
john --single mypasswds
Multiple Files Containing Hashes
john --single passwd1 passwd2 mypasswds
john --single passwd* mypasswds
To use a wordlist
john --wordlist=/path/to/password.lst mypasswds
To mangle words from the wordlist, use the --rules option
john --wordlist=/path/to/password.lst --rules mypasswds
To run in the background and name the session so it can be resumed if it is interrupted, use the session option (the state is saved in mysessionname.rec)
john --session=mysessionname --wordlist=/path/to/password.lst --rules mypasswds &
See the status of a session
john --status=mysessionname
To restore a session by name
john --restore=mysessionname
If cracking Linux shadow files, to only load accounts whose login shell is one of the listed shells (this skips system accounts with shells like nologin or false)
john --wordlist=/path/to/password.lst --rules --shells=sh,csh,tcsh,bash mypasswds
To exclude specific users, prefix the list with a minus sign (here root and me are skipped)
john --wordlist=/path/to/password.lst --rules --users=-root,me mypasswds
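The following is an added example, not part of the original article, showing what the unshadow step above actually produces and what the --shells filter keeps. It re-implements the merge in awk on constructed /etc/passwd and /etc/shadow lines (the hash strings are placeholders, not real hashes) and adds a filter that mimics --shells; accounts whose hash field is a lock marker (* or !) are dropped too, since john would not recognise those as hashes anyway.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal re-implementation
# of the unshadow merge on constructed sample data, plus a filter that
# mimics what --shells does at load time.
set -eu

# Constructed /etc/passwd-style lines; not taken from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed /etc/shadow-style lines. The $1$ strings are placeholders
# shaped like FreeBSD MD5 crypt hashes, not real hashes of anything.
SAMPLE_SHADOW='root:$1$saltsalt$placeholderhashAAAAAAAAAAA:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$1$saltsalt$placeholderhashBBBBBBBBBBB:15000:0:99999:7:::'

# merge_shadow PASSWD SHADOW
# Prints PASSWD with the 'x' in field 2 replaced by the hash from the
# SHADOW entry of the same user, which is the format unshadow produces.
merge_shadow() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }
             ($1 in hash) { $2 = hash[$1] }
             { print }' OFS=: "$2" "$1"
}

# crackable_users MERGED SHELL[,SHELL...]
# Emulates --shells=SHELL,...: keep only accounts whose login shell
# basename is listed. Accounts whose hash field is a lock marker
# (* or !) are dropped as well, since there is nothing to crack there.
crackable_users() {
    awk -F: -v list="$2" '
        BEGIN { n = split(list, s, ","); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        { sh = $7; sub(/.*\//, "", sh)
          if ((sh in ok) && $2 !~ /^[*!]/) print $1 }' "$1"
}

# Stand-alone demo. umask 077 keeps every file created below private,
# which matters because the merged file carries all of the hashes.
umask 077
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$WORK/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$WORK/shadow"
merge_shadow "$WORK/passwd" "$WORK/shadow" > "$WORK/mypasswds"

echo "merged file:"; cat "$WORK/mypasswds"
echo "accounts kept by --shells=sh,bash (roughly what john would load):"
crackable_users "$WORK/mypasswds" sh,bash
ls -l "$WORK/mypasswds"    # -rw------- because of umask 077
```

The merged root and alice lines carry their hashes in field 2 and are kept by the sh,bash filter; daemon is dropped both because its shell is nologin and because its hash field is the lock marker *.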
Incremental Passwords – this takes forever, but it is the mode that finds passwords that are not common words or simple manglings of them, because it tries every combination of the configured character set
This will use the default “incremental” mode parameters, which are defined in the configuration file's section named either [Incremental:All] (for most hash types) or [Incremental:LanMan] (for Windows LM hashes). By default, the [Incremental:All] parameters are set to use the full printable US-ASCII character set (95 characters) and to try all possible password lengths from 0 to 8. [Incremental:LanMan] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each. See the MODES document on the Openwall web site for the details.
john --incremental mypasswds
Speed
A few regular visitors to my website (some of them also on my Twitter) sent me messages asking about speed. Speed is important of course, and you won't see GPU-cracking speeds with john, but you will see decent speeds. What I decided to do was take my own personal dictionary file and run it through both john and hashcat against a password list I have some personal information about.
Below I am using my own custom password list file. It is very large, and I often use it when I am not enabling john's rules option. If I am enabling rules, I use a much smaller list that keeps the run time manageable. Info about this list:
ewiget@TSPH4GD:/pentest/passwords/wordlists$ wc -l eds.passwd.list
310,261,848 eds.passwd.list
Here are the results. First, john with the rules option, which is pretty much guaranteed to crack the most passwords. I aborted this run because I mostly wanted to show that it was going to take a very long time: from February 10 to an estimated April 8:
ewiget@TSPH4GD:/pentest/passwords/john-1.7.9-jumbo-5/run$ ./john --wordlist=/pentest/passwords/wordlists/eds.passwd.list --rules --shells=sh,csh,tcsh,bash /home/ewiget/mypasswds
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])
guesses: 0 time: 0:00:00:15 0.00% c/s: 8489 trying: 0u75pi7 - 0u7c14m012
guesses: 0 time: 0:10:06:35 0.10% (ETA: Mon Apr 8 07:02:49 2013) c/s: 9731 trying: 367799 - 3675906
guesses: 0 time: 0:10:07:09 0.10% (ETA: Mon Apr 8 16:29:29 2013) c/s: 9731 trying: 3561040 - 355tied616
Session aborted
And then the same run without the rules option (I will update this with hashcat results after this completes, and yes, that is at least X more days away, where the value of X is unknown / estimated right now). This one was started on February 12 and says it will finish on February 20, 8 days:
ewiget@TSPH4GD:/pentest/passwords/john-1.7.9-jumbo-5/run$ ./john --wordlist=/pentest/passwords/wordlists/eds.passwd.list --shells=sh,csh,tcsh,bash /home/ewiget/mypasswds
Loaded 20 password hashes with 20 different salts (FreeBSD MD5 [SSE2i 12x])
guesses: 0 time: 0:00:10:24 0.09% (ETA: Mon Feb 20 11:02:26 2012) c/s: 9346 trying: Pan-scandinavia - Pantheian
guesses: 0 time: 0:01:10:32 0.63% (ETA: Mon Feb 20 05:02:39 2012) c/s: 9317 trying: SPECIOUS - SPITBOL
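The 8-day ETA above is not magic; it follows from the numbers john prints. The c/s figure counts candidate/salt pairs, so with 20 hashes that all have different salts every word from the list costs 20 crypts. The added example below (mine, not the article's) parses the c/s value out of the status line quoted above and turns the wordlist size, salt count and c/s rate into an estimate; the candidates-per-word argument is a hypothetical multiplier for a --rules run, since the page does not say how many candidates its rule set produces per word.

```shell
#!/bin/sh
# Added example (not from the original article): estimating how long a
# wordlist run takes from john's own status output. c/s counts each
# candidate tried against each salt, which is why 310 million words
# against 20 distinct salts take days at roughly 9300 c/s.
set -eu

# Status line copied from the article's run without rules (20 salts).
STATUS='guesses: 0 time: 0:01:10:32 0.63% (ETA: Mon Feb 20 05:02:39 2012) c/s: 9317 trying: SPECIOUS - SPITBOL'

# cps_from_status LINE -> the c/s number from a john 1.7.x status line.
cps_from_status() {
    printf '%s\n' "$1" | sed -n 's/.*c\/s: \([0-9][0-9]*\).*/\1/p'
}

# eta_seconds WORDS SALTS CPS [CANDIDATES_PER_WORD]
# Total crypts = words * candidates per word * salts; divide by c/s.
# CANDIDATES_PER_WORD is 1 for a plain wordlist run. With --rules it is
# however many mangled candidates the rule set yields per word; the
# value passed below is an illustrative assumption, not a measurement.
eta_seconds() {
    awk -v w="$1" -v s="$2" -v c="$3" -v m="${4:-1}" \
        'BEGIN { printf "%d\n", w * m * s / c }'
}

# fmt_duration SECONDS -> "Dd Hh Mm"
fmt_duration() {
    awk -v t="$1" 'BEGIN {
        d = int(t / 86400); t -= d * 86400
        h = int(t / 3600);  t -= h * 3600
        printf "%dd %dh %dm\n", d, h, int(t / 60) }'
}

WORDS=310261848   # wc -l of the article's eds.passwd.list
SALTS=20          # "Loaded 20 password hashes with 20 different salts"
CPS=$(cps_from_status "$STATUS")
SECS=$(eta_seconds "$WORDS" "$SALTS" "$CPS")
echo "plain wordlist, $SALTS salts, $CPS c/s: $(fmt_duration "$SECS")"
# Hypothetical rules run producing 10 candidates per word (assumption).
echo "same list with 10 candidates per word: $(fmt_duration "$(eta_seconds "$WORDS" "$SALTS" "$CPS" 10)")"
```

For the numbers on this page the plain wordlist estimate comes out at 666,012 seconds, about 7 days and 17 hours, which is the 8-day ETA john reported. The same arithmetic also shows why a single unsalted hash type (or many accounts sharing a salt) is so much cheaper to attack: the salt count is a straight multiplier on the work.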