
How to crack Linux passwords with JTR “John the Ripper” January 17, 2011

Posted by Tournas Dimitrios in Linux admin tools.

John the Ripper is password cracking software. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms. It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker. The encrypted password formats which it can be run against include various DES formats, RSA, MD4 and MD5, Kerberos AFS, and Windows LM hash. Additional modules have extended its ability to include passwords stored in LDAP, MySQL and others.

This article will just outline the basic usage of JTR with some practical examples. New Linux administrators on CentOS 5.x will get a good foundation to get started, but the concepts remain the same and can be applied on Windows machines too.

John is designed to discover weak passwords from the hashed ("encrypted") information in system files. It operates by taking text strings (usually from a file containing words found in a dictionary), hashing each one in the same format and with the same salt as the password being examined, and comparing the output to the stored string. It also offers a brute-force mode.

In computer science, a brute-force search consists of systematically enumerating every possible solution of a problem until a solution is found, or all possible solutions have been exhausted. For example, an anagram problem can be solved by enumerating all possible combinations of words with the same number of letters as the desired phrase, and checking one by one whether the words make a valid anagram.

JTR is not provided by any CentOS repository; fortunately for us, other websites provide a ready-made RPM package. I have made a test installation on an old Pentium III, and it worked perfectly, so follow these steps:

  • Go to this website and download the package for your architecture.
    Alternatively use the wget utility:
    wget http://packages.sw.be/john/john-1.7.6-1.el5.rf.i386.rpm
  • Install the package: rpm -ivh john-1.7.x.x.x.x.x.ixxx.rpm
  • First use the unshadow command; it combines the /etc/passwd and /etc/shadow files so John can use them (it must be run as root, since /etc/shadow is not world-readable):
    /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
  • To check for weak passwords (crack passwords), enter the following command:
    $ john /tmp/crack.password.db
    The cracking procedure can take a while, depending on the number of hashes and how strong the passwords are. At the end of the process the terminal window will show all the cracked passwords.
  • The cracked passwords will be printed to the terminal and saved in the file called $JOHN/john.pot (/root/.john/john.pot on CentOS 5). This file is also used so that hashes you have already cracked are not loaded again when you run JTR the next time:
    john -show /tmp/crack.password.db

The default operation of JTR (no command-line switches) uses brute-force, CPU-time-consuming password cracking techniques; a more efficient mode of operation is the wordlist cracking technique.

JTR can work in different modes:

– Bruteforce attack –

All this mode does is try every possible combination of letters (both upper and lowercase), numbers, symbols, or any mix of the three until it finds the password. There is a big problem with this type of attack, though: it can take extremely long, and no one wants to wait long periods of time if they don't have to. You can stop the process at any time by pressing Ctrl+C. Also, John the Ripper doesn't show progress continuously, but you can check the progress by pressing any key (assuming the key won't do something to interrupt the program; just use Enter or an arrow key or similar).

– Bruteforce attack with conditions –

One way you can shorten things is by choosing whether you only want to use letters or numbers to crack the password. So if you think the password only contains letters you can use the command "john -i:alpha password.db"; if you think the password only contains numbers you can use the command "john -i:digits password.db"; you can also use the command "john -i:all password.db" to guess a password that uses both letters and numbers.

– Dictionary attack –

Now, when passwords get long, even this method can be a long task. So another type of attack you can do is called a dictionary attack. What a dictionary attack does is take a wordlist (a text document full of words, be it an actual dictionary or more) and check each word in that list until it finds a match. This is a much faster way than the brute-forcing methods above. However, the only way this type of attack will work is if the password behind the hash is among the words in the wordlist. For this example the wordlist I will use will be called "wordlist.txt". To do a dictionary attack, type in this command: john -w:wordlist.txt password.db

When John the Ripper is done cracking the password and comes back with an answer it will display the password on screen (at least it does for me). However, if it doesn't (or if you want to go back and look at it in the future) there are two ways you can view the password. One is using the command "john -show password.db", which will display the cracked passwords on screen, and the other is the "john.pot" file (you can open it manually with your favorite editor, e.g. vim).

At the end of this article you will find links to some repositories that provide free wordlist files.

John can work in the following modes:

  • Wordlist: John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.
  • Single crack: In this mode, John will try to crack the password using the login/GECOS information as passwords.
  • Incremental (default mode): This is the most powerful mode. John will try any character combination to resolve the password. Details about these modes can be found in the MODES file in John's documentation, including how to define your own cracking methods.
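To make the mechanism behind these modes concrete, here is an added Python example; it is not code from this article or from the John the Ripper project. It re-implements the Unix md5crypt ("$1$") hash that CentOS 5 stores in /etc/shadow, parses constructed unshadow-style lines, and then tries candidates the way the three modes above do: "single" (login and GECOS words with a few mangling rules), "wordlist" (a small constructed list), and "incremental" (exhaustive enumeration, limited here to digits of up to three characters so it finishes in seconds). The salt, the accounts, the wordlist and the mangling rules are all constructed for this example; nothing is read from the system.

```python
"""Added example: how a dictionary / brute-force password check works.
Not from the article or the John the Ripper project. Re-implements md5crypt
("$1$") and runs single, wordlist and incremental candidate sources in the
order John uses them. All data below is constructed; nothing touches the
system's /etc/shadow.
"""
import hashlib
import itertools

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt(3)-style base-64: emit `count` characters, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt):
    """Return the "$1$<salt>$<hash>" string (Poul-Henning Kamp's md5crypt)."""
    pw = password.encode()
    sl = salt.encode()[:8]                      # md5crypt uses at most 8 salt bytes
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                               # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                    # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + out

def parse_unshadow_line(line):
    """Split one line of unshadow output (user:hash:uid:gid:gecos:home:shell)."""
    user, hashed, _uid, _gid, gecos, _home, _shell = line.strip().split(":")
    _, magic, salt, _digest = hashed.split("$")  # "$1$<salt>$<digest>"
    if magic != "1":
        raise ValueError("this example only handles $1$ (md5crypt) hashes")
    return {"user": user, "hash": hashed, "salt": salt, "gecos": gecos}

def single_candidates(acct):
    """Single-crack mode: guesses derived from the login name and GECOS words."""
    for w in [acct["user"]] + acct["gecos"].replace(",", " ").split():
        yield from (w, w.lower(), w.capitalize(), w + "1", w[::-1])

def wordlist_candidates(words):
    """Wordlist mode with a few constructed mangling rules."""
    for w in words:
        yield from (w, w.capitalize(), w + "123", w.capitalize() + "123")

def incremental_candidates(charset, max_len):
    """Incremental mode: every string over `charset` up to `max_len`, shortest first."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            yield "".join(combo)

def crack(acct, candidates):
    """Hash each candidate with the account's own salt and compare; None if no match."""
    for cand in candidates:
        if md5crypt(cand, acct["salt"]) == acct["hash"]:
            return cand
    return None

def audit(acct, wordlist, charset="0123456789", max_len=3):
    """Run the modes in John's default order; return (mode, password) or (None, None)."""
    for mode, cands in (("single", single_candidates(acct)),
                        ("wordlist", wordlist_candidates(wordlist)),
                        ("incremental", incremental_candidates(charset, max_len))):
        found = crack(acct, cands)
        if found is not None:
            return mode, found
    return None, None

SALT = "k2Yp0xQa"                               # constructed salt
WORDLIST = ["letmein", "dragon", "summer", "welcome"]   # constructed wordlist
SAMPLE_DB = [                                   # constructed unshadow output
    "alice:%s:500:500:Alice Smith:/home/alice:/bin/bash" % md5crypt("alice1", SALT),
    "bob:%s:501:501:Bob Jones:/home/bob:/bin/bash" % md5crypt("Summer123", SALT),
    "carol:%s:502:502:Carol Lee:/home/carol:/bin/bash" % md5crypt("742", SALT),
    "dave:%s:503:503:Dave Kim:/home/dave:/bin/bash" % md5crypt("xQ9!vL2#", SALT),
]

if __name__ == "__main__":
    for line in SAMPLE_DB:
        acct = parse_unshadow_line(line)
        mode, pw = audit(acct, WORDLIST)
        print(acct["user"], "->", (pw, mode) if pw else "not cracked")
```

Running it shows why the mode order matters: alice falls to single mode after a handful of hashes, bob to the wordlist, carol's three-digit PIN only to exhaustive enumeration, and dave's mixed eight-character password survives every source this example tries. Each candidate costs a full 1000-round md5crypt, which is the same cost a real cracker pays, so the number of candidates a mode has to try is what decides how long an audit takes.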

Practical example on CentOS 5.x

  1. unshadow /etc/passwd /etc/shadow > passwd.db
  2. john passwd.db
  3. john -show passwd.db

A more efficient way is to crack with the help of a wordlist:

  1. unshadow /etc/passwd /etc/shadow > passwd.db
  2. john --wordlist=wordlist_file passwd.db
  3. john -show passwd.db

JTR's documentation

According to the official site, these documentation files are installed on your box and should be read in this order:

  1. /usr/share/doc/john-xxxx/INSTALL
  2. /usr/share/doc/john-xxxx/OPTIONS
  3. /usr/share/doc/john-xxxx/MODES
  4. /usr/share/doc/john-xxxx/CONFIG
  5. /usr/share/doc/john-xxxx/RULES
  6. /usr/share/doc/john-xxxx/EXTERNAL
  7. /usr/share/doc/john-xxxx/EXAMPLES
  8. /usr/share/doc/john-xxxx/FAQ

More reading:
