John the ripper

Main folder

~/.john

  1. Cracked passwords: ~/.john/john.pot

Basic usage

$ john  <text_file_containing_hash_to_crack>
$ john --format=[format] --wordlist=[wordlist] <text_file_containing_hash_to_crack>
$ john --format=[format] --wordlist=[wordlist] --rules=[rule]  <text_file_containing_hash_to_crack>
# show cracked passwords
$ john --show <text_file_containing_hash_to_crack>

Hash formats

John The Ripper Hash Formatspentestmonkey

Rules

The --rules flag allows specification of rules to be applied to values in a word list, in order to generate possible password variations.

The instructions/format for the rules can be found in the /etc/john/john.conf file under a specific header in the format [List.Rules:rule_format]. A few examples include single or wordlist.

Single

[List.Rules:Single] (/etc/john/john.conf)

Uses information from a given set of data consisting of user-specific information such as username, passwords used in other applications, private information such as pet's name, etc. to generate variations of the initial supplied data.

Eg. Information have been gathered about a target, and the following word list have been generated - consisting of the username/passwords used on other sites (leaked or hacked via means) and pet's name.

The single ruleset may generate variations of these data such as: thundere@gle, j@rrett, etc.

Wordlist

[List.Rules:Wordlist] (/etc/john/john.conf)

A rule will be applied to each word from the supplied wordlist to generate additional variations. For example, it could append numbers to the value, capitalize them, etc.

The wordlist ruleset may generate variations of these data such as: weakpass12,12weakpass etc.

Overview

  • --rules=single: Best used to generate password guesses based on data related to a target user: usernames, passwords, etc. and apply simple transformations.

  • --rules=wordlist: Best used to apply transformations to every word in a wordlist to generate variatons.

Printing results to stdout without cracking hashes

The --stdout flag can be used to print the generated results without actually using it to crack any hashes

Suppose you would like to apply certain rules (eg. single) to a word list and save it to an output file, without cracking any hashes.

Additional modules

  1. unshadow

  1. Conversion of data format or password protected media to a format that john can crack.

Eg. Conversion of password protected PDF file to john understandable format:

  • /usr/share/john/pdf2john.pl

  • /usr/bin/pdf2john

  • /opt/pdf2john.pl

  • ...

Given a .pdf file named private.pdf

Now, john can be ran on the pdf.hash file

Examples

1. Brute-forcing NTLM hash (SAM database)

Load the single NTLM hash value or the whole line of entry from the SAM database into a .txt file. Eg. retrieved from TryHackMe practice room:

jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::

LogoMetasploit: MeterpreterTryHackMe
PreviousHydraNextHashcat

Last updated