John the ripper

Main folder

~/.john

  1. Cracked passwords: ~/.john/john.pot

Basic usage

$ john  <text_file_containing_hash_to_crack>
$ john --format=[format] --wordlist=[wordlist] <text_file_containing_hash_to_crack>
$ john --format=[format] --wordlist=[wordlist] --rules=[rule]  <text_file_containing_hash_to_crack>
# show cracked passwords
$ john --show <text_file_containing_hash_to_crack>

Hash formats

John The Ripper Hash Formatspentestmonkey

Rules

The --rules flag allows specification of rules to be applied to values in a word list, in order to generate possible password variations.

The instructions/format for the rules can be found in the /etc/john/john.conf file under a specific header in the format [List.Rules:rule_format]. A few examples include single or wordlist.

Single

[List.Rules:Single] (/etc/john/john.conf)

Uses information from a given set of data consisting of user-specific information such as username, passwords used in other applications, private information such as pet's name, etc. to generate variations of the initial supplied data.

Eg. Information have been gathered about a target, and the following word list have been generated - consisting of the username/passwords used on other sites (leaked or hacked via means) and pet's name.

$ cat user.txt
thundereagle
jarrett
jarrettgoh
qwerty
qwerty123

The single ruleset may generate variations of these data such as: thundere@gle, j@rrett, etc.

$ john --rules=single --wordlist=user.txt --format=[format] hash.txt

Wordlist

[List.Rules:Wordlist] (/etc/john/john.conf)

A rule will be applied to each word from the supplied wordlist to generate additional variations. For example, it could append numbers to the value, capitalize them, etc.

$ cat long_wordlist.txt # eg. rockyou.txt
weakpass1
weakpass2
1weakpass
2weakpass
...

The wordlist ruleset may generate variations of these data such as: weakpass12,12weakpass etc.

Overview

  • --rules=single: Best used to generate password guesses based on data related to a target user: usernames, passwords, etc. and apply simple transformations.

  • --rules=wordlist: Best used to apply transformations to every word in a wordlist to generate variatons.

Printing results to stdout without cracking hashes

The --stdout flag can be used to print the generated results without actually using it to crack any hashes

$ john ...options --stdout

Suppose you would like to apply certain rules (eg. single) to a word list and save it to an output file, without cracking any hashes.

$ john --wordlist=<wordlist> --rules=single --stdout > output.txt

# extend output.txt with additional rules
$ john --wordlist=<wordlist> --rules=wordlist --stdout >> output.txt

Additional modules

  1. unshadow

$ unshadow 
Usage: unshadow PASSWORD-FILE SHADOW-FILE

# Assume a root shell on the target machine (with escalated privileges)
$ echo /etc/passwd > passwd.txt
$ echo /etc/shadow > shadow.txt
$ unshadow passwd.txt shadow.txt > password.txt


$ john password.txt
...
# OR
$ john --wordlist /usr/share/wordlists/rockyou.txt password.txt
...

  1. Conversion of data format or password protected media to a format that john can crack.

Eg. Conversion of password protected PDF file to john understandable format:

  • /usr/share/john/pdf2john.pl

  • /usr/bin/pdf2john

  • /opt/pdf2john.pl

  • ...

Given a .pdf file named private.pdf 

# Convert the private.pdf file to a john format, and save the output to pdf.hash
$ /usr/bin/pdf2john private.pdf > pdf.hash

Now, john can be ran on the pdf.hash file

# Note: the --format flag is not required as john will automatically infer the format
# The format can still be specified explicitly with the --format flag
# for some instance when john don't recognise the format accurately
$ john --rules=[rule] --wordlist=[wordlist] pdf.hash

Examples

1. Brute-forcing NTLM hash (SAM database)

Load the single NTLM hash value or the whole line of entry from the SAM database into a .txt file. Eg. retrieved from TryHackMe practice room:

jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::

LogoTryHackMe | Cyber Security TrainingTryHackMe
$ echo 69596c7aa1e8daee17f8e78870e25a5c > ntlm.txt
$ cat ntlm.txt
69596c7aa1e8daee17f8e78870e25a5c

$ echo jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c::: > sam_entry.txt
$ cat sam_entry.txt
jchambers:1114:aad3b435b51404eeaad3b435b51404ee:69596c7aa1e8daee17f8e78870e25a5c:::

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT ntlm.txt
...
Trustno1         (jchambers)   
...

$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT sam_entry.txt
...
Trustno1         (jchambers)   
...
PreviousHydraNextHashcat

Last updated