John the Ripper (JTR) is a widely known and verified fast password cracker, available for Windows, DOS, BeOS, and OpenVMS and many flavours of Linux. It uses wordlists/dictionary to crack many different types of hashes including
John the Ripper: Fast Password Cracker
This password cracking tool is free and Open Source, initially developed for the Unix operating system. But today it runs on fifteen different platforms. Its primary purpose is to detect weak Unix passwords. Besides several
crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, and a lot of other hashes and ciphers in the community-enhanced version.
For those who rather use commercial version, John the Ripper is available for following platforms:
- Linux: John the Ripper Pro
- Mac OS X: John the Ripper Pro
- Windows: Hash Suite
- Android: Hash Suite Droid
John the Ripper offers two types of attacks:
- Dictionary: It takes text string samples from wordlist, which contains dictionary of real passwords that are cracked before, encrypting it in the same format as the password being examined (encryption algorithm/key), and comparing the output to the encrypted string. John can also perform word alterations.
- Brute force: It goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. This method takes a long time to run, but it’s precious for cracking password that doesn’t appear in wordlist dictionary.
- Feature-rich and fast password cracking tool, with several cracking modes.
- It allows you to define a custom cracking mode using the built-in compiler supporting a subset of C.
- You can use same cracker everywhere, since John is available for different platforms, with possibility to continue a cracking session started on another platform.
- This tool supports a lot of Unix crypt(3) hash types:
BSDI extended DES-based,
Kerberos/AFS and Windows LM (DES-based),
- On Linux distributions with
glibc 2.7+, John 1.7.6+ supports
SHA-crypthashes, with optional OpenMP parallelization (requires GCC 4.2+).
- On recent versions of Solaris, John 1.7.6+ supports and autodetects
SunMD5hashes, also with optional OpenMP parallelization (requires GCC 4.2+ or recent Sun Studio).
- John the Ripper Pro adds support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes.
- “Community enhanced” -jumbo versions add support for many more password hash types:
- Windows NTLM (
MD4-based), Mac OS X 10.4-10.6
salted SHA-1hashes, Mac OS X 10.7
salted SHA-512hashes, raw
MD5-based“web application” password hash types, hashes used by SQL database servers (MySQL, MS SQL, Oracle) and by some LDAP servers, several hash types used on OpenVMS, password hashes of the Eggdrop IRC bot, and lots of other hash types, as well as many non-hashes such as OpenSSH private keys, S/Key skeykeys files, Kerberos TGTs, PDF files, ZIP (classic PKZIP and WinZip/AES) and RAR archives.
- Windows NTLM (
- John the Ripper has its own highly optimized modules for different hash types and processor architectures.
John the Ripper’s Cracking Modes:
- Wordlist mode
- Single crack mode
- Incremental mode
- External mode
Clone it from the Github repository:
$ cd ~/src $ git clone git://github.com/magnumripper/JohnTheRipper -b bleeding-jumbo john
$ cd ~/src/john/src $ ./configure && make -s clean && make -sj4
To test your build, run:
$ ../run/john --test
Windows users can find detailed documentation on the official John the Ripper Wiki page.
To run John, firstly supply it with some password files and if you wish, specify a cracking mode:
$ john passwd
If you want to restrict it to the wordlist mode only (permitting the use of word mangling rules):
$ john --wordlist=password.lst --rules passwd
To retrieve the cracked passwords, run:
$ john --show passwd
Interrupted session can be continued with the following:
$ john --restore
Usage (1.8.0): john [OPTIONS] [PASSWORD-FILES] --single[=(SECTION[,S2,..,Sn]|:rule)] "single crack" mode --wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin --pipe like --stdin, but bulk reads, and allows rules --loopback[=FILE] like --wordlist, but extract words from a .pot file --dupe-suppression suppress all dupes in wordlist (and force preload) --prince[=FILE] PRINCE mode, read words from FILE --encoding=NAME input encoding (eg. UTF-8, ISO-8859-1). See also doc/ENCODINGS and --list=hidden-options. --rules[=(SECTION[,S2,..,Sn]|:rule)] enable word mangling rules for wordlist or PRINCE modes --incremental[=MODE] "incremental" mode [using section MODE] --mask[=MASK] mask mode using MASK (or default from john.conf) --markov[=OPTIONS] "Markov" mode (see doc/MARKOV) --external=MODE external mode or word filter --subsets[=CHARSET] "subsets" mode (see doc/SUBSETS) --stdout[=LENGTH] just output candidate passwords [cut at LENGTH] --restore[=NAME] restore an interrupted session [called NAME] --session=NAME give a new session the NAME --status[=NAME] print status of a session [called NAME] --make-charset=FILE make a charset file. It will be overwritten --show[=left] show cracked passwords [if =left, then uncracked] --test[=TIME] run tests and benchmarks for TIME seconds each --users=[-]LOGIN|UID[,..] [do not] load this (these) user(s) only --groups=[-]GID[,..] load users [not] of this (these) group(s) only --shells=[-]SHELL[,..] load users with[out] this (these) shell(s) only --salts=[-]COUNT[:MAX] load salts with[out] COUNT [to MAX] hashes --costs=[-]C[:M][,...] load salts with[out] cost value Cn [to Mn]. For tunable cost parameters, see doc/OPTIONS --save-memory=LEVEL enable memory saving, at LEVEL 1..3 --node=MIN[-MAX]/TOTAL this node's number range out of TOTAL count --fork=N fork N processes --pot=NAME pot file to use --list=WHAT list capabilities, see --list=help or doc/OPTIONS --devices=N[,..] set OpenCL device(s) (see --list=opencl-devices) --format=NAME force hash of type NAME. The supported formats can be seen with --list=formats and --list=subformats