
Question: What does John the Ripper do?

Answer: Cracks DES passwords, the form of encryption used by most internet servers, web sites and universities. DES encryption is used in Unix systems. DES stands for Data Encryption Standard.
1.1 Other Unix Password Crackers
Cracker Jack v1.4
Guess
Hades
Hellfire
John the Ripper Win32 version
John the Ripper *nix version
Killer Cracker
Koskrack
Pacec
Qcrack
Starcrak
VCU (front end for John the Ripper, Cracker Jack and Xit)
Viper v1.1
Xit

Password Files
Create a text document containing the password you want to crack, in the format given below:
john:234abc56
Or you can just use the file in the format it is given; John the Ripper will work with either format. This is an example of what part of a password file looks like with all the information:
john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john
To open a text document in Windows go to Start/Programs/Accessories/WordPad.
2.1 Broken down, this is what the above password file entry states:
john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john
Username: john
Encrypted Password: 234abc56
User Number: 9999
Group Number: 13
Other Information: John Johnson
Home Directory: /home/dir/john
Shell: /bin/john

John the Ripper
Open a DOS window, then change to the directory that contains the john.com file (using the cd command). Then you must decide how you want to crack the file. I would recommend the following approach, in this order: single mode, wordlist mode, wordlist mode with rules, incremental.
To open a DOS window go to Start/Programs/DOS Prompt.

Using the Single Crack Mode
Single crack mode is recommended as the first mode, as it will break all the weak passwords. It runs a set of simple rules against a basic word list; this mode is a good way to start because it is fast and will quickly break weak passwords.
john -single pass.txt
where pass.txt is your password file. Information on configuring single crack mode away from the defaults is given in the RULES document that comes with John the Ripper.

Using the Wordlist Mode
To run John the Ripper with a wordlist using the rules option, type in the DOS window
john -w:word.dic -rules pass.txt
where word.dic is your wordlist and pass.txt is your password file; a wordlist of about 2 MB is recommended. This mode runs your specified wordlist through a set of rules and will break most passwords, as most users choose passwords that have meaning and are easy to remember.
Using the Incremental Mode
The incremental mode should be used after trying the single and wordlist modes.
john -i:all pass.txt goes through all characters
john -i:alpha pass.txt goes through all the letters
john -i:digits pass.txt goes through all numbers
john -i:lanman pass.txt goes through capital letters, lower case letters, numbers and a few special characters
The incremental mode does as its name suggests, incrementing through all possible permutations of the character set. With a minimum length of 1, a maximum length of 6 and a character set of all lower case letters, it would first try a, then b, then c, and so on through to zzzzzz.
Using an External Mode
john -external:MODE pass.txt
where pass.txt is the password file to be cracked and MODE is defined in the john.ini file in the [list.External:MODE] section.
Trading Hard-Drive Space for Speed
If you use JTR and use the incremental modes often, you might want to try this.
john -stdout -i:[whatever] > blah.txt
where whatever is your favourite incremental mode. Then when you want to run that incremental mode you would type
john -w:blah.txt pass.txt
This works much faster and comes in handy if you can trade hard-drive space for performance.
Customizing Cracking Modes
Configuring Incremental Mode
Editing the john.ini file for the incremental mode can be done as shown below.
1) Scroll down to where it says #incremental
2) Go to the following section:
[Incremental:Alpha]
File = ~/alpha.chr
MinLen = 0
MaxLen = 8
CharCount = 26
Now you need to guess the minimum and maximum lengths, so if you think that it is a 5 character password you would change it to look like
[Incremental:Alpha]
File = ~/alpha.chr
MinLen = 5
MaxLen = 5
CharCount = 36
Extra=1234567890
Save your changes, then open your DOS window and type
john -i:alpha pass.txt
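To see what an [Incremental:NAME] section commits you to, the following added example (not part of John the Ripper) reads a constructed john.ini fragment in the layout shown above, counts the candidates it implies, and converts that to a worst-case running time from the c/s figure john reports; the rate values used are assumptions taken from the salts section further down this page.

```python
"""Keyspace and worst-case time implied by an [Incremental:NAME] section.
Added example for this tutorial, not part of John the Ripper."""
import configparser

# Constructed john.ini fragment in the layout shown above; the Lower
# section describes the a..zzzzzz example from the incremental-mode text.
INI_FRAGMENT = """\
[Incremental:Alpha]
File = ~/alpha.chr
MinLen = 5
MaxLen = 5
CharCount = 36
Extra=1234567890

[Incremental:Lower]
File = ~/lower.chr
MinLen = 1
MaxLen = 6
CharCount = 26
"""


def load_incremental(ini_text, name):
    """Read MinLen/MaxLen/CharCount from the [Incremental:name] section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["Incremental:" + name]
    return {"minlen": sec.getint("MinLen"),
            "maxlen": sec.getint("MaxLen"),
            "charcount": sec.getint("CharCount")}


def keyspace(charcount, minlen, maxlen):
    """Candidates of length minlen..maxlen over charcount symbols
    (MinLen = 0, as in the page's config, adds one empty candidate)."""
    return sum(charcount ** n for n in range(minlen, maxlen + 1))


def worst_case_seconds(candidates, distinct_salts, rate_cps):
    """Seconds to exhaust the keyspace: every candidate is hashed once per
    distinct DES salt, and rate_cps is the c/s figure john prints."""
    return candidates * distinct_salts / rate_cps


if __name__ == "__main__":
    cfg = load_incremental(INI_FRAGMENT, "Lower")
    n = keyspace(**cfg)
    print("candidates a..zzzzzz:", n)
    # Assumed rates: the two c/s values quoted in the salts section.
    print("one shared salt, 2500000 c/s: %.0f s" % worst_case_seconds(n, 1, 2500000))
    print("14 distinct salts, 7000 c/s: %.0f s" % worst_case_seconds(n, 14, 7000))
```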
Configuring the Wordlist Mode
Open the john.ini file and scroll down to the
[list.Rules:Wordlist]
section. Add the rules in the order you want them to run. For more information on how to create a rule set refer to the RULES document that comes with John the Ripper, and to the Defining Custom Rules section below for some examples.
Making a Character Set
To generate a character set for use with the incremental mode.
This mode is useful for using any characters you choose. Say, for instance, that by some deceptive means we know the password is only made up of capital letters and numbers (but you can use any combination of upper case, lower case, a couple of special characters, anything you want to add).
To generate the character set follow these instructions.
1) Open up a text editor.
2) Type the characters you want, preceded by a ":". You will type this:
:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
3) Then go to Save As and save it as "john.pot". Make sure you DON'T save it as a text file, so select all file types, and make sure you save it in the same directory as your JTR program.
4) Then go to your DOS prompt where you normally run JTR from and type
john -makechars:custom.chr
5) JTR will do a few calculations and tell you how many characters you have used; make a note of how many.
6) Then edit john.ini, or open it with your text editor. Scroll down till you see the incremental section and add the following lines:
[Incremental:custom]
File = ~/custom.chr
Minlen = 0
Maxlen = 8
CharCount = 36
7) Make the CharCount whatever JTR calculated; obviously if you have the alphabet plus ten numbers that adds up to 36. Then save the changes made to john.ini. MinLen and MaxLen can be anything you want; minimum lengths under 3 are almost instantaneous, so you may as well start at 0 just in case some sysadmin was feeling easy that day. There is no sense in making the maximum length larger than 8 unless you have way too much time on your hands, especially in wordlist mode, because of the way JTR handles it: traditional DES crypt only uses the first 8 characters of a password, so if the first 8 characters match, the guess is counted as correct.
8) In your DOS prompt, or wherever you normally run JTR from, type
john -i:custom pass.txt
where pass.txt is the password file to break.
Cracking specific accounts
a) ignoring a type of shell
b) choosing the shells you want to crack
c) cracking specific users in multiple files
d) excluding users from the cracking attempt
e) loading specific users
a) If you notice that an account has a disabled shell you can make John ignore it. If the disabled shell was /etc/expired you would type
john -show -shells:-/etc/expired password.txt
where password.txt is the encrypted file. If there are multiple shells you wish to ignore you would type
john -show -shells:-expired,newuser password.txt
if the other shell was /etc/newuser.
b) If you only want to crack accounts with the shells sh, csh, tcsh or bash you would type
john -w:dictonary.dic -rules -shells:sh,csh,tcsh,bash password.txt
You might choose this option if the other user accounts have very limited privileges.
c) To crack a specific user in multiple password files password1.txt, password2.txt and password3.txt you would type
john -w:dictonary.dic -rules -users:0 password*
That will attempt to crack root in all three files.
d) To exclude users from the cracking attempt, for example if you know the root password consists of 9 characters and you won't want to waste your time trying to crack root, you would type
john -w:dictonary.dic -rules -users:-root password.txt
e) Loading specific users:
john -users:[-]LOGIN|UID[,..] pass.txt for specific users
john -groups:[-]GID[,..] pass.txt for specific groups
john -shells:[-]SHELL[,..] pass.txt for specific shells
With the shell option you can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match '/bin/csh'.
Simultaneous Cracking
If you have several password files you can crack them all at the same time. If your password files are password1.txt, password2.txt and password3.txt you would type
john -single password1.txt password2.txt password3.txt
or
john -single password*
Defining Custom Rules
Rules. There isn't really any way that I can make all this up from scratch, so I am going to refer heavily to the JTR documentation in this section, though I will add examples of how you could use each option. I am unfortunately going to tell you that you must read the example rules in the original john.ini file, as these are well annotated and explain what happens to each word. I am not going to explain the rules too simply, so see the RULES document for a breakdown of what each command does.
I am going to assume you leave the -single option alone, but want to apply rules to your own wordfile. The command to run is then:
john password.txt -w:wordfile.dic -rules
Load up the original john.ini and find this about half way down:
1. Wordlist mode rules
[list.Rules:Wordlist]
This is where you will type your rules, and where the example set is. Note that any line starting with "#" is an annotation and is ignored by JTR; I comment out lines that I don't want run this time by adding a semicolon in front of them (and I suggest you do the same), so that JTR skips them.
I suggest you delete everything that is there already; you can always get the original rules back from a fresh copy of john.ini. Remember that in what follows, only the rule lines would run, not the explanations beneath them, so comment the explanations out (best not to delete them, so you can refer back to them later).
>4<7
only check words that are 5 or 6 characters long
>5<7lc
only check words that are 6 long, and then lowercase and make the first letter a capital
l<9/ese3
lowercase, and swap 'e' for '3'. Reject if no 'e' or longer than 8
l>2<4/isi1
lowercase, and swap 'i' for '1'. Reject if no 'i' or length not equal to 3
l<8/isi1^[0-9]
lowercase, swap 'i' for '1' and prepend 0-9 in turn. Reject if no 'i' or starting word length is 8+
'6/ese3/isi1$[0-9]
Truncate at 6 long, swap 'i' for '1' and 'e' for '3' and append one digit. Reject if no 'i' or 'e'
Word = 4 long, prepend 2 digits ( i.e. birthyear ) and swap case of second letter ( position 1 )
'7T0$[aeiou0-9]
Truncate at 7 chars, swap case of first letter, then append either a vowel or a number
i0[X]i2[Y]
Using insertion, make first char be 'X' and third 'Y' - i.e. word -> XwYord
o4[123]
Overwrite fifth character to be 1,2 or 3 - i.e. password -> pass1ord, pass2ord, pass3ord
/?ds5Y
Reject the word unless it has a number. Swap '5' for 'Y', if it has one
=0?d$6
Reject the word unless it has a digit as the first character. Then append a '6'
@?w
Delete all spaces from the word (well, phrase here)
%2x
Reject the word unless 'x' appears at least twice
Those are the main types of rule, and by mixing and matching them you can probably crack any password that is based on a word. Instant respect to those that crack 2hqBaxh/iGPzU. I have a 91 KB word.ini, which about covers everything, but only after substantial cutting, pasting, searching and replacing.
The only other thing to mention is that in some circumstances (such as if you are applying very complicated rules, or only doing a few simple ones) you can output what the rules are doing to the words by typing:
john -w:wordfile.dic -rules -stdout > output.file
Note that no cracking is actually occurring, so no password file is specified. The most useful advantage of the above is that it enables you to check that the rules are doing what you wanted them to do, and that you haven't gone wrong in writing john.ini. Bear in mind that JTR generates words very quickly; mine creates 1 MB in just over 30 seconds. If you apply very complicated rules to a large wordfile you can fill up your hard drive, so press 'space' to check on your progress. I wouldn't go running it for more than an hour without some simple maths to check you have the space.
Saving and Viewing Cracked Passwords
Saving and restoring multiple or single sessions
To save your cracking attack, press Ctrl-C and john will save where it is up to. To resume, type
john -restore
This will only allow you to save one session. To save more than one you must define the session before starting, by typing
john -session:name pass.txt
where name is the name you want to give to the session and pass.txt is the password file you want to crack. To restore the session type
john -restore:name
To view how far through a saved session you are, type
john -status:name
View your cracked passwords
Type
john -show pass.txt
where pass.txt is the password file to break.
Viewing the Status of a Saved or Interrupted File
If your session has been interrupted (computer reset, power failure, etc.) you can see how far through the process you were by typing
john -status
This will give an output like this:
guesses: 3 time: 0:00:00:50
If you have been running multiple sessions and have them saved under different names you can view each one separately by typing
john -status:name1
john -status:name2
where name1 and name2 are two sessions you were running previously. See the section above on saving and restoring multiple sessions for how to set these up.
Viewing specific cracked accounts
To check if any root accounts got cracked type
john -show -users:0 password.txt
To check multiple files, password1.txt and password2.txt type
john -show -users:0 password*
To check for privileged accounts type
john -show -groups:0,1 password.txt
Piping the output
What is piping? Piping is where you redirect the output of a DOS program from the screen into a file. This makes it possible to view all the output when some of it won't fit on the screen. Another way to view all the output is using the Scroll Lock key; however, piping allows you to refer to the output later. When you crack a large file all the cracked accounts will not fit on the screen, so to make for easy viewing you can pipe the results into a text file. For example, if you had cracked a file called pass.txt, to pipe the cracked accounts into a text file you could type
john -show pass.txt > output.txt
where output.txt is the file you wish to pipe the cracked accounts into.
Specifying the Type of Encryption to crack
To change the type of cipher text to crack, type
john -format:NAME pass.txt
where NAME is one of the following: DES, BSDI, MD5, BF, AFS, LM
Using Salts
Salts are used to make the encryption harder to break. Two example sections of password files are given below; try using John the Ripper with both of them and look at the difference in the c/s.
rj:GpZfNL9Uyz.F6
swimmer:Gpa/yCH9EN4CU
cristian:GpNCyGwgDgRX.
galaxyeng:GpM82aYsocajg
puppy3481:GpLz4TL.M6BeM
Quinn:GpsyHfQzLfwzg
tigger:GpwrQgJEC1otc
boeluv:GpvLPwjqdkmJY
mbrooks:Gpkv73fL6Jh9Y
eros_96:GpoQAPAFJ3FPY
MEvans9321:GpGYjZZWx6lOs
ROOTY:GpCmFE5HFhmeA
alant:GpwVv9cUpUOXo
wickdani:Gp.0w1z7.C79M
Notice that the first two letters of each encrypted password (the salt) are the same.
admin:ZUThDIlsSDhRs
szymonw:aYCHor8ozVxYg
amac0008:a3sYyPAERdgSc
wula1966:a5q2SbwGztH2s
tommbakk:a5Yf2a.GpI.mk
sundsval:adVAGtPKOFX9g
121221:aeJW.a8Mgo6zU
THEHBIC:ae2RwyRHFh9ME
THEEBIC:ahkhlQxhU0.X6
kwfish:aoeaE0bJ5RmEw
bufflo:arIBOGP3msI42
randy77:uVZ2OleOtJDu6
mxtwrestler:aQ6/Mh5xGU2xc
BUFFLO:aciTcHHepUUZY
Notice that when you run the second password file you will get values of around 7000 c/s, whereas with the first lot of passwords you will get values of around 2500000 c/s. With DES a candidate password has to be hashed once per distinct salt, so when all the accounts share one salt a single computation is checked against every account at once. When there are no different salts, brute forcing a to zzzzzz becomes a very feasible option.
The options for using the salts are
-salts:2
-salt:-2
An example command would be
john password.txt -salt:1000 -i:custom
The 'salt' option tells it only to crack accounts if there are at least 1000 accounts with the same salt.
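The following added example (not John the Ripper's own code) parses passwd-style entries in the format broken down in section 2.1, counts accounts per DES salt to show why the shared-salt list above is so much faster to attack than the one with differing salts, and reproduces the -shells: matching described under "Cracking specific accounts"; the sample entries and hash values are constructed for the example.

```python
"""Parse passwd-style entries and analyse DES crypt(3) salt reuse.
Added example for this tutorial, not John the Ripper's own code."""
from collections import Counter

# Constructed sample in the 7-field format (user:hash:uid:gid:other:home:
# shell). Hashes are made up but keep the 13-character crypt(3) shape,
# whose first two characters are the salt.
SAMPLE_FILE = """\
root:GpAbCdEfGhIjK:0:0:Superuser:/root:/bin/sh
alice:GpLmNoPqRsTuV:1001:100:Alice Adams:/home/alice:/usr/bin/csh
bob:GpWxYz01234.5:1002:100:Bob Brown:/home/bob:/bin/csh
carol:a5QrStUvWxYz0:1003:13:Carol Cox:/home/carol:/bin/bash
dave:uV6789AbCdEf.:1004:13:Dave Dunn:/home/dave:/etc/expired
"""
FIELDS = ("username", "hash", "uid", "gid", "other", "home", "shell")


def parse_entry(line):
    """Split one line into named fields; the short user:hash form that
    john also accepts yields only username and hash."""
    parts = line.strip().split(":")
    if len(parts) not in (2, len(FIELDS)):
        raise ValueError("unexpected field count in %r" % line)
    entry = dict(zip(FIELDS, parts))
    for key in ("uid", "gid"):
        if key in entry:
            entry[key] = int(entry[key])
    return entry


def parse_file(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def salt_histogram(entries):
    """Accounts per salt (first two hash characters for DES crypt)."""
    return Counter(e["hash"][:2] for e in entries)


def hashes_per_candidate(entries):
    """Work per guess: one crypt() per distinct salt, so every account
    sharing a salt is checked by the same single computation."""
    return len(salt_histogram(entries))


def shell_selected(entry_shell, spec):
    """Mimic -shells:[-]SHELL[,..]: a name without '/' matches the basename
    of any path, a full path matches exactly, a leading '-' excludes."""
    exclude = spec.startswith("-")
    patterns = spec.lstrip("-").split(",")
    basename = entry_shell.rsplit("/", 1)[-1]
    hit = any(p == (entry_shell if "/" in p else basename) for p in patterns)
    return hit != exclude
```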
Common Problems
Zero passwords loaded
Check the password file format described above first. If you have done that step correctly, try typing
john -show pass.txt
as the password may already be cracked and stored in john.pot.
John opens then immediately closes
John gives you an incorrect password
If you run John and it displays something that doesn't work as a password, or that looks like
guesses: 0 time 00.00.01:13 c/s 6100 trying trypah - tuahj
this is NOT a cracked password; this is a common mistake people make. A cracked password looks like this:
guesses: 0 time 00.00.01:13 c/s 6100 trying trypah - tuahj
blah (blah)
Fatal Errors or Access Denied
Simply delete your copy of John the Ripper, go to the homepage and download it again.
