John the Ripper is the main tool for cracking password hashes. John offers several operating modes: it can perform dictionary or brute force attacks, and it automatically detects the type of hash it is given.
Basic command
To use John, the password hashes must be saved in a file. John's basic command is:
john filehash
John can also crack the passwords of Linux users. On Linux, usernames are stored in the "/etc/passwd" file while the corresponding password hashes are in the "/etc/shadow" file. These two files must be combined using the unshadow command:
unshadow /etc/passwd /etc/shadow > filehash
Now that filehash has been created, we can run John with its basic command:
john filehash
This is its simplest invocation.
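To make clear what the unshadow step above actually produces, here is an added Python example (not part of the original article and not John's own unshadow source) that merges constructed /etc/passwd and /etc/shadow lines the same way: the "x" in the second passwd field is replaced with the hash from the matching shadow entry. The sample lines, salts and hash values are constructed placeholders. It also lists which accounts carry a real hash at all, since entries such as "*" or "!" are locked and give John nothing to work on.

```python
"""Reproduce what `unshadow /etc/passwd /etc/shadow > filehash` writes.

Added example with constructed input; not John the Ripper's own code.

passwd fields: name:password:uid:gid:gecos:home:shell
shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
unshadow puts the shadow hash into the passwd password field.
"""

# Constructed sample files (salts and hash values are placeholders).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """root:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
alice:$6$anothersalt$anotherhashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""


def unshadow(passwd_text: str, shadow_text: str) -> str:
    """Merge passwd and shadow text; returns the combined file contents."""
    hashes = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, hash_field, _rest = line.split(":", 2)
        hashes[name] = hash_field

    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed passwd line, skip it
            continue
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]  # replace "x" with the hash
        merged.append(":".join(fields))
    return "\n".join(merged) + "\n"


def accounts_with_hashes(unshadowed_text: str) -> list:
    """Names whose password field is a real hash, i.e. the entries John
    will actually try. '*', '!', '!!', 'x' and an empty field mean the
    account is locked or has no usable hash."""
    locked = {"*", "!", "!!", "x", ""}
    names = []
    for line in unshadowed_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[1] not in locked:
            names.append(fields[0])
    return names


if __name__ == "__main__":
    combined = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print(combined, end="")
    print("accounts with hashes:", accounts_with_hashes(combined))
```

Running it prints the three merged lines followed by "accounts with hashes: ['root', 'alice']"; daemon is skipped because its shadow field is "*".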
Unlike Linux, on Windows the password hashes we need are in the SAM file. SAM is the hash file of the Windows passwords. There are several ways to obtain it: through a "meterpreter" shell (running the hashdump command) or via tools such as pwdump, pwdump_7, SAMinside, fgdump, ophcrack, l0phtcrack, samdump2, etc. It is also stored in the registry under HKEY_LOCAL_MACHINE\SAM (but this registry key isn't accessible while the system is running and requires "SYSTEM" privileges).
Finally, when John finds valid passwords it saves them in $JOHN/john.pot. The john.pot file isn't human-friendly, so you should use the following command to display the cracked passwords:
john --show filehash
However, if the --format= option was used during cracking (see below), the same format option must be repeated with --show. The command then becomes:
john --show filehash --format={FORMAT}
Dictionary attack
You can also use a wordlist file to perform a dictionary attack; in this case the command is as follows:
john --wordlist=/path/to/filewordlist filehash
Format option
Another option is --format=. This tells John which hash format the file contains and forces it to use that format. An example:
john --format=NT filehash
The --format option accepts many kinds of hash format. Here are some: bf, bsdi, crypt, des, hmac-md5, krb4, krb5, LM, md4-gen, md5, mssql, mysql, mysql-sha1, netlm, nsldap, NT, ssha, raw-md5, raw-sha1, raw-sha224, ssh, and so on.
Brute force attack
--incremental
This option selects incremental mode, which is John's brute force mode.
Rules option
Another powerful John the Ripper feature is the --rules option. It is applied to a wordlist file to modify its words: adding --rules applies mangling rules to each word. First you need to add a [List.Rules] section to the john.conf file:
[List.Rules:Reverse]
r
This example rule set (named "Reverse") takes a wordlist file and reverses every word in it. The following command does the job, printing the result on the screen:
john --rules=Reverse --wordlist=wordlistfile.txt --stdout
Another simple example is to reflect the words of a wordlist file, i.e. append to each word its own reverse:
[List.Rules:Reflect]
f
and then the command is:
john --rules=Reflect --wordlist=wordlistfile.txt --stdout
In this example, if the wordlist file contained the words password and monkey, the output would be:
passworddrowssap
monkeyyeknom
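The Reverse and Reflect examples above are easier to reason about with a small interpreter for the rule syntax. The following Python block is an added example, not code from the article or from John the Ripper itself: it parses [List.Rules:NAME] sections out of a constructed john.conf fragment and applies the single-character rule commands the article uses (r and f) plus a few other standard John rule commands (: l u c d) to the constructed two-word list from the text, reproducing what john --rules=... --wordlist=... --stdout would print. Rule commands beyond those seven are rejected rather than guessed at.

```python
"""Toy interpreter for a handful of John the Ripper wordlist rule commands.

Added example with a constructed john.conf fragment; not John's own code.

Supported commands (standard John rule syntax):
  :  no-op           l  lowercase        u  uppercase
  c  capitalize      r  reverse          d  duplicate
  f  reflect (append the reversed word to the word)
"""

# Constructed john.conf fragment containing the two rule sets from the text.
SAMPLE_CONF = """# rules used in the article
[List.Rules:Reverse]
r

[List.Rules:Reflect]
f
"""

# Constructed wordlist from the text.
SAMPLE_WORDS = ["password", "monkey"]


def parse_rule_sections(conf_text: str) -> dict:
    """Return {rule_set_name: [rule, ...]} for every [List.Rules:NAME]
    section. Other section types are skipped; '#' lines are comments."""
    sections = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1]
            prefix = "List.Rules:"
            current = header[len(prefix):] if header.startswith(prefix) else None
            if current is not None:
                sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def apply_rule(rule: str, word: str) -> str:
    """Apply the commands of one rule, left to right, to one word."""
    for cmd in rule:
        if cmd == ":":
            pass
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "d":
            word = word + word
        elif cmd == "f":
            word = word + word[::-1]
        else:
            raise ValueError(f"unsupported rule command {cmd!r}")
    return word


def mangle_wordlist(rules, words) -> list:
    """Mimic `john --rules=NAME --wordlist=FILE --stdout`: each rule is
    applied to every word, in order, and the candidates are returned."""
    return [apply_rule(rule, w) for rule in rules for w in words]


if __name__ == "__main__":
    rule_sets = parse_rule_sections(SAMPLE_CONF)
    for name in ("Reverse", "Reflect"):
        print(f"--rules={name}:")
        for candidate in mangle_wordlist(rule_sets[name], SAMPLE_WORDS):
            print("  " + candidate)
```

With the constructed input, --rules=Reflect yields passworddrowssap and monkeyyeknom, matching the output quoted in the text, and --rules=Reverse yields drowssap and yeknom.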
Here is a list of useful simple rules: