Friday, August 17, 2012

John the Ripper Tutorial

Well I've decided to make a John the Ripper tutorial. John the Ripper is a pretty good password cracking tool. Here is a description from the site(displayed later) where you get it:

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

I'm going to go through the Windows way to use John the Ripper and I will cover some of the basic types of attacks and things you can do with John the Ripper. This article will be fairly long so I can try and explain things in a way that I hope most people can understand.

---Some Bits of Information---

DES Hashes

John the Ripper is known very well for its ability to deal with DES hashes (and that is the hash type I'll be concentrating on in this article). I'm going to briefly explain a bit about what a DES hash is. DES stands for Data Encryption Standard and is a method for encrypting information like passwords. The key length for DES is 56 bits. Well, the key actually consists of 64 bits, but only 56 of these are actually used by the algorithm; the other 8 bits are used solely for checking parity (error detection) and are therefore discarded. The DES hash will be 13 characters long and will usually have a username or something on the front of it. Therefore, a DES hash will look like this: shape:CRjRYEn9g3PUc
As you can see, the username "shape" is in front of the 13-character hash and they are separated by a colon (:). If you would like to learn more about DES you can go here:

If you want to make your own DES hash just follow these steps:
- Go to this site:

- Type the text/password or whatever that you want to be encrypted in the text box
- Click on the drop-down menu and choose the option "DES Crypt (one way)"
*Note that it says one way because while this site decrypts many things, it will not decrypt a DES hash, only encrypt something into one.
- Click ok
- Copy the encrypted text and paste it in Notepad with username: in front of it so it looks like my example above
- Save it in the run folder of John the Ripper as a .txt file

You now have your own DES hash

As you will see further in the article, dictionary attacks use wordlists. If you want to get a wordlist you can search online through Google or something and find them easily. There are many, many places that have wordlists. A wordlist is just a text document full of words that you place in the run folder of John the Ripper. An example of such a site is this:

Now let's start the tutorial.

---Installing on Windows---

First things first, if you don't already have John the Ripper, go here to download it:

The download you want as a windows user is John the Ripper (Windows - binaries, ZIP, 1360 KB) if you were confused.

Some tips when you install John the Ripper that will make things easier on you but you do not have to do them if you don't want to:
- Save it in the plain old C:/ location, none of that program files location or anything
- When it installs it will probably look something like C:/John/john1701/ etc. Move everything out of the john1701 folder and into the first folder. Then delete john1701.
- Now when you go into your C drive and open up the john folder, you should see both the doc and run folders instead of john1701
- In the run folder you will see the application "john-386" or "john-something". Just rename that to "john"

These few tips will make less work (not a whole lot less, but a little) when writing out the commands that follow.

When you install John the Ripper, you will not open anything in the installed folders, nor will you find it under Start and Programs for easy access. No, with John the Ripper you have to run it from the MS-DOS command line. I assume you already know how to open the command line, but in case you don't and don't want to have to admit that to someone for fear of getting made fun of: go to Start, Run, and type in cmd or command.

Once you have that open you have to go to the John the Ripper directory. If you did what I said above in the tips, then it should be in the folder "C:/john/run/". If you didn't, yet you still installed it with at least the first tip, it should look something like this: "C:/john/john1701/run/". To go to the location in the command line you have to type this command: cd C:/john/run

With this command typed in the next line should look like this: C:\john\run>

Now type in "john" or "john-386" (without the quotation marks of course) depending on the name of it. You should have the program information menu come up and it should give you the list of things it can do. Now is when we will get into the types of attacks I will show you in this article.

-Bruteforce Attack-

First I will show you John the Ripper's bruteforcing mode. All this mode does is try every possible combination of letters (both upper and lowercase), numbers, symbols, or any combination of the three until it finds the password. Before I tell you how to do it, we have to take our hash (I'm going to use shape:CRjRYEn9g3PUc from above), copy and paste it into Notepad, and save it in the "run" directory of John the Ripper as a .txt file. I'm going to call it hash.txt. One way to do this type of attack is to type in "john hash.txt" (all commands will be without the quotation marks) and press enter. This will start trying to bruteforce the password. Another way would be to drag the hash.txt file and drop it on the john application (this will be done in the run folder). There is a big problem with this type of attack though, and that is that it can take extremely long, and no one wants to wait long periods of time if they don't have to. You can stop the process at any time by pressing "ctrl+C". Also, John the Ripper doesn't show the progress on its own, but you can check the progress by pressing any key (assuming the key won't do something to interrupt the program; just use enter or an arrow key or something).

-Bruteforce Attack with conditions-

One way you can shorten things up is by choosing whether you only want to use letters or numbers to crack the password. So if you think the password only contains letters, you can use the command "john -i:alpha hash.txt"; if you think the password only contains numbers, you can use the command "john -i:digits hash.txt"; you can also use the command "john -i:all hash.txt" to guess the password using both letters and numbers.

-Dictionary Attack-

Now when passwords get long even this method can be a long task. So another type of attack you can do is called a dictionary attack. What a dictionary attack does is take a wordlist (a text document full of words, be it an actual dictionary or more) and check each word in that list until it finds a match. This is a much faster way than the bruteforcing methods above. However, the only way this type of attack will work is if the password is among the words in the wordlist. For this example the wordlist I will use will be called "wordlist.txt". To do a dictionary attack, type in this command: john -w:wordlist.txt hash.txt

When John the Ripper is done cracking the password and comes back with an answer it will display the password on screen (at least it does for me). However, if it doesn't (or if you want to go back and look at it in the future) there are two ways you can view the password. One is using the command "john -show hash.txt", which will display the cracked hash on screen, and the other is opening "john.pot" (you can open it manually from the run folder), which will open up as a PowerPoint document and have the passwords displayed in it.
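As an added illustration (my own code, not part of the original post or of John the Ripper itself), here is a small Python re-implementation of what "john -show hash.txt" does. It also shows what john.pot actually contains: it is a plain text file with one "hash:password" line per cracked hash, and it only opens in PowerPoint because Windows associates the .pot extension with PowerPoint templates. The sample hash file and pot file below are constructed, apart from the article's own DES hash.

```python
# Constructed hash file in the article's "user:hash" layout. "bob" has the same
# hash as "shape": for DES crypt that means same salt (first two characters)
# and same password, so John only has to crack it once.
HASH_FILE = """shape:CRjRYEn9g3PUc
alice:$1$saltsalt$ConstructedNotRealHash
bob:CRjRYEn9g3PUc
"""

# Constructed john.pot contents after a run (the plaintext is made up).
# john.pot is plain text: one "<hash>:<cracked password>" line per hash.
POT_FILE = """CRjRYEn9g3PUc:password
"""

def split_user_hash(line):
    """Return (user, hash) for a 'user:hash[:more fields]' line.
    A line without any colon is a bare hash; the user is shown as '?'."""
    fields = line.split(":")
    if len(fields) > 1:
        return fields[0], fields[1].strip()
    return "?", fields[0].strip()

def parse_pot(pot_text):
    """Map each cracked hash in john.pot to its plaintext. Split on the
    first colon only: crypt hashes never contain ':', a password might."""
    cracked = {}
    for line in pot_text.splitlines():
        if line.strip():
            hash_part, _, plain = line.partition(":")
            cracked[hash_part] = plain
    return cracked

def show_cracked(hash_text, pot_text):
    """Pair each user with its cracked password; return (lines, uncracked count)."""
    cracked = parse_pot(pot_text)
    shown, left = [], 0
    for line in hash_text.splitlines():
        if not line.strip():
            continue
        user, hash_part = split_user_hash(line)
        if hash_part in cracked:
            shown.append(f"{user}:{cracked[hash_part]}")
        else:
            left += 1
    return shown, left

if __name__ == "__main__":
    lines, left = show_cracked(HASH_FILE, POT_FILE)
    print("\n".join(lines))
    print(f"{len(lines)} password hashes cracked, {left} left")
```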

-Simple Attack-

I'm not entirely sure what simple attack does so someone can correct me if I'm wrong. Through using it, it seems to me that simple attack will take your username in the hash (in mine it's "shape" remember) and only run a bruteforce using that word and add a little to it. For example it will try shape with numbers and symbols after it like shape1. It will also try the options by adding an uppercase to the first letter so it will check things like this Shape43. It appears that it will try all numbers up to 200 after the word as I tried shape320 and it would not crack it and it shows shape200 when it stops trying. It will not try for example sHapE3 though, only check the first letter with uppercase not all the letters. This should give you a basic idea of what it can do. It might be able to do more but I haven't played around with it to figure more out. Feel free to do this on your own though.

-Additional Notes-

If you get an error saying "No hash loaded" there could be a couple of reasons for this. One is that the hash you entered and saved is not recognized as being a hash, and you should check to make sure you copied things right. Two is that the hash has previously been cracked, and you can check the john.pot file to see if it has.

Also, when you're doing your attacks, if you want to get the answer saved to a file, you can type "> something.txt" after the command and it will save the output to that text file in the "run" folder. So a full dictionary attack example would look like this: john -w:wordlist.txt hash.txt > cracked.txt

One more thing. If you didn't notice me saying it above, the quotes("...") above any of the commands above

-The "format" option attack-

Now, everything I have demonstrated up until now has been an attack on a DES hash. So you might be asking yourself, "Is this all John the Ripper can crack?". Well, the answer to that question is no. It is capable of cracking such hashes as BSDI, MD5, BF, AFS and LM. The command you are going to use for this attack looks like this: john -format:hashtype hash.txt

So DES looks like this: john -format:des hash.txt
And MD5 looks like this: john -format:md5 hash.txt
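The following Python snippet is an added example (mine, not the post's or John the Ripper's own code) that ties together the DES hash layout from the first section and the -format option: it checks each line of a hash file against the textbook shape of the formats named above and reports the lines John would refuse, which is the usual cause of the "No hash loaded" message. The recognition patterns are my assumptions about those formats, and every sample hash other than the article's own is constructed.

```python
import re

# 64-character alphabet of traditional crypt output (contains no ':' or '$').
CRYPT_CHARS = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

def identify_hash(h):
    """Return the -format name for one hash string, or None if unrecognised.
    Patterns are the textbook shapes of the formats the article names."""
    if len(h) == 13 and set(h) <= CRYPT_CHARS:
        return "des"    # 2-char salt followed by 11 chars of hash
    if len(h) == 20 and h[0] == "_" and set(h[1:]) <= CRYPT_CHARS:
        return "bsdi"   # "_" + 4 chars round count + 4 chars salt + 11 chars hash
    if h.startswith("$1$"):
        return "md5"    # FreeBSD-style MD5 crypt
    if re.match(r"\$2[aby]?\$\d\d\$", h):
        return "bf"     # OpenBSD Blowfish crypt (cost factor after the tag)
    if h.startswith("$K4$"):
        return "afs"    # Kerberos AFS, as tagged in John's hash files
    if re.fullmatch(r"[0-9a-fA-F]{32}", h):
        return "lm"     # 32 untagged hex digits: John assumes LM
    return None

def load_hash_file(text):
    """Parse 'user:hash' lines the way the article saves them. Returns
    (loaded, rejected): loaded holds (user, format, hash) tuples, rejected
    holds the raw lines no format accepted (John's "No hash loaded" case)."""
    loaded, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, h = (fields[0], fields[1]) if len(fields) > 1 else ("?", fields[0])
        fmt = identify_hash(h.strip())
        if fmt is None:
            rejected.append(line)
        else:
            loaded.append((user, fmt, h.strip()))
    return loaded, rejected

# Constructed sample: only the first hash is the article's own; the others are
# made-up strings of the right shape, and the last line is a DES hash that lost
# its final character in a copy and paste (12 characters instead of 13).
SAMPLE = """shape:CRjRYEn9g3PUc
carol:$1$saltsalt$ConstructedNotRealHash
dave:_J9..saltExampleHash
grace:0123456789ABCDEF0123456789ABCDEF
frank:CRjRYEn9g3PU
"""
```

Running load_hash_file(SAMPLE) loads the first four lines as des, md5, bsdi and lm and rejects the truncated "frank" line, which on its own would produce "No hash loaded".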


Well this is the end of this article but don't think that this is all that John the Ripper can do because there is a lot more. These are just some of the basics and I'll leave you to figure out the rest on your own so play around with it and experiment. I hope this was a fairly good article and is able to help some people out. If anyone has any problems or questions, feel free to pm me and I will help you out if I can. I may return and add in more information if I feel like it. Also if I have any incorrect information you can pm me and I will correct it.

---Extra Resources---

I've decided to throw in something extra that may be helpful to some people.

For people who are looking for word lists, here is a great collection of links:

Here is the official documentation for John the Ripper and should be a good resource for going further into using the program:
