John knows all your passwords!!

Akanksha
3 min read · Jan 6, 2022

John the Ripper (JtR, or simply john) is a password hash cracking tool. On a pen test you rarely get a plaintext password; what you get is a hash from a database dump, a config file or a protected archive, and john is how you turn that hash back into a password you can actually log in with. The same ability makes it a password recovery tool.

It operates in 3 different modes:

  1. Wordlist mode: take each word from a list of common passwords (a dictionary), optionally mangle it with rules, hash it and compare with the target.
  2. Single crack mode: derive candidates from the username and the other per-account fields john is given (GECOS, home directory) using built-in word mangling. Fast, because the candidate set is tiny.
  3. Incremental mode: brute force every character combination up to a given length, ordered by character-frequency statistics so the likelier strings are tried first. Slow, but it is the only mode that will eventually find a password that is in no list.

Wordlists: There are many wordlists available, SecLists and the famous rockyou.txt among them, or you can build your own from the target's own vocabulary. John tries to detect the hash type on its own, but when it guesses wrong, or reports that several formats could apply, you tell it which one with --format; `john --list=formats` prints every format name john knows.

# john --wordlist=[path to wordlist] [path to file]

Example: john --wordlist=/usr/share/wordlists/rockyou.txt passwordhash.txt

# john --format=[format] --wordlist=[path to wordlist] [path to file]

Example: john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt passwordhash.txt

Single crack mode: Ever used your username as your password, with a few numbers or symbols thrown in, or written the s in your name as $? You are not alone, and john exploits exactly that. For single mode the hash file has to carry the username together with the hash, one entry per line in the form user:hash, otherwise john has no username to mangle.

If the username is Alice, john will try alice1, alice, aLiCe, Alice= and so on.

# john --single --format=[format] [path to file]

Example: john --single --format=raw-sha1 passwordhash.txt

Rules (word mangling): Password complexity policies tell people to add entropy with capital letters, symbols and numbers, and people do so in very predictable ways, so we can enumerate those variations instead of brute forcing everything. John does this with rules applied on top of wordlist mode. The rules live in john.conf (/etc/john/john.conf on Kali; other builds keep it next to the binary). You add your own set under a heading of the form [List.Rules:NewRules], and the name after the colon is what you pass on the command line. A rule can append, prepend, capitalize, and insert numbers or symbols at chosen positions. Some of the commonly used commands are:

Az"...": append the quoted string, A0"...": prepend it, c: capitalize the first letter and lowercase the rest, [0-9]: try each digit in turn (john's preprocessor expands one such line into ten rules), [0]: test only the digit 0, [A-Z]: every uppercase letter, [A-z]: uppercase and lowercase letters (in ASCII this range also picks up the few punctuation characters between Z and a), [!@$%]: each of those symbols.

Let's say we have to guess Alice's password. We think the first letter is uppercase and that a digit from 0-9 followed by a symbol is tacked on at the end. Then our rule would be:

[List.Rules:Alice]

cAz"[0-9][!$%@]"

john --wordlist=[path to wordlist] --rules=Alice [path to file]
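To make the rule syntax concrete, here is an added example, written for this article and not John's own code: a small Python re-implementation of just the rule commands used above (c, l, u, Az"..." and A0"..." with [..] character classes), plus the loop john runs in wordlist mode, hashing each mangled candidate and comparing it with a raw-md5 target. The wordlist and the target hash are constructed for the demo, and the candidate order is plain product order, not necessarily the order john itself uses.

```python
import hashlib
import itertools
from typing import Iterator, List, Optional, Sequence

# Subset of John's rule language, re-implemented for illustration only.
#   c        capitalize the first character, lowercase the rest
#   l / u    lowercase / uppercase the whole word
#   Az"STR"  append STR,  A0"STR"  prepend STR; STR may contain [..] classes
#            such as [0-9] or [!$%@], which john's preprocessor turns into
#            one rule per character


def expand_class(body: str) -> str:
    """Expand the inside of a [...] class: ranges such as 0-9 or A-Z plus literals."""
    chars: List[str] = []
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return "".join(chars)


def parse_quoted(spec: str) -> List[str]:
    """Split the quoted argument of A into one set of alternatives per output position."""
    positions: List[str] = []
    i = 0
    while i < len(spec):
        if spec[i] == "[":
            j = spec.index("]", i)
            positions.append(expand_class(spec[i + 1:j]))
            i = j + 1
        else:
            positions.append(spec[i])  # literal character: a single alternative
            i += 1
    return positions


def parse_rule(rule: str) -> List[tuple]:
    """Parse one rule line into (command, argument) pairs."""
    cmds: List[tuple] = []
    i = 0
    while i < len(rule):
        ch = rule[i]
        if ch in "clu":
            cmds.append((ch, None))
            i += 1
        elif ch == "A" and i + 2 < len(rule) and rule[i + 2] == '"':
            position = rule[i + 1]  # 'z' = end of word, '0' = start of word
            end = rule.index('"', i + 3)
            cmds.append(("A" + position, parse_quoted(rule[i + 3:end])))
            i = end + 1
        else:
            raise ValueError(f"unsupported rule command at offset {i}: {rule[i:]!r}")
    return cmds


def apply_rule(word: str, rule: str) -> Iterator[str]:
    """Yield every candidate the rule produces from one wordlist entry."""
    candidates = [word]
    for cmd, arg in parse_rule(rule):
        if cmd == "c":
            candidates = [w[:1].upper() + w[1:].lower() for w in candidates]
        elif cmd == "l":
            candidates = [w.lower() for w in candidates]
        elif cmd == "u":
            candidates = [w.upper() for w in candidates]
        elif cmd in ("Az", "A0"):
            expanded = []
            for w in candidates:
                for combo in itertools.product(*arg):  # one char per class/position
                    s = "".join(combo)
                    expanded.append(w + s if cmd == "Az" else s + w)
            candidates = expanded
        else:
            raise ValueError(f"unsupported A position in {cmd!r}")
    yield from candidates


def crack(target_hex: str, wordlist: Sequence[str], rule: str,
          algo: str = "md5") -> Optional[str]:
    """The wordlist+rules loop: hash each mangled candidate with an unsalted digest
    (raw-md5 by default, raw-sha1 with algo="sha1") and return the first match, else None."""
    for word in wordlist:
        for candidate in apply_rule(word, rule):
            if hashlib.new(algo, candidate.encode()).hexdigest() == target_hex:
                return candidate
    return None


# Constructed sample data (not a real dump): a tiny wordlist and the raw-md5
# hash of the password we pretend Alice chose.
WORDLIST = ["password", "football", "alice", "summer"]
ALICE_RULE = 'cAz"[0-9][!$%@]"'   # the rule from the article
PREPEND_RULE = 'A0"[A-Z]"'        # a second rule, showing A0 with a class
TARGET_MD5 = hashlib.md5(b"Alice7$").hexdigest()

if __name__ == "__main__":
    print(len(list(apply_rule("alice", ALICE_RULE))), "candidates per word")
    print("cracked:", crack(TARGET_MD5, WORDLIST, ALICE_RULE))
```

The Alice rule turns every word into 40 candidates (10 digits times 4 symbols), so against the 14 million entries of rockyou.txt it costs about 40 wordlist passes, orders of magnitude less than incremental mode over the same lengths. John's real rule language has many more commands and its preprocessor also removes duplicate rules; the doc/RULES file in the john source describes the full syntax.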

Q: Now, can you create a rule for user Bob, who we know loves football, uses uppercase for the last letter and puts a number at the beginning? Tell me in the comments.

What else can John do?

JtR can also crack password-protected .zip files using zip2john and password-protected .rar files using rar2john, and that's not all: it can crack the passphrase on an SSH private key using ssh2john. Each of these *2john helpers does the same job: it extracts a hash that john understands from the file, and you then crack that hash exactly as before.

First, we extract the hash of the .zip or .rar file into an output file:

# zip2john [options] [zip file] > [output file]

Example: zip2john zipfile.zip > ziphash.txt, or rar2john rarfile.rar > rarhash.txt

Then crack it: john --wordlist=/usr/share/wordlists/rockyou.txt ziphash.txt

Afterwards, john --show ziphash.txt prints the cracked password. John keeps every cracked hash in its pot file, so re-running the crack on a hash it already knows will report nothing new; --show is how you get the result back.

There are many more capabilities and customizations for cracking password hashes with this tool. But we should not be misusing it.

To conclude, some fun facts about passwords: When people are asked to include a number in a password, 87% just add a 1 or 2 at the end. The top 10 most-used password list has hardly changed in the last 5 years, the top three widely used passwords are still 123456, password, 12345678. CRAZY, right?


Akanksha

Sr. Systems Engineer | Cyber Security enthusiast and an avid reader.