John The Ripper

I borrowed this from: http://phawkq.blogspot.com/2008/04/john-ripper-tutorial.html

and they borrowed it from: http://xelt.in/viewtopic.php?t=2487

Background Information

Question: What does John the Ripper do?

Answer: It cracks password hashes. It does not decrypt anything: a Unix password is stored as a one-way hash, and John guesses candidate passwords, hashes each guess the same way the system did, and reports any that match. Its original target was the traditional Unix crypt(3) hash, which is built from the DES block cipher (DES stands for Data Encryption Standard) and was what most Unix servers, web hosts and university systems used at the time; later versions also handle other hash types (see "Specifying the Type of Encryption to crack" below).

Other Unix Password Crackers
Cracker Jack v1.4
Guess
Hades
Hellfire
John the Ripper Win32 version
John the Ripper *nix version
Killer Cracker
Koskrack
Pacec
Qcrack
Starcrak
VCU (front ender for John the Ripper, Cracker Jack and Xit)
Viper v1.1
Xit


Password Files

Create a text file containing the account(s) you want to crack, one per line, in the form

john:234abc56

(login, colon, hash). The hash shown here is only a placeholder: a real traditional DES crypt(3) hash is 13 characters long, such as GpZfNL9Uyz.F6 from the salt examples later on this page. You can also keep the full passwd-style line exactly as it was copied; John the Ripper accepts either. A full entry looks like this:

john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john

Keep the full line when you have it: single crack mode builds its guesses from the login name, GECOS and home directory fields, so cutting the line down to login:hash throws away useful information. On most current Unix systems the hash is not in /etc/passwd at all but in the root-only /etc/shadow; the unshadow utility shipped with John the Ripper merges the two files into the format above.

To create a text file in Windows go to Start/Programs/Accessories/WordPad, and save as plain text rather than Rich Text.

Broken down, this is what the above password file entry says (the fields are those of /etc/passwd):

john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john

Username (login): john

Encrypted password (hash): 234abc56

User ID (UID): 9999

Group ID (GID): 13

Other information (GECOS, usually the full name): John Johnson

Home directory: /home/dir/john

Login shell: /bin/john


John the Ripper

Open a DOS window (Start/Programs/DOS Prompt), change to the directory that contains the john executable (john.exe in the Win32 build) using the cd command, and then decide how to attack the file. I would recommend the following order:
single mode
wordlist mode
wordlist mode with rules
incremental


Using the Single Crack Mode

Run single crack mode first: it is fast and breaks the weak passwords. It does not use a wordlist at all. For each account it takes the login name, the GECOS (full name) field and the home directory name, applies a set of simple mangling rules to them, and tries the results against that account's hash (and against any other accounts in the file that happen to share its salt). This is why it pays to keep the full passwd-style line rather than just login:hash.

john -single pass.txt

where pass.txt is your password file. The rules this mode uses are the [List.Rules:Single] section of john.ini; the RULES document that comes with John the Ripper explains how to change them.


Using the Wordlist Mode

To run John the Ripper against a wordlist with the rules option, type in the DOS window

john -w:word.dic -rules pass.txt

where word.dic is your wordlist and pass.txt is your password file; a wordlist of around 2 MB is a reasonable start. This mode runs every word through the [List.Rules:Wordlist] rule set and breaks most passwords, because most users choose passwords that have meaning and are easy to remember. Without -rules the words are tried exactly as they appear in the list.

Using the Incremental Mode

The incremental mode is brute force over a character set and should be used after the single and wordlist modes have been exhausted.

john -i:all pass.txt tries all 95 printable characters

john -i:alpha pass.txt tries the 26 lower-case letters only

john -i:digits pass.txt tries the 10 digits only

john -i:lanman pass.txt tries upper-case letters, digits and punctuation, which is all a LAN Manager hash can contain (LM hashes upper-case the password before hashing it)

Incremental mode does what the name suggests: it works through every string that can be made from the character set between the configured minimum and maximum length. With lower-case letters and lengths 1 to 6 that is everything from a to zzzzzz. It does not try them in alphabetical order, though: the .chr file behind each mode holds character-frequency statistics gathered from real passwords, and John uses them to try the likelier strings (and, by default, the shorter ones) earlier. That ordering is why the mode is worth running even when the full keyspace would take far too long to finish.

Using an external mode

john -external:MODE pass.txt

where pass.txt is the password file to crack and MODE is the name of a [List.External:MODE] section in john.ini. Such a section holds small C-like functions (generate, filter) that produce or filter candidate passwords, so it is the way to add a candidate generator that none of the built-in modes provide.

Trading Hard-Drive Space for Speed

If you run the same incremental mode often you can write its candidate passwords to a file once and replay them as a wordlist later:

john -stdout -i:[whatever] > blah.txt

where [whatever] is the incremental mode you use most. Then, instead of regenerating the candidates, run

john -w:blah.txt pass.txt

Be aware that incremental mode generates candidates very cheaply, so reading them back from disk is not always faster; compare the c/s figures of the two runs before committing the disk space. The trick is most useful when the candidate list is the output of slow external-mode code or of a large rule set, and for the same reason the file can run to hundreds of megabytes even for modest lengths.

Customizing Cracking Modes

Configuring Incremental Mode

To configure an incremental mode, edit john.ini:

1) scroll down to the incremental section

2) find the mode you want to change, for example

[Incremental:Alpha]

File = ~/alpha.chr

MinLen = 0

MaxLen = 8

CharCount = 26

Now set the minimum and maximum lengths to what you expect. If you believe the password is exactly 5 characters of letters and digits, change the section to look like

[Incremental:Alpha]

File = ~/alpha.chr

MinLen = 5

MaxLen = 5

CharCount = 36

Extra=1234567890

The Extra line adds characters that are not in the .chr file, and CharCount must cover both the characters in the file and the extra ones (26 letters plus 10 digits is 36 here). Save your changes, open your DOS window and type

john -i:alpha pass.txt

Configuring the Wordlist Mode

Open the john.ini file and scroll down to the

[list.Rules:Wordlist]

add the rules in the order you want them to run. The RULES document that comes with John the Ripper explains how to write a rule set, and the Defining Custom Rules section below walks through worked examples.

Making a Character Set

To generate a character set for use with the incremental mode.

This is useful when you know, or have good reason to believe, which characters a password is made from. Say you have learned that the password consists only of capital letters and digits (any combination of upper case, lower case, punctuation or anything else works the same way).

To generate the character set follow the following instructions.

1) Open a text editor (see the note on WordPad above).

2) Type the characters you want, preceded by a ":". john.pot stores cracked passwords as hash:password and -makechars reads the password part, so the colon has to be there:

:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

3) Save the file as john.pot in the same directory as the john program. Make sure it is not saved as john.pot.txt (select "all file types" in the save dialog). If you already have a john.pot with cracked passwords in it, back it up first: -makechars builds the character set from whatever john.pot contains at the time, and overwriting it loses the old entries.

4) Then go to your dos prompt where you normally run JTR from and type

john -makechars:custom.chr

5) JTR will do a few calculations and report how many distinct characters it found; make a note of the number.

6) Then edit john.ini in your text editor, scroll down to the incremental section and add the following lines:

[Incremental:custom]

File = ~/custom.chr

MinLen = 0

MaxLen = 8

CharCount = 36

7) Set CharCount to whatever JTR reported (the alphabet plus ten digits obviously adds up to 36), then save the changes to john.ini.
MinLen and MaxLen can be anything you want. Lengths under 3 take almost no time, so you may as well start at 0 in case some administrator was feeling lazy that day. There is no sense in a MaxLen above 8 for traditional DES crypt(3) hashes: that hash only uses the first 8 characters of the password, so a 9-character candidate is the same guess as its first 8 characters and anything longer is wasted work.

8) In your DOS prompt, or wherever you normally run JTR from, type

john -i:custom pass.txt

where pass.txt is the password file to break

Cracking specific accounts

a) ignoring accounts by shell

b) choosing the shells you want to crack

c) cracking specific users across multiple files

d) excluding users from the cracking attempt

e) loading specific users, groups or shells

a)
If an account has a disabled shell there is nothing to gain from cracking it, and you can make John skip it. If the disabled shell is /etc/expired you would type

john -shells:-/etc/expired password.txt

where password.txt is the password file. The same filter works together with -show when you only want to list results. To ignore several shells, list them:

john -shells:-expired,newuser password.txt

if the other disabled shell was /etc/newuser (the path may be left off; see e) below).

b)
If you only want to crack accounts whose shell is one of sh, csh, tcsh or bash you would type
john -w:dictionary.dic -rules -shells:sh,csh,tcsh,bash password.txt

You might choose this when the remaining accounts have very limited privileges or cannot log in interactively at all.

c)
To crack one specific user across several password files, password1.txt, password2.txt and password3.txt, you would type

john -w:dictionary.dic -rules -users:0 password*

which attempts the UID 0 (root) account in all three files. A numeric value given to -users is a UID; a name is a login.

d)
To exclude users from the cracking attempt: say you know the root password is long and random, so there is no point spending time on it. You would type

john -w:dictionary.dic -rules -users:-root password.txt

e)
The general forms of the loading filters are
john -users:[-]LOGIN|UID[,..] pass.txt for specific users (or, with a leading -, all users except those)
john -groups:[-]GID[,..] pass.txt for specific groups
john -shells:[-]SHELL[,..] pass.txt for specific shells

With the shell option you can omit the path before a shell name, so '-shells:csh' matches both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' matches only '/bin/csh'.
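The passwd breakdown under Password Files and the -users, -groups and -shells filters above can be checked against a small parser. The Python below is an added example written for this page, not code from John the Ripper: it mimics what the unshadow utility does when it merges /etc/passwd with /etc/shadow, then applies the same selection rules as the options above. The passwd and shadow contents are constructed for the example (the 13-character hashes are copied from the Using Salts section below; the UIDs, GIDs and shells were chosen to exercise each filter).

```python
"""Parse passwd-style records, merge a shadow file the way John's unshadow
does, and apply -users / -groups / -shells style filters.

Added example for this page, not John the Ripper's own code. The two files
below are constructed; the 13-character hashes are copied from the salt
examples later on the page.
"""
from dataclasses import dataclass

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rj:x:1001:100:RJ:/home/rj:/bin/csh
swimmer:x:1002:100:Swimmer:/home/swimmer:/usr/bin/csh
old:x:1003:100:Expired account:/home/old:/etc/expired
"""

SHADOW = """\
root:ZUThDIlsSDhRs:15000:0:99999:7:::
rj:GpZfNL9Uyz.F6:15000:0:99999:7:::
swimmer:Gpa/yCH9EN4CU:15000:0:99999:7:::
old:*:15000:0:99999:7:::
"""

CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


@dataclass
class Account:
    login: str
    pwhash: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split login:hash:uid:gid:gecos:home:shell lines into Account records."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"expected 7 colon-separated fields: {line!r}")
        accounts.append(Account(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return accounts


def unshadow(passwd_text, shadow_text):
    """Put the shadow hash back into field 2 of each passwd line (what unshadow does)."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            login, pwhash = line.split(":")[:2]
            shadow[login] = pwhash
    merged = parse_passwd(passwd_text)
    for a in merged:
        if a.login in shadow:
            a.pwhash = shadow[a.login]
    return merged


def is_des_crypt(pwhash):
    """Traditional DES crypt(3): 13 chars from ./0-9A-Za-z, the first two are the salt."""
    return len(pwhash) == 13 and set(pwhash) <= CRYPT_ALPHABET


def _spec(spec):
    """'-a,b' -> (negate=True, ['a', 'b']); 'a,b' -> (False, ['a', 'b'])."""
    negate = spec.startswith("-")
    return negate, [s for s in spec.lstrip("-").split(",") if s]


def select(accounts, users=None, groups=None, shells=None):
    """-users / -groups / -shells semantics: a comma-separated list, a leading '-'
    meaning 'all except'. A numeric -users item is a UID; a -shells item without
    a '/' matches the basename of the shell, with a '/' it must match the path."""
    def user_ok(a, items):
        return any(it == a.login or (it.isdigit() and int(it) == a.uid) for it in items)

    def group_ok(a, items):
        return any(it.isdigit() and int(it) == a.gid for it in items)

    def shell_ok(a, items):
        return any(it == a.shell if "/" in it else it == a.shell.rsplit("/", 1)[-1]
                   for it in items)

    keep = list(accounts)
    for spec, ok in ((users, user_ok), (groups, group_ok), (shells, shell_ok)):
        if spec is not None:
            negate, items = _spec(spec)
            keep = [a for a in keep if ok(a, items) != negate]
    return keep


def loadable(accounts):
    """Accounts John can actually work on: locked ('*', '!') or placeholder ('x')
    hash fields are skipped, which is one cause of 'No password hashes loaded'."""
    return [a for a in accounts if is_des_crypt(a.pwhash)]


if __name__ == "__main__":
    accts = unshadow(PASSWD, SHADOW)
    print("-shells:csh      ->", [a.login for a in select(accts, shells="csh")])
    print("-shells:-expired ->", [a.login for a in select(accts, shells="-expired")])
    print("crackable        ->", [a.login for a in loadable(accts)])
```

The shell match follows the rule stated above: a bare name matches the basename of any path, a name containing a slash must match the whole path. Locked accounts (a '*' or '!' in the hash field) and unmerged 'x' placeholders are dropped by loadable(), which is the first thing to check when John reports that no password hashes were loaded.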

Simultaneous Cracking

If you have several password files you can crack them all at the same time. If your password files are password1.txt, password2.txt and password3.txt you would type

john -single password1.txt password2.txt password3.txt
or
john -single password*

Defining Custom Rules

Rules
There isn't really any way that I can make all this up from scratch, so I am going to refer heavily to the JTR documentation in this section, though I will add examples of how you could use each option. I am unfortunately going to tell you that you must read the example rules in the original john.ini, as these are well annotated and explain what happens to each word. I am not going to explain the rules too simply; the RULES document that ships with John the Ripper has a breakdown of what each command does.

I am going to assume you leave the -single option alone, but want to apply rules to your own wordfile. The command to run is then :

john password.txt -w:wordfile.dic -rules

Load up the original john.ini and find this about half way down :

  1. Wordlist mode rules

[list.Rules:Wordlist]

This is where you type your rules, and where the example set is. Note that any line starting with "#" is a comment and is ignored by JTR, and I (and I suggest you) comment out rule lines that could be run by adding a semicolon in front of them so that JTR skips them this time.

I suggest you delete everything that is there already (keep the original john.ini as your reference copy so you can get the examples back). In what follows, only the rule lines would run; the explanation under each one is prose, so comment it out if you paste it into john.ini (best not to delete it, so you can refer back to it later).

>4<7

only check words that are 5 or 6 characters long (">4" rejects a word unless it is longer than 4, "<7" rejects it unless it is shorter than 7)

>5<7lc

only check words that are exactly 6 long, then lowercase them and make the first letter a capital (the "c" command does both; the "l" is redundant but harmless)

l<9/ese3

lowercase, and swap 'e' for '3'. Reject if no 'e' or longer than 8

l>2<4/isi1

lowercase, and swap 'i' for '1'. Reject if no 'i' or length not equal to 3

l<8/isi1^[0-9]

lowercase, swap 'i' for '1' and prepend 0-9 in turn. Reject if no 'i' or starting word length is 8+

'6/ese3/isi1$[0-9]

Truncate at 6 long, swap 'i' for '1' and 'e' for '3' and append one digit. Reject if no 'i' or 'e'

>3<5T1^[0-9]^[0-9]

word = 4 long, swap the case of the second letter (position 1), then prepend two digits (e.g. a birth year). The rule line itself was missing from the copied text; this one is reconstructed to match the description, with the case swap first because after two prepends that letter sits at position 3.

'7T0$[aeiou0-9]

Truncate at 7 chars, swap case of first letter, then append either a vowel or a number

i0[X]i2[Y]

Using insertion, make first char be 'X' and third 'Y' - i.e. word -> XwYord

o4[123]

Overwrite fifth character to be 1,2 or 3 - i.e. password -> pass1ord, pass2ord, pass3ord

/?ds5Y

Reject the word unless it contains a digit, then replace every '5' with 'Y'. (The copied text had "!?d" here, which does the opposite: "!" rejects words that contain the class, "/" rejects words that do not.)

=0?d$6

Reject the word unless it has a digit as the first character. Then append a '6'

@?w

Delete all spaces from the word ( well, phrase here

%2x

Reject the word unless 'x' appears at least twice

Those are the main types of rule, and by mixing and matching them you can probably crack any password that is based on a word. Instant respect to those who crack 2hqBaxh/iGPzU. I have a 91kb word.ini, which about covers everything, but with substantial cutting, pasting, searching and replacing

The only other thing to mention is that in some circumstances (such as when you are applying very complicated rules, or only a few simple ones) you can see what the rules are doing to the words by typing:

john -w:wordfile.dic -rules -stdout > output.file

No cracking occurs, so no password file is given. The most useful thing about this is that it lets you check that the rules do what you intended, and that you haven't made a mistake in john.ini. Bear in mind that JTR generates words very quickly; mine creates a MB in just over 30 seconds. If you apply very complicated rules to a large wordfile you can fill up your hard disk, so press space now and then to check progress (words times rules times average length gives you the rough size). I wouldn't run it for more than an hour without some simple maths to check you have the space.
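As an added example for this page (not John's own code), the Python below interprets the rule commands used in the list above, so you can check what a rule does to a word without running John, much like the -stdout run just described. It implements the preprocessor's [..] groups (including ranges such as [0-9]) and the commands l, u, c, T, ', <, >, /, !, =, %, s, ^, $, i, o and @ together with the ?d, ?w, ?v, ?c, ?l, ?u, ?a and ?x classes; the sample words are constructed. Commands that do not appear on this page raise an error rather than silently doing something else.

```python
"""A small interpreter for the John the Ripper wordlist-rule commands used on
this page, to show what a rule does to a word the way
`john -w:... -rules -stdout` would.

Added example, not John's own code. Covers the commands used above plus the
[..] preprocessor groups; anything else raises ValueError.
"""
import string

VOWELS = "aeiouAEIOU"
CLASSES = {
    "?": "?",                                                    # ?? is a literal '?'
    "v": VOWELS,
    "c": "".join(ch for ch in string.ascii_letters if ch not in VOWELS),
    "w": " \t",
    "d": string.digits,
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "a": string.ascii_letters,
    "x": string.ascii_letters + string.digits,
}


def _num(ch):
    """Length/position argument: 0-9, or A-Z meaning 10-35."""
    return int(ch) if ch.isdigit() else ord(ch) - ord("A") + 10


def _group(body):
    """Characters of one [...] group; 'a-c' style ranges are expanded."""
    chars, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def expand(rule):
    """Preprocessor: 'o4[123]' -> ['o41', 'o42', 'o43'] (cartesian product over groups)."""
    out, i = [""], 0
    while i < len(rule):
        if rule[i] == "[":
            j = rule.index("]", i)
            out = [p + c for p in out for c in _group(rule[i + 1:j])]
            i = j + 1
        else:
            out = [p + rule[i] for p in out]
            i += 1
    return out


def apply(rule, word):
    """Apply one expanded rule to a word; return the result, or None if rejected."""
    def matcher(pos):        # literal char or ?class at rule[pos] -> (predicate, next pos)
        if rule[pos] == "?":
            members = CLASSES[rule[pos + 1]]
            return (lambda ch: ch in members), pos + 2
        lit = rule[pos]
        return (lambda ch: ch == lit), pos + 1

    w, i = word, 0
    while i < len(rule):
        cmd, i = rule[i], i + 1
        if cmd == ":":                                   # no-op
            pass
        elif cmd == "l":
            w = w.lower()
        elif cmd == "u":
            w = w.upper()
        elif cmd == "c":                                 # capitalize
            w = w[:1].upper() + w[1:].lower()
        elif cmd == "T":                                 # toggle case at position N
            n, i = _num(rule[i]), i + 1
            if n < len(w):
                w = w[:n] + w[n].swapcase() + w[n + 1:]
        elif cmd == "'":                                 # truncate to N characters
            n, i = _num(rule[i]), i + 1
            w = w[:n]
        elif cmd in "<>":                                # reject unless shorter / longer than N
            n, i = _num(rule[i]), i + 1
            if not (len(w) < n if cmd == "<" else len(w) > n):
                return None
        elif cmd in "^$":                                # prepend / append a character
            ch, i = rule[i], i + 1
            w = ch + w if cmd == "^" else w + ch
        elif cmd in "io":                                # insert at / overwrite position N
            n, ch, i = _num(rule[i]), rule[i + 1], i + 2
            if cmd == "i" and n <= len(w):
                w = w[:n] + ch + w[n:]
            elif cmd == "o" and n < len(w):
                w = w[:n] + ch + w[n + 1:]
        elif cmd == "s":                                 # replace all X with Y
            m, i = matcher(i)
            rep, i = rule[i], i + 1
            w = "".join(rep if m(ch) else ch for ch in w)
        elif cmd == "@":                                 # purge all X
            m, i = matcher(i)
            w = "".join(ch for ch in w if not m(ch))
        elif cmd in "/!":                                # reject unless / if it contains X
            m, i = matcher(i)
            if any(m(ch) for ch in w) == (cmd == "!"):
                return None
        elif cmd == "=":                                 # reject unless char N is X
            n, i = _num(rule[i]), i + 1
            m, i = matcher(i)
            if n >= len(w) or not m(w[n]):
                return None
        elif cmd == "%":                                 # reject unless at least N of X
            n, i = _num(rule[i]), i + 1
            m, i = matcher(i)
            if sum(1 for ch in w if m(ch)) < n:
                return None
        else:
            raise ValueError(f"unsupported command {cmd!r} in rule {rule!r}")
    return w


def mangle(rule, words):
    """Run one rule line over a wordlist in John's order: each expanded rule over every word."""
    out = []
    for r in expand(rule):
        for word in words:
            m = apply(r, word)
            if m is not None:
                out.append(m)
    return out
```

mangle("/?ds5Y", ["abc", "a5b"]) gives ['aYb'], while the same call with "!?ds5Y" gives ['abc'], which shows '/' and '!' being opposites: '/' keeps only words that contain the class, '!' keeps only those that do not.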

Saving and Viewing Cracked Passwords

Saving and restoring multiple or single sessions

To save a cracking run, press Ctrl-C; John records where it is up to. To resume type

john -restore

This only keeps one saved session. To save more than one you must name the session before starting it, by typing

john -session:name pass.txt

where name is the name you want to give to the session and pass.txt is the password file you want to crack. To restore the session type

john -restore:name

To view how far through a saved session you are type

john -status:name

View your cracked passwords

Type

john -show pass.txt

where pass.txt is the password file to break

Viewing the Status of a Saved or Interrupted file

If your session has been interrupted (computer reset, power failure, etc.) you can see how far through the process you were by typing

john -status

this will give an output like this

guesses: 3 time: 0:00:00:50

If you have been running multiple sessions saved under different names you can view each one separately by typing

john -status:name1

john -status:name2

where name1 and name2 are sessions you were running previously (see Saving and restoring multiple or single sessions above).

Viewing specific cracked accounts

To check whether any root (UID 0) accounts have been cracked type

john -show -users:0 password.txt

To check multiple files, password1.txt and password2.txt, type

john -show -users:0 password*

To check the privileged groups (GID 0 and 1) type

john -show -groups:0,1 password.txt

Redirecting the output

When you crack a large file the cracked accounts scroll off the screen. You can redirect the output of a DOS program from the screen into a file, so that all of it is kept and can be referred to later (the Scroll Lock key lets you pause the screen, but keeps nothing). Strictly this is redirection, not piping: a pipe (|) sends the output to another program instead of a file. For example, after cracking pass.txt, type

john -show pass.txt > output.txt

where output.txt is the file the cracked accounts are written to.

Specifying the Type of Encryption to crack

John detects the hash type from the hash itself. When the detection is ambiguous, or you want to restrict a run to one type, tell it explicitly:

john -format:NAME pass.txt

where NAME is one of the following: DES (traditional crypt(3)), BSDI (extended DES), MD5 (FreeBSD-style $1$ hashes), BF (OpenBSD Blowfish, $2a$), AFS (Kerberos AFS) or LM (Windows LAN Manager).

Using Salts

A salt is a random value stored with the hash and mixed into the hash computation; in traditional DES crypt(3) it is the first two characters of the 13-character hash (12 bits, so 4096 possible salts). It makes cracking harder because every distinct salt forces a separate hash computation per candidate password: a candidate hashed under salt "Gp" can be compared against every account that uses "Gp", but says nothing about an account salted with "aY". Two sections of password files are given below; run John the Ripper on each and compare the c/s (crypts per second) it reports.

rj:GpZfNL9Uyz.F6
swimmer:Gpa/yCH9EN4CU
cristian:GpNCyGwgDgRX.
galaxyeng:GpM82aYsocajg
puppy3481:GpLz4TL.M6BeM
Quinn:GpsyHfQzLfwzg
tigger:GpwrQgJEC1otc
boeluv:GpvLPwjqdkmJY
mbrooks:Gpkv73fL6Jh9Y
eros_96:GpoQAPAFJ3FPY
MEvans9321:GpGYjZZWx6lOs
ROOTY:GpCmFE5HFhmeA
alant:GpwVv9cUpUOXo
wickdani:Gp.0w1z7.C79M

Notice that the first two characters of every hash, the salt, are the same (Gp): every account in this file shares one salt.

admin:ZUThDIlsSDhRs
szymonw:aYCHor8ozVxYg
amac0008:a3sYyPAERdgSc
wula1966:a5q2SbwGztH2s
tommbakk:a5Yf2a.GpI.mk
sundsval:adVAGtPKOFX9g
121221:aeJW.a8Mgo6zU
THEHBIC:ae2RwyRHFh9ME
THEEBIC:ahkhlQxhU0.X6
kwfish:aoeaE0bJ5RmEw
bufflo:arIBOGP3msI42
randy77:uVZ2OleOtJDu6
mxtwrestler:aQ6/Mh5xGU2xc
BUFFLO:aciTcHHepUUZY

Here almost every account has a different salt. On the machine these figures come from, the second file ran at around 7000 c/s while the first ran at around 2500000 c/s: with one shared salt a single DES computation per candidate is compared against every account in the file, whereas with distinct salts each candidate has to be hashed once per salt. When all the accounts share a salt, brute forcing a to zzzzzz becomes a very feasible option; with many salts the same work is multiplied by the number of distinct salts.

The options for selecting accounts by salt are

-salts:N loads only the hashes whose salt is shared by at least N accounts

-salts:-N loads only the hashes whose salt is shared by fewer than N accounts

An example command would be

john password.txt -salts:1000 -i:custom

This tells John to load an account only if at least 1000 accounts share its salt, so the expensive incremental run is spent where one hash computation checks the most accounts; a second run with -salts:-1000 then picks up the remainder.
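To put numbers on the salt effect, here is an added example (Python written for this page, not John's code) that groups the two hash lists above by salt, applies the -salts:N selection, and estimates how long an incremental run takes to exhaust its keyspace. The hash lists are the ones shown above; the crypt rate is an assumed parameter, since the c/s figures quoted above come from the original author's machine.

```python
"""Group traditional crypt(3) hashes by salt, apply -salts:N style selection
and estimate what an incremental run costs.

Added example, not John's own code. The two password-file extracts are the
ones shown above on this page; the crypt rate is an assumed parameter.
"""
from collections import Counter

SAME_SALT = """\
rj:GpZfNL9Uyz.F6
swimmer:Gpa/yCH9EN4CU
cristian:GpNCyGwgDgRX.
galaxyeng:GpM82aYsocajg
puppy3481:GpLz4TL.M6BeM
Quinn:GpsyHfQzLfwzg
tigger:GpwrQgJEC1otc
boeluv:GpvLPwjqdkmJY
mbrooks:Gpkv73fL6Jh9Y
eros_96:GpoQAPAFJ3FPY
MEvans9321:GpGYjZZWx6lOs
ROOTY:GpCmFE5HFhmeA
alant:GpwVv9cUpUOXo
wickdani:Gp.0w1z7.C79M
"""

MIXED_SALT = """\
admin:ZUThDIlsSDhRs
szymonw:aYCHor8ozVxYg
amac0008:a3sYyPAERdgSc
wula1966:a5q2SbwGztH2s
tommbakk:a5Yf2a.GpI.mk
sundsval:adVAGtPKOFX9g
121221:aeJW.a8Mgo6zU
THEHBIC:ae2RwyRHFh9ME
THEEBIC:ahkhlQxhU0.X6
kwfish:aoeaE0bJ5RmEw
bufflo:arIBOGP3msI42
randy77:uVZ2OleOtJDu6
mxtwrestler:aQ6/Mh5xGU2xc
BUFFLO:aciTcHHepUUZY
"""

CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def salt_counts(text):
    """Map each salt (first two characters of a 13-char DES crypt hash) to the
    number of accounts that use it."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        pwhash = line.split(":")[1]
        if len(pwhash) != 13 or not set(pwhash) <= CRYPT_ALPHABET:
            raise ValueError(f"not a traditional DES crypt hash: {pwhash!r}")
        counts[pwhash[:2]] += 1
    return counts


def select_salts(counts, spec):
    """-salts:N keeps salts shared by at least N accounts;
    -salts:-N keeps salts shared by fewer than N accounts."""
    n = int(spec)
    if n < 0:
        return {s: k for s, k in counts.items() if k < -n}
    return {s: k for s, k in counts.items() if k >= n}


def keyspace(charset_size, min_len, max_len):
    """Candidates an incremental run must try: the sum of size^k over the lengths."""
    return sum(charset_size ** k for k in range(min_len, max_len + 1))


def seconds_to_exhaust(counts, charset_size, min_len, max_len, crypts_per_second):
    """Every candidate has to be hashed once per distinct salt, so the cost is
    keyspace * number_of_salts / hash_rate. With one shared salt a single DES
    computation per candidate covers every account in the file."""
    return keyspace(charset_size, min_len, max_len) * len(counts) / crypts_per_second


if __name__ == "__main__":
    rate = 1_000_000                       # assumed DES crypts per second
    for name, text in (("same salt", SAME_SALT), ("mixed salts", MIXED_SALT)):
        c = salt_counts(text)
        print(f"{name}: {sum(c.values())} accounts, {len(c)} distinct salts, "
              f"a-zzzzzz takes {seconds_to_exhaust(c, 26, 1, 6, rate):.0f} s")
```

seconds_to_exhaust() multiplies the keyspace by the number of distinct salts, which is the whole point: a to zzzzzz is 321,272,406 candidates, and with one shared salt that is one DES computation each, while the second list has twelve distinct salts and needs twelve times the work for the same coverage.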

Common Problems

Zero Passwords loaded

Check the password-file format described under Password Files above first. If the file is right, try typing

john -show pass.txt

as the passwords may already have been cracked and stored in john.pot; John does not reload hashes it has already cracked. If that shows nothing either, the hash type may not have been recognised, in which case give it explicitly with -format (see Specifying the Type of Encryption to crack above).

John opens then immediately closes

This happens when john.exe is started by double-clicking it: the console window closes as soon as John exits. Run it from a DOS window as described above, so the output stays on screen.

John gives you an incorrect password

If you run John and it displays something like

guesses: 0  time: 0:00:01:13  c/s: 6100  trying: trypah - tuahj

this is NOT a cracked password, although people often mistake it for one. It is the status line, and "trypah - tuahj" is the range of candidates currently being tried. A cracked password is printed on its own line as the password followed by the login in parentheses, for example

blah (blah)

and is also saved to john.pot, so john -show pass.txt lists it later.

Fatal Errors or Access Denied

Simply delete your copy of John the Ripper and go to the homepage and download it again

Taken from : http://xelt.in/viewtopic.php?t=2487

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.