John The Ripper

I borrowed this from:

and they borrowed from:

Background Information

Question: What does John the Ripper do?

Answer: It cracks DES-hashed passwords, the form of password protection used by most Internet servers, web sites and universities. DES password hashing is used on Unix systems. DES stands for Data Encryption Standard.

Other Unix Password Crackers
Cracker Jack v1.4
John the Ripper Win32 version
John the Ripper *nix version
Killer Cracker
VCU (front end for John the Ripper, Cracker Jack and Xit)
Viper v1.1

Password Files

Create a text document containing the password entry that you want to crack, in the format given below.


Alternatively, you can use the password file in the format it is given; John the Ripper works with either format. This is an example of one entry from a password file, with all of its fields:

john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john

To open a text document in Windows, go to Start/Programs/Accessories/WordPad.

Broken down, the password file entry above contains the following fields:

john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john

Username: john

Encrypted Password: 234abc56

User Number (UID): 9999

Group Number (GID): 13

Other Information: John Johnson

Home Directory: /home/dir/john

Shell: /bin/john

John the Ripper

Open a DOS window, then change to the directory containing the file (using the cd command). Then decide how you want to crack the file; I recommend the following approach, in this order:
single mode
wordlist mode
wordlist mode with rules

To open a DOS window, go to Start/Programs/DOS Prompt.

Using the Single Crack Mode

Single crack mode is recommended as the first mode, as it will break all the weak passwords. It runs through a set of simple rules with a basic word list; this is a good way to start because it is fast and will quickly break weak passwords.

john -single pass.txt

where pass.txt is your password file. Information on changing the single crack mode from its defaults is given in the RULES document that comes with John the Ripper.

Using the Wordlist Mode

To run John the Ripper with a wordlist and the rules option, type in the DOS window

john -w:word.dic -rules pass.txt

where word.dic is your wordlist and pass.txt is your password file; a wordlist of about 2 MB is recommended. This mode applies a set of rules to the words in your wordlist and will break most passwords, because most users choose passwords that have meaning and are easy to remember.

Using the Incremental Mode

Incremental mode should be used after trying the single and wordlist modes.

john -i:all pass.txt goes through all characters

john -i:alpha pass.txt goes through all the letters

john -i:digits pass.txt goes through all the digits

john -i:lanman pass.txt goes through capital letters, lower case letters, digits and a few special characters

Incremental mode does as the name suggests: it increments through all possible combinations of the character set. If the minimum length were 1, the maximum length 6 and the character set all lower case letters, it would first try a, then b, then c, and so on through to zzzzzz.

Using an external mode

john -external:MODE pass.txt

where pass.txt is the password file to be cracked and MODE is defined in the john.ini file in the [list.External:MODE] section.

Trading Hard-Drive Space for Speed

If you use JtR and use the incremental modes often, you might want to try this.

john -stdout -i:[whatever] > blah.txt

where whatever is your favourite incremental mode. Then, when you want to run that incremental mode, you would type

john -w:blah.txt pass.txt

This runs much faster, and comes in handy if you can trade hard-drive space for performance.

Customizing Cracking Modes

Configuring Incremental Mode

Edit the john.ini file for incremental mode as shown below.

1) Scroll down to the section marked #incremental

2) go to the


File = ~/alpha.chr

MinLen = 0

MaxLen = 8

CharCount = 26

Now you need to guess the minimum and maximum lengths. If you think it is a 5-character password, you would change it to look like


File = ~/alpha.chr

MinLen = 5

MaxLen = 5

CharCount = 36


Save your changes, then open your DOS window and type

john -i:alpha pass.txt

Configuring the Wordlist Mode

Open the john.ini file and scroll down to the


Add the rules in the order that you want them to run. For more information on how to create a rule set, refer to the RULES document that comes with John the Ripper; click here for some examples.

Making a Character Set

This section shows how to generate a character set for use with incremental mode.

This is useful for restricting the search to whichever characters you choose. Say, for instance, that by some deceptive means we know the password is made up only of capital letters and numbers (but you can use any combination of upper case, lower case, a few special characters, anything you want to add).

To generate the character set, follow these instructions.

1) Open a text editor (click here if unsure how).

2) Type the characters you want, preceded by a ":". You will type this:


3) Then go to Save As and save it as "john.pot". Make sure you DON'T save it as a text file, so select all file types; also make sure you save it in the same directory as your JtR program.

4) Then go to the DOS prompt where you normally run JtR from and type

john -makechars:custom.chr

5) JtR will do a few calculations and tell you how many characters you have used; make a note of how many.

6) Then edit john.ini (or open it with your text editor), scroll down until you see the incremental section, and add the following lines.


File = ~/custom.chr

Minlen = 0

Maxlen = 8

CharCount = 36

7) Make CharCount whatever JtR calculated; obviously, if you have the alphabet plus ten digits that adds up to 36. Then save the changes made to john.ini.
MinLen and MaxLen can be anything you want. Lengths under 3 are almost instantaneous, so you may as well start at 0 just in case some sysadmin was feeling easy that day. There is no sense in making the maximum length larger than 8 unless you have far too much time on your hands, especially in wordlist mode, because of the way JtR handles it: if it gets a match on the first 8 characters, that is considered a correct guess.

8) At your DOS prompt, or wherever you normally run JtR from, type

john -i:custom pass.txt

where pass.txt is the password file to break.

Cracking specific accounts

a) Ignoring a type of shell

b) Choosing the shells you want to crack

c) Cracking specific users in multiple password files

d) Excluding users from the cracking attempt

e) Loading specific users

If you notice that an account has a disabled shell, you can make John ignore it. If the disabled shell were /etc/expired you would type

john -show -shells:-/etc/expired password.txt

where password.txt is the encrypted file. If there are multiple shells you wish to ignore, you would type

john -show -shells:-expired,newuser password.txt

if the other shell were /etc/newuser.

If you only want to crack accounts whose shell is sh, csh, tcsh or bash, you would type
john -w:dictionary.dic -rules -shells:sh,csh,tcsh,bash password.txt

You might choose this option if the other user accounts have very limited privileges.

To crack a specific user in multiple password files, password1.txt, password2.txt and password3.txt, you would type

john -w:dictionary.dic -rules -users:0 password*

which will attempt to crack root (UID 0) in all three files.

To exclude users from the cracking attempt (for example, say you know the root password consists of 9 characters, so you won't want to waste your time trying to crack root) you would type

john -w:dictionary.dic -rules -users:-root password.txt

To load specific users, groups or shells, type one of
john -users:[-]LOGIN|UID[,..] pass.txt for specific users
john -groups:[-]GID[,..] pass.txt for specific groups
john -shells:[-]SHELL[,..] pass.txt for specific shells

with the shell option you can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', while '-shells:/bin/csh' will only match '/bin/csh'.
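As an added example (not part of the original page or of John the Ripper itself), the following Python reproduces the filter semantics described above, the -users, -groups and -shells options with their leading-minus exclusion form and the path-or-no-path shell matching, applied to passwd-format lines broken down as in the "Password Files" section. The sample lines and their hash fields are constructed placeholders.

```python
from collections import namedtuple

# One passwd-format line, fields named as the page breaks them down.
Account = namedtuple("Account", "user pw_hash uid gid gecos home shell")

def parse_passwd_line(line: str) -> Account:
    # Seven colon-separated fields: user:hash:UID:GID:info:home:shell
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    user, pw_hash, uid, gid, gecos, home, shell = fields
    return Account(user, pw_hash, int(uid), int(gid), gecos, home, shell)

def _parse_spec(spec: str):
    # A leading '-' turns the list into an exclusion list, e.g. "-root,bin".
    negate = spec.startswith("-")
    items = (spec[1:] if negate else spec).split(",")
    return negate, [i for i in items if i]

def match_users(a: Account, spec: str) -> bool:
    # -users takes login names or numeric UIDs ("0" selects root).
    negate, items = _parse_spec(spec)
    hit = any(i == a.user or (i.isdigit() and int(i) == a.uid) for i in items)
    return hit != negate

def match_groups(a: Account, spec: str) -> bool:
    negate, items = _parse_spec(spec)
    hit = any(i.isdigit() and int(i) == a.gid for i in items)
    return hit != negate

def match_shells(a: Account, spec: str) -> bool:
    # A shell without a path ("csh") matches in any directory; "/bin/csh" is exact.
    negate, items = _parse_spec(spec)
    hit = any((a.shell == i) if i.startswith("/") else (a.shell.rsplit("/", 1)[-1] == i)
              for i in items)
    return hit != negate

def select_accounts(lines, users=None, groups=None, shells=None):
    """Return the login names that would be loaded under the given filters."""
    filters = [(users, match_users), (groups, match_groups), (shells, match_shells)]
    return [a.user for a in map(parse_passwd_line, lines)
            if all(spec is None or fn(a, spec) for spec, fn in filters)]

# Constructed sample: line 1 is the page's own example, the rest are made up;
# the hash fields are placeholders, not real crypt output.
SAMPLE = [
    "john:234abc56:9999:13:John Johnson:/home/dir/john:/bin/john",
    "root:aa0000000000:0:0:root:/root:/bin/sh",
    "mary:bb0000000000:1001:100:Mary:/home/mary:/usr/bin/csh",
    "old:cc0000000000:1002:100:Old User:/home/old:/etc/expired",
]
```

For instance, `select_accounts(SAMPLE, shells="-expired")` drops the account with the disabled /etc/expired shell, and `select_accounts(SAMPLE, shells="csh")` keeps /usr/bin/csh while `shells="/bin/csh"` would not.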

Simultaneous Cracking

If you have several password files you can crack them all at the same time. If your password files are password1.txt, password2.txt and password3.txt, you would type either

john -single password1.txt password2.txt password3.txt
john -single password*

Defining Custom Rules

There isn't really any way I can make all of this up from scratch, so I am going to refer heavily to the JtR documentation in this section, though I will add examples of how you could use each option. Unfortunately, you must read the example rules in the original john.ini file, as these are well annotated and explain what happens to each word. I am not going to explain the rules in full here, so click here for a breakdown of what each command does.

I am going to assume you leave the -single option alone but want to apply rules to your own wordfile. The command to run is then:

john password.txt -w:wordfile.dic -rules

Load up the original john.ini and find this, about half way down:

Wordlist mode rules


This is where you type your rules, and where the example set is. Note that any line starting with "#" is an annotation and is ignored by JtR; I (and I suggest you) comment out lines that could be run by adding a semicolon in front of them so that JtR skips them this time.

I suggest you delete everything that is there already; remember you can click the above link to get it back again. Remember that in what follows, only the yellow lines would run, so comment the others out (best not to delete them, so you can refer back to them later).


only check words that are 5 or 6 characters long


only check words that are 6 long, and then lowercase and make first letter a capital


lowercase, and swap 'e' for '3'. Reject if no 'e' or longer than 8


lowercase, and swap 'i' for '1'. Reject if no 'i' or length not equal to 3


lowercase, swap 'i' for '1' and prepend 0-9 in turn. Reject if no 'i' or starting word length is 8+


Truncate at 6 long, swap 'i' for '1' and 'e' for '3' and append one digit. Reject if no 'i' or 'e'

Word = 4 long, prepend 2 digits ( i.e. birthyear ) and swap case of second letter ( position 1 )


Truncate at 7 chars, swap case of first letter, then append either a vowel or a number


Using insertion, make first char be 'X' and third 'Y' - i.e. word -> XwYord


Overwrite fifth character to be 1,2 or 3 - i.e. password -> pass1ord, pass2ord, pass3ord


Reject the word unless it has a number. Swap '5' for 'Y', if it has one


Reject the word unless it has a digit as the first character. Then append a '6'


Delete all spaces from the word (well, phrase here)


Reject the word unless 'x' appears at least twice

Those are the main types of rule, and by mixing and matching them you can probably crack any password that is based on a word. Instant respect to those that crack 2hqBaxh/iGPzU. I have a 91 KB word.ini, which about covers everything, but only after substantial cutting, pasting, searching and replacing.

The only other thing to mention is that in some circumstances (such as when you are applying very complicated rules, or only a few simple ones) you can output what the rules are doing to the words by typing:

john -w:wordfile.dic -rules -stdout > output.file

Note that no cracking is actually occurring, so no password file is specified. The most useful advantage of the above is that it lets you check that the rules are doing what you wanted them to do, and that you haven't gone wrong in writing john.ini. Bear in mind that JtR generates words very quickly; mine creates a MB in just over 30 seconds. If you apply very complicated rules to a large wordfile you can fill up your hard disk, so press the space bar to check on your progress. I wouldn't run it for more than an hour without some simple maths to check that you have the space.

Saving and Viewing Cracked Passwords

Saving and restoring multiple or single sessions

To save your cracking session, press Ctrl+C and John will save where it is up to. To resume, type

john -restore

This only allows you to save one session. To save more than one, you must name the session before starting by typing

john -session:name pass.txt

where name is the name you want to give the session and pass.txt is the password file you want to crack. To restore the session, type

john -restore:name

To view how far through a saved session you are, type

john -status:name

View your cracked passwords


john -show pass.txt

where pass.txt is the password file being cracked.

Viewing the Status of a Saved or Interrupted file

If your session has been interrupted (computer reset, power failure, etc.) you can see how far through the process you were by typing

john -status

This gives output like the following:

guesses: 3 time: 0:00:00:50

If you have been running multiple sessions and saved them under different names, you can view each one separately by typing

john -status:name1

john -status:name2

where name1 and name2 are two sessions you were running previously. Click here for information on how to save multiple sessions.

Viewing specific cracked accounts

To check whether any root accounts were cracked, type

john -show -users:0 password.txt

To check multiple files, password1.txt and password2.txt, type

john -show -users:0 password*

To check for privileged accounts (groups 0 and 1), type

john -show -groups:0,1 password.txt

Piping the output

What is piping? Piping (strictly, output redirection with >) lets you send the output of a DOS program to a file instead of the screen. This makes it possible to view all the output when some of it won't fit on the screen. Another way to view all the output is to use the Scroll Lock key; piping, however, lets you refer back to the output later.
When you crack a large file, all the cracked accounts will not fit on the screen, so for easy viewing you can pipe the results into a text file. For example, if you had cracked a file called pass.txt, to pipe the cracked accounts into a text file you could type

john -show pass.txt > output.txt

where output.txt is the file you wish to pipe the cracked accounts into.

Specifying the Type of Encryption to crack

To change the type of cipher text to crack, type

john -format:NAME

where NAME is one of the following: DES, BSDI, MD5, BF, AFS, LM

Using Salts

Salts are used to make the hashes harder to break. Two example sections of password files are given below; try using John the Ripper with both of them and look at the difference in the c/s.

Notice that the first two letters of each encrypted password are the same.

Notice that when you run the second password file you get values of around 7000 c/s, whereas with the first lot of passwords you get values of around 2500000 c/s. When there are no different salts, brute-forcing a to zzzzzz becomes a very feasible option.


The modes for using the salts are



An example command would be


john password.txt -salt:1000 -i:custom


The -salt option tells it only to crack accounts if there are at least 1000 accounts with the same salt.
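As an added example (not the page's or John the Ripper's own code), the Python below groups DES-style password entries by their two-character salt, mimics the -salt:N loading threshold, and sizes the a to zzzzzz keyspace from the incremental section's CharCount/MinLen/MaxLen values; it assumes the usual cost model in which every candidate must be hashed once per distinct salt, which is what the c/s gap above reflects. The sample entries and hashes are constructed placeholders.

```python
from collections import Counter

# Constructed sample file: hashes are placeholders in the 13-character shape of
# traditional DES crypt output, not real hashes. Three accounts share salt "ab".
SAMPLE = [
    "alice:ab0000000000a:1001:100:Alice:/home/alice:/bin/sh",
    "bob:ab0000000000b:1002:100:Bob:/home/bob:/bin/sh",
    "carol:ab0000000000c:1003:100:Carol:/home/carol:/bin/sh",
    "dave:cd0000000000d:1004:100:Dave:/home/dave:/bin/sh",
]

def salt_of(des_hash: str) -> str:
    # In traditional DES crypt the first two characters of the hash are the salt.
    return des_hash[:2]

def salt_counts(lines) -> Counter:
    """How many accounts share each salt (an audit view of the password file)."""
    counts = Counter()
    for line in lines:
        pw_hash = line.split(":")[1]
        counts[salt_of(pw_hash)] += 1
    return counts

def accounts_loaded(lines, min_per_salt: int):
    """Mimic -salt:N: keep only accounts whose salt is shared by at least N accounts."""
    counts = salt_counts(lines)
    return [line.split(":")[0] for line in lines
            if counts[salt_of(line.split(":")[1])] >= min_per_salt]

def keyspace(charcount: int, minlen: int, maxlen: int) -> int:
    """Candidates incremental mode must try for the given CharCount/MinLen/MaxLen."""
    return sum(charcount ** n for n in range(minlen, maxlen + 1))

def crypts_needed(lines, charcount: int, minlen: int, maxlen: int) -> int:
    """Each candidate is hashed once per distinct salt in the file: distinct
    salts multiply the work, while accounts sharing a salt add none."""
    return keyspace(charcount, minlen, maxlen) * len(salt_counts(lines))

def seconds_at(crypts: int, cps: float) -> float:
    """Wall-clock estimate at a given hashes-per-second rate (the page's c/s)."""
    return crypts / cps

if __name__ == "__main__":
    print(salt_counts(SAMPLE), "->", len(salt_counts(SAMPLE)), "distinct salt(s)")
    print("-salt:2 would load:", accounts_loaded(SAMPLE, 2))
    single = keyspace(26, 1, 6)  # lower case, a to zzzzzz
    print("a..zzzzzz, one salt at 2500000 c/s:", seconds_at(single, 2_500_000), "s")
    print("same keyspace over this file:", seconds_at(crypts_needed(SAMPLE, 26, 1, 6), 2_500_000), "s")
```

A file in which every account has a distinct salt costs as many crypt() calls per candidate as it has accounts, which is why unique per-user salts are the defence the page's c/s comparison is pointing at.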

Common Problems

Zero Passwords loaded

Click here first; if you have done this step correctly, try typing

john -show pass.txt

as the password may already have been cracked and stored in john.pot.

John opens then immediately closes

John gives you an incorrect password

If you run John and it displays a password that doesn't work, or its output looks like

guesses: 0 time 00.00.01:13 c/s 6100 trying trypah - tuahj

this is NOT a cracked password; this is a common mistake people make. A cracked password looks like this:

guesses: 0 time 00.00.01:13 c/s 6100 trying trypah - tuahj

blah (blah)

Fatal Errors or Access Denied

Simply delete your copy of John the Ripper, go to the homepage and download it again.

Taken from:

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.