This manual page documents briefly the john command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page. john, better known as John the Ripper, is a tool to find weak passwords of users in a server. John can use a dictionary or some search pattern as well as a password file to check for passwords. John supports different cracking modes and understands many ciphertext formats, like several DES variants, MD5 and blowfish. It can also be used to extract AFS and Windows NT passwords.
To use John, you just need to supply it a password file and the desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental".
Once John finds a password, it will be printed to the terminal and saved into a file called ~/.john/john.pot. John will read this file when it restarts so it doesn't try to crack already done passwords.
To see the cracked passwords, use
john -show passwd
Important: do this under the same directory where the password was cracked (when using the cronjob, /var/lib/john), otherwise it won't work.
While cracking, you can press any key for status, or Ctrl+C to abort the session, saving point information to a file ( ~/.john/john.rec by default). By the way, if you press Ctrl+C twice John will abort immediately without saving. The point information is also saved every 10 minutes (configurable in the configuration file, ~/.john/john.ini or ~/.john/john.conf ) in case of a crash.
To continue an interrupted session, run:
john -restore
Now, you may notice that many accounts have a disabled shell, you can make John ignore these (assume that shell is called /etc/expired ):
john -show -shells:-/etc/expired passwd
You might want to mail all the users who got weak passwords, to tell them to change the passwords. It's not always a good idea though (unfortunately, lots of people seem to ignore such mail, it can be used as a hint for crackers, etc), but anyway, I'll assume you know what you're doing. Get a copy of the 'mailer' script supplied with John, so you won't change anything that's under /usr/sbin ; edit the message it sends, and possibly the mail command inside it (especially if the password file is from a different box than you got John running on). Then run:
./mailer passwd
Anyway, you probably should have a look at /usr/share/doc/john/OPTIONS for a list of all the command line options, and at /usr/share/doc/john/EXAMPLES for more John usage examples with other cracking modes.
mailer(8), unafs(8), unique(8), unshadow(8),
The programs and the configuration files are documented fully by John's documentation, which should be available in /usr/share/doc/john or other location, depending on your system.