LinuxCommandLibrary

john

Crack passwords using dictionary or brute-force attacks

TLDR

Crack password hashes

$ john [path/to/hashes.txt]

Show passwords cracked
$ john --show [path/to/hashes.txt]

Display users' cracked passwords by user identifier from multiple files
$ john --show --users=[user_ids] [path/to/hashes1.txt path/to/hashes2.txt ...]

Crack password hashes, using a custom wordlist
$ john --wordlist=[path/to/wordlist.txt] [path/to/hashes.txt]

List available hash formats
$ john --list=formats

Crack password hashes, using a specific hash format
$ john --format=[md5crypt] [path/to/hashes.txt]

Crack password hashes, enabling word mangling rules
$ john --rules [path/to/hashes.txt]

Restore an interrupted cracking session from a state file, e.g. mycrack.rec
$ john --restore=[path/to/mycrack.rec]

SYNOPSIS

john [OPTIONS] [PASSWORD_FILES]

Common usage examples:
john --wordlist=WORDLIST_FILE [PASSWORD_FILE]
john --incremental[=MODE] [PASSWORD_FILE]
john --single [PASSWORD_FILE]
john --show [PASSWORD_FILE]
john --format=FORMAT [PASSWORD_FILE]

PARAMETERS

--wordlist=FILE
    Specifies a wordlist file for dictionary attacks.

--rules[=NAME]
    Applies wordlist rules (e.g., appending numbers, changing case) during dictionary attacks.

--incremental[=MODE]
    Enables incremental (brute-force) mode. MODE defines the character set and attack strategy (e.g., ASCII, ALNUM, DIGITS).

--single
    Enables single crack mode, attempting permutations based on user information.

--format=NAME
    Specifies the hash format to use (e.g., crypt, raw-MD5, nt, sha512crypt). Use --list=formats to see available options.

--session=NAME
    Assigns a name to the current cracking session for later resumption.

--restore[=NAME]
    Restores a previously saved cracking session.

--show
    Displays all successfully cracked passwords for the specified input files.

--stdout
    Outputs generated candidate passwords to standard output instead of cracking.

--stdin
    Reads candidate passwords from standard input for cracking.

--mask=MASK
    Enables mask mode, a flexible brute-force attack with fixed parts and unknown characters.

--dev=TYPE
    Specifies the OpenCL/CUDA device to use for GPU-accelerated cracking.

--fork=N
    Forks N processes for parallel cracking on multi-core CPUs.

--test
    Performs a benchmark of supported hashing algorithms on the current system.

--pot=FILE
    Specifies the location of the john.pot file, where cracked passwords are stored.

DESCRIPTION

John the Ripper (JtR) is a free and open-source password cracking software tool. Its primary purpose is to detect weak system passwords, supporting hundreds of hash and cipher types, including various network protocols and encrypted filesystems.

JtR combines several password cracking modes: dictionary attacks (using wordlists), brute-force attacks (incremental mode), and single crack mode (using user information). It can detect hash types automatically, and it supports saving and restoring sessions, so long cracking runs can be paused and resumed.

JtR is widely used by security professionals to audit password strength and by penetration testers to uncover weak credentials. It is often paired with other tools that extract hashes from sources such as `/etc/shadow` or encrypted archives. The Jumbo version extends its capabilities with even more hash types and features.

CAVEATS

Ethical Use: John the Ripper is a powerful security auditing tool. Its use should be strictly limited to systems where explicit permission has been granted, as misuse can have severe legal consequences.

Performance: Cracking speed is highly dependent on hash complexity, password strength, and available hardware (CPU/GPU). Longer and more complex passwords require significantly more time and computational resources.

Hash Pre-processing: Often, password hashes need to be extracted and converted into a format John the Ripper understands using helper utilities like unshadow, zip2john, or rar2john.

EXTERNAL UTILITIES

John the Ripper is often used in conjunction with a suite of specialized helper utilities designed to extract password hashes from various file types or system formats. These include tools like zip2john, rar2john, pdf2john, office2john, ssh2john, and wpapsk2john, which convert archives, documents, or network captures into a format consumable by JtR.

POT FILE (JOHN.POT)

The john.pot file, by default located in JtR's run directory, serves as a crucial database where all successfully cracked password hashes and their corresponding plaintexts are stored. This prevents John from re-cracking the same hash multiple times and allows users to easily review all recovered credentials from past sessions.
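
Added example (not from the original page or the John the Ripper project): because john.pot and the output of --show both contain recovered plaintexts, an audit report is safer if it carries only the affected login names. The function names, the file names in the comments (hashes.txt, wordlist.txt, reset-list.txt) and the sample output are constructed for illustration; the sample follows the layout --show prints for passwd-style input.

```shell
#!/bin/sh
# Turn `john --show` output into a password-reset list that never
# contains the recovered plaintexts (added example, hypothetical names).

# Constructed sample of `john --show` output for an unshadowed passwd file:
# login:password:uid:gid:gecos:home:shell, a blank line, then a summary line.
sample_show_output() {
cat <<'EOF'
alice:Summer2024:1001:1001:Alice Example:/home/alice:/bin/bash
svc_backup:backup:998:998::/var/lib/backup:/usr/sbin/nologin
bob:pass:word1:1002:1002:Bob Example:/home/bob:/bin/bash

3 password hashes cracked, 2 left
EOF
}

# Print only the login names of cracked accounts, sorted and de-duplicated.
# Only field 1 is read: a cracked password may itself contain ':' (see bob
# above), so later fields cannot be split reliably, and the plaintext is
# deliberately kept out of the report. The blank line and the summary line
# contain no ':' and are skipped by the NF test.
weak_accounts() {
    awk -F: 'NF >= 2 { print $1 }' | sort -u
}

# Print "<cracked> <total>" taken from the summary line.
audit_totals() {
    awk '/password hash(es)? cracked, [0-9]+ left$/ { print $1, $1 + $(NF-1) }'
}

# Typical use on a real system, in a directory only the auditor can read:
#   umask 077
#   unshadow /etc/passwd /etc/shadow > hashes.txt
#   john --session=audit --wordlist=wordlist.txt --rules hashes.txt
#   john --show hashes.txt | weak_accounts > reset-list.txt
# Here the functions run on the constructed sample instead.
sample_show_output | weak_accounts
sample_show_output | audit_totals
```
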

HISTORY

John the Ripper was originally created by Solar Designer (Alexander Peslyak) in 1996, primarily for auditing weak Unix crypt(3) hashes. Over the years, its capabilities have vastly expanded to support hundreds of hash types and cracking modes. The Jumbo community-enhanced version, which includes numerous additional features and formats, has gained significant popularity and is widely maintained and used today, making JtR a cornerstone tool in password security auditing.

SEE ALSO

hashcat(1), unshadow(1), pwunconv(8), passwd(1), crypt(3)
