It is a tool best suited to crack a large number of passwords (based on different algorithms), using dictionary attacks and brute-force (offline attacks). In order to understand the options that this tool offers you should use following command and analyze them in detail:
john --help
JtR is essentially used for attacks on offline files that contain some type of passwords. Imagine a scenario where you obtain a file with a set of passwords (which are protected in some way) and you want to find out (crack) the original passwords - this is a task for JtR.
This tool can take advantage of extra hardware in the machine, such as GPUs, to speed up the password discovery process.
Using JtR to crack passwords on a Linux system
In this case, let us try to find out the passwords of users on a Linux system. The first we need to do (for demo purposes) is to get the passwords and save them to a file (we can do this on the Kali Linux system):
The passwords on a Linux system are usually encrypted using an algorithm called crypt. Therefore this information is important for the JtR tool.
Using a brute-force approach
To do a brute-force attack we can simply do:
john --format=crypt allpasswords
--format indicates the format of the passwords on the file (allpasswords)
As you may notice, this will take a looooong time! Look at the CPU consumption and check the ETA...
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 19.19% 1/3 (ETA: 11:16:13) 0g/s 100.8p/s 100.8c/s 100.8C/s Useronel..Uusery
0g 0:00:00:23 38.12% 1/3 (ETA: 11:16:26) 0g/s 98.67p/s 98.67c/s 98.67C/s Muser..SUser
0g 0:00:01:07 85.71% 1/3 (ETA: 11:16:45) 0g/s 92.22p/s 92.22c/s 92.22C/s Ouser11111..oneuser111111
0g 0:00:01:14 94.22% 1/3 (ETA: 11:16:44) 0g/s 92.82p/s 92.82c/s 92.82C/s ouser2023..oneuser1964
Session aborted
Using a dictionary approach
In order to save time, we may try to use a dictionary attack instead. In order to do that we need to do the following, using a dictionary (passwords.txt):
john --format=crypt --wordlist=passwords.txt allpasswords
If the word list contains a password we obtain a result really fast.
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 8 candidates left, minimum 96 needed for performance.
password (user)
1g 0:00:00:00 DONE (2022-11-08 11:22) 7.692g/s 61.53p/s 61.53c/s 61.53C/s 123456
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Note: if nothing is refered, the discovered passwords are stored in the ~/.john/john.pot file. If we like to specify any other pot location, we need to use the --pot option.
Cracking MD5 password files
Now we are going to use larger dimension files, to explore JtR funcionalities. First we are going to download the Rockyou password file (rockyou.txt). We can download this file from here.
So lets try to find some passwords using JtR to do a dictionary attack:
john --format=raw-md5 --wordlist=rockyou.txt hashes-9.raw-md5.txt -pot=found.pot
And lets cross our fingers. Here are the results:
Using default input encoding: UTF-8
Loaded 3413 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
confused (reddych)
firetruck (aascott)
outcast (chrism)
everyone (tadams)
bigballer (jthomas)
blacksmith (lauraw)
fellowship (bobj)
baking (seanj)
Miller (kim.harris)
firsttime (bhill)
pig (maxa)
afterwards (whiteco)
winwinwin (bradl)
one (gajohnston)
fountains (hlopez)
Vernon (raybe)
Unfaithful (wirahman)
semicolon (hughesli)
phantom01 (thomasm)
here (jamieg)
sorcery (smithd)
interbank (lewisa)
defensive (court.miller)
Tomas (brjackson)
All the dicovered passwords are recorded to the found.pot file - as specified in the command. Look at its content:
Another important issue to consider when using a dictionary attack is to look at word mangling rules that JtR can use to do combinations with the words in the dictionary. For more information about this, please check this and this, and then try to use.
We can also use a brute force approach for this. In order to do that we can do the following:
john --incremental cmiyc_2012_password_hash_files/hashes-9.raw-md5.txt
But this will take a very long time!!!
Cracking password protected files
Another useful feature that JtR offers is the possibility to crack a password of a file, namely zip files. So lets try to do that.
First we need a password-protected zip file. Either you can create your own file, or you can use this file, that I've prepared previously (logo.zip).
The first thing we need to do is to extract the hash part of the file that contains the password. To to that we'll use the following command:
Next, we'll use a dictionary attack to try to find the password. The dictionary that we'll use is the rockyou.txt file. The command is as follows:
john --wordlist=rockyou.txt file.hash -pot=found.pot
And lets look at what we've found.
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (logo.zip)
1g 0:00:00:00 DONE (2022-11-08 19:27) 100.0g/s 6400p/s 6400c/s 6400C/s 123456..charlie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
