John the Ripper (JtR) is a tool that can be used to attack password-based systems.
It is best suited to cracking large numbers of password hashes (produced by many different algorithms) using dictionary and brute-force attacks, performed offline. To understand the options the tool offers, run the following command and read through them in detail:
john --help
JtR is essentially used for offline attacks on files that contain password hashes or otherwise protected passwords. Imagine a scenario where you obtain a file with a set of protected passwords and want to recover (crack) the original passwords: this is a task for JtR.
This tool can take advantage of extra hardware in the machine, such as GPUs, to speed up the password discovery process.
Using JtR to crack passwords on a Linux system
In this case, let us try to find out the passwords of the users on a Linux system. The first thing we need to do (for demo purposes) is to get the password hashes and save them to a file (we can do this on the Kali Linux system):
--format indicates the format of the password hashes in the file (allpasswords).
As you may notice, this will take a looooong time! Look at the CPU consumption and check the ETA...
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:09 19.19% 1/3 (ETA: 11:16:13) 0g/s 100.8p/s 100.8c/s 100.8C/s Useronel..Uusery
0g 0:00:00:23 38.12% 1/3 (ETA: 11:16:26) 0g/s 98.67p/s 98.67c/s 98.67C/s Muser..SUser
0g 0:00:01:07 85.71% 1/3 (ETA: 11:16:45) 0g/s 92.22p/s 92.22c/s 92.22C/s Ouser11111..oneuser111111
0g 0:00:01:14 94.22% 1/3 (ETA: 11:16:44) 0g/s 92.82p/s 92.82c/s 92.82C/s ouser2023..oneuser1964
Session aborted
Using a dictionary approach
To save time, we can try a dictionary attack instead. To do that, we run the following, using a dictionary file (passwords.txt):
john --format=crypt --wordlist=passwords.txt allpasswords
If the word list contains the password, we obtain a result almost immediately.
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 8 candidates left, minimum 96 needed for performance.
password (user)
1g 0:00:00:00 DONE (2022-11-08 11:22) 7.692g/s 61.53p/s 61.53c/s 61.53C/s 123456
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Note: unless told otherwise, JtR stores the cracked passwords in the ~/.john/john.pot file. To use a different pot file, pass the --pot option.
Cracking MD5 password files
Uncompress the file:
tar -xf cmiyc_2012_password_hash_files.tar.bz2
From all the files that are extracted, we are going to use this one:
hashes-9.raw-md5.txt
This file contains raw MD5 password hashes and has the following format:
So let's try to recover some passwords by using JtR to run a dictionary attack:
john --format=raw-md5 --wordlist=rockyou.txt hashes-9.raw-md5.txt -pot=found.pot
And let's cross our fingers. Here are the results:
Using default input encoding: UTF-8
Loaded 3413 password hashes with no different salts (Raw-MD5 [MD5 256/256 AVX2 8x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
confused (reddych)
firetruck (aascott)
outcast (chrism)
everyone (tadams)
bigballer (jthomas)
blacksmith (lauraw)
fellowship (bobj)
baking (seanj)
Miller (kim.harris)
firsttime (bhill)
pig (maxa)
afterwards (whiteco)
winwinwin (bradl)
one (gajohnston)
fountains (hlopez)
Vernon (raybe)
Unfaithful (wirahman)
semicolon (hughesli)
phantom01 (thomasm)
here (jamieg)
sorcery (smithd)
interbank (lewisa)
defensive (court.miller)
Tomas (brjackson)
All the discovered passwords are recorded in the found.pot file, as specified in the command. Look at its content:
Next, we'll use a dictionary attack to try to find the password. The dictionary that we'll use is the rockyou.txt file. The command is as follows:
john --wordlist=rockyou.txt file.hash -pot=found.pot
And let's look at what we've found.
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (logo.zip)
1g 0:00:00:00 DONE (2022-11-08 19:27) 100.0g/s 6400p/s 6400c/s 6400C/s 123456..charlie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
References/Additional information
This will save the password hashes in a file (allpasswords). Let's open the file and check its content (if you can't get the file, ).
The passwords on a Linux system are usually stored as hashes computed by an algorithm called . Therefore this information is important for the JtR tool.
Now we are going to use larger files to explore more of JtR's functionality. First we are going to download the RockYou password list (rockyou.txt). We can download this file from .
After this, we are going to download some files from the "" page.
We this page we can .
Another important thing to consider when using a dictionary attack is the word-mangling rules that JtR can apply to generate variations of the words in the dictionary. For more information about this, please check and , and then try to use them.
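To show what a mangling rule does to a dictionary word, here is an added Python example (not code from the page or from JtR) that interprets a handful of JtR rule commands (':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalize, 'r' reverse, 'd' duplicate, '$X' append, '^X' prepend) and expands a wordlist with them; the real rule language in john.conf is far larger, so this subset and the demo rules are assumptions of the example.

```python
def apply_rule(word, rule):
    """Apply one rule string to a word using a subset of JtR's rule commands
    (assumption: only the commands listed below are supported)."""
    out, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd == ":":          # no-op: keep the word as-is
            pass
        elif cmd == "l":        # lowercase
            out = out.lower()
        elif cmd == "u":        # uppercase
            out = out.upper()
        elif cmd == "c":        # capitalize: first char upper, rest lower
            out = out[:1].upper() + out[1:].lower()
        elif cmd == "r":        # reverse
            out = out[::-1]
        elif cmd == "d":        # duplicate the whole word
            out = out + out
        elif cmd in "$^":       # append ($X) or prepend (^X) one character
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd} needs a character")
            out = out + rule[i] if cmd == "$" else rule[i] + out
        else:
            raise ValueError(f"rule {rule!r}: unsupported command {cmd!r}")
        i += 1
    return out

def mangle(words, rules):
    """Expand a wordlist rule by rule (all words for the first rule, then the
    next rule), dropping candidates already produced."""
    seen, candidates = set(), []
    for rule in rules:
        for word in words:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                candidates.append(cand)
    return candidates

# Constructed demo rules: plain word, Capitalized, Capitalized + "1",
# UPPERCASE, reversed, and wrapped in "!" characters.
DEMO_RULES = [":", "c", "c$1", "u", "r", "^!$!"]
```

Running mangle(["password"], DEMO_RULES) shows how one dictionary entry turns into six candidates such as "Password1", which is why a wordlist run with rules catches passwords the bare list misses.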
First we need a password-protected zip file. You can either create your own file, or , which I've prepared previously (logo.zip).