John
John (aka John the Ripper) is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS
Link: https://github.com/magnumripper/JohnTheRipper
Simple usage
JTR password cracking
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
JTR forced descrypt cracking with wordlist
john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt
JTR forced descrypt brute force cracking
john --format=descrypt hash --show
Display formats:
john --list=formats
Type and mask:
iron@kali2:/tmp$ sudo john lm.txt --mask=?l?l?l?l --format=lm
mask
Create a mask:
example:
root@attackdefense:~# john pdfhash --mask=?d?d?d?d?d?d?d?d?l
?d = digit
?l = lower-case ASCII letters
?u = upper-case ASCII letters example with numbers in the middle:
root@attackdefense:~# john pdfhash --mask=?d?d?d?d19?d?d?u
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
01021980D (/root/encrypted.pdf)
1g 0:00:00:05 DONE (2019-10-31 10:10) 0.1721g/s 530466p/s 530466c/s 530466C/s 01021980D
Use the "--show" option to display all of the cracked passwords reliably
Session completed A mask may consist of:
- Static letters.
- Ranges in [aouei] or [a-z] syntax. Or both, [0-9abcdef] is the same as
[0-9a-f].
- Placeholders that are just a short form for ranges, like ?l which is
100% equivalent to [a-z].
- ?l lower-case ASCII letters
- ?u upper-case ASCII letters
- ?d digits
- ?s specials (all printable ASCII characters not in ?l, ?u or ?d)
- ?a full 'printable' ASCII. Note that for formats that don't recognize case
(eg. LM), this only includes lower-case characters which is a tremendous
reduction of keyspace for the win.
- ?B all 8-bit (0x80-0xff)
- ?b all (0x01-0xff) (the NULL character is currently not supported by core).
- ?h lower-case HEX digits (0-9, a-f)
- ?H upper-case HEX digits (0-9, A-F)
- ?L lower-case non-ASCII letters
- ?U upper-case non-ASCII letters
- ?D non-ASCII "digits"
- ?S non-ASCII "specials"
- ?A all valid characters in the current code page (including ASCII). Note
that for formats that don't recognize case (eg. LM), this only includes
lower-case characters which is a tremendous reduction of keyspace.
- Placeholders that are custom defined, so we can e.g. define ?1 to mean [?u?l]
?1 .. ?9 user-defined place-holder 1 .. 9
Placeholders for Hybrid Mask mode:
?w is a placeholder for the original word produced by the parent mode in
Hybrid Mask mode.
?W is just like ?w except the original word is case toggled (so PassWord
becomes pASSwORD). Windows
C:\Users\David\Documents\Tools\john-1.9.0-jumbo-1-win64\run>john.exe ..\test.txt --format=raw-MD5
Formats
Common formats:
Type
John Format
Hash Example
MD5
raw-md5
fc16ea469c37da07bac3ddbbdbfb3945
LM
lm
299BD128C1101FD6
NTLM
nt
B4B9B02E6F09A9BD760F388B67351E2B
NTLMv1
netntlm
netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
NTLMv2
netntlmv2
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
Cisco Type 5
Md5crpy
enable_secret_level_2:$1$WhZT$YYEI3f0wwWJGAXtAayK/Q.
All Formats:
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,
AxCrypt, AzureAD, BestCrypt, bfegg, Bitcoin, BitLocker, bitshares, Bitwarden,
BKS, Blackberry-ES10, WoWSRP, Blockchain, chap, Clipperz, cloudkeychain,
dynamic_n, cq, CRC32, sha1crypt, sha256crypt, sha512crypt, Citrix_NS10,
dahua, dashlane, diskcryptor, Django, django-scrypt, dmd5, dmg, dominosec,
dominosec8, DPAPImk, dragonfly3-32, dragonfly3-64, dragonfly4-32,
dragonfly4-64, Drupal7, eCryptfs, eigrp, electrum, EncFS, enpass, EPI,
EPiServer, ethereum, fde, Fortigate256, Fortigate, FormSpring, FVDE, geli,
gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa, hMailServer, hsrp, IKE, ipb2,
itunes-backup, iwork, KeePass, keychain, keyring, keystore, known_hosts,
krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs, krb5-17, krb5-18, krb5-3,
kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS, MD2, mdc2, MediaWiki,
monero, money, MongoDB, scram, Mozilla, mscash, mscash2, MSCHAPv2,
mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12, multibit, mysqlna,
mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2, net-md5, netntlmv2,
netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon,
o3logon, o5logon, ODF, Office, oldoffice, OpenBSD-SoftRAID, openssl-enc,
oracle, oracle11, Oracle12C, osc, ospf, Padlock, Palshop, Panama,
PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256,
PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda, pgpwde, phpass, PHPS,
PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY, pwsafe, qnx, RACF,
RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512, Raw-Blake2,
Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,
Raw-SHA384, ripemd-128, ripemd-160, rsvp, Siemens-S7, Salted-SHA1, SSHA512,
sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP, skein-256, skein-512,
skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP, solarwinds, SSH, sspr,
Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE, Sybase-PROP, tacacs-plus,
tcp-md5, telegram, tezos, Tiger, tc_aes_xts, tc_ripemd160, tc_ripemd160boot,
tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx, VNC, vtp, wbb3, whirlpool,
whirlpool0, whirlpool1, wpapsk, wpapsk-pmk, xmpp-scram, xsha, xsha512, ZIP,
ZipMonster, plaintext, has-160, HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, dummy, crypt Cracking examples
Cracking /etc/shadow
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
john /tmp/crack.password.db
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cracking pdf protected password
pdf2john encrypted.pdf >> hash
john hash --mask=?d?d?d?d?d?d?d?d?l
pdftotext -upw PASSWORD encrypted.pdf Cracking ssh key
root@attackdefense:~# ssh2john id_rsa >> hash
root@attackdefense:~# cat hash
id_rsa:$ssh2$2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a50726f632d547970653a20342c454e435259505445440a44454b2d496e666f3a204145532d3132382d4342432c33333746334342463743413243453338413837383243464632453735423446440a0a4843694443447343745856372b2b49683178544971376b73467a375549517858796f45754f6d395a43516d416541736a7961535973634e42654b536974526d490a41423947586a7a7a796f336249584f47706e2f46695535312b784b4c45575678484261797856424e502f4d2b7237306b374869594766556571573064324c2b630a3749705633505865656e2b77455831314963316859683265696179716b6b384572626c6579616e386f63714d345331486d456642744d39356b395135714535310a5a6233686e585853304a44586774467134545147395538336b764b59596a5849546f4849474f34746e4f30754a4f57653670634b334e62517a47316a696c55350a774d5279545a796b2b36696a524f516565685a374b6c68644a373339446e494a5169675a3669706837585a666f65467a6e6533626975434f79514d76677349790a476b7750514a6b65454b2b6a424f6573536b592b6850546242576a3738316b553576436b5477666b64546b3979726d526a615433586375346532636d51456a430a6d6679375154773152475666595769505933304b64695841366e3652594550355149566544352b54363356473636357030734a45717952366479616f35436d480a78552f65586c47326f7a3135616c69647a373268776a4a454d706a4a374369727075667135355466527231465570365a535a325573754b7355503958707a4c670a62547a3846796c50434c62426942795665696d434d4a75456b6d6a2b4731615242414a2b444f626c54544d393150594f5245582b2b6744466c6b504230564e750a6d77412b32635a466b675537524a6b683653354e773141793957774b48454a2f6c754f4942555a4d4b586439316d56514c6853794755385146316f663861794b0a36696a6871315a6253353067427036556f2b746d3075515776444a596d417a764b4b717571414f533633693378666a684171626e626b4259527462316b73597a0a745a6d356f744a4f5668386d4335664663636f4c69743049645948773868563847696454754844546c69344c6164504a4c3166494a3777555552467a434667710a74357743486467664a447832794d785131754c4e65515364614742573758656a6355446f303669314a6a2f39586c734b537556574766524c6e6155636b41364b0a666a4b6f6f3877394c6842474f464653737257735533453543482b613674724655356761594d384a4f366132576b6c714155394f6f436548324f506854656d6f0a797a704e4344323744384543786e3474335049726a4c697a4b717245536e77595077323731725a47752f2b634c38554a4c6d46316234782b6f4e2b67616741350a694769544a54586470302f706d372f4a59376977344f71592f5675793248317559554d5357444367586f45766479326a64503653696f564d485654484f6c72370a6369643762322b546877697578326e304f393855684d563832434e5639527438364b6774774f322f4c37694c54417459487a4a75442f4a48474634543630446e0a766977755068627339774d2b326f2f6b6f6631503932716d376c614e355634426f78706c7174303273776c4d43346279683778657475346b633952686b4733510a366970726f6c6e465a4c712b4867546a47626a6751624c514734784372616470626870774f43427876547667434a5075592f487578393874725244535845744c0a586f76486b4a48482f452f762b495768734c7637784a724c396d575068646a507157654d4c3536634e537a34394e7653624e593647656c4b786d3566517772380a75334c4e6e7236363030763069774a7461323467506e766e71572b6c517176777a36396f45502b65653252756734717369433433784d304233316f584d5363510a4539684c345a5a5a6e4d666642377a2f704239644d2f4b5755325477746c736762576d6d6f4a34674e50544c455372344959707141546a3451634c72616b6d610a765048684e6b504a4d77544a78487431623159384b42652b486c796273364e325430695171636f714443373070635a754c4b447037532f6c325553536776522f0a4a7a474355704532584d6b4a336a2f4371724f483143785477594b525a4445432b2b70564576582f65563765707647566e74614d48697032776f52536378654d0a2f597267515830536a4f573261774667575347564537764e383167544a567462756841736b754e657a5355734a4d71745848456473435677654256766d61546b0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a*1766*0 MD5 wordlist
root@attackdefense:~# for x in $(cat wordlists/100-common-passwords.txt); do echo -n $x | md5sum >> wordlist.txt; done
root@attackdefense:~# cat wordlist.txt | cut -d' ' -f1 >> new
root@attackdefense:~# john hash --wordlist=new John cheat sheet
https://countuponsecurity.files.wordpress.com/2016/09/jtr-cheat-sheet.pdf
Last updated
Was this helpful?