John
John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos/AFS and Windows LM hashes, as well as DES-based tripcodes, plus hundreds of additional hashes and ciphers in “-jumbo” versions.
Usage
Usage: john [OPTIONS] [PASSWORD-FILES]
| Option | Description |
|---|---|
--single[=SECTION[,..]] | ”single crack” mode, using default or named rules |
--single=:rule[,..] | Same, using “immediate” rule(s) |
--wordlist[=FILE] | Wordlist mode, read words from FILE |
--stdin | Wordlist mode, read words from stdin |
--pipe | Like --stdin, but bulk reads, and allows rules |
--loopback[=FILE] | Like --wordlist, but extract words from a .pot file |
--dupe-suppression | Suppress all dupes in wordlist (and force preload) |
--prince[=FILE] | PRINCE mode, read words from FILE |
--encoding=NAME | Input encoding (e.g., UTF-8, ISO-8859-1). See doc/ENCODINGS and --list=hidden-options |
--rules[=SECTION[,..]] | Enable word mangling rules (for wordlist or PRINCE modes), using default or named rules |
--rules=:rule[;..] | Same, using “immediate” rule(s) |
--rules-stack=SECTION[,..] | Stacked rules, applied after regular rules or to modes that otherwise don’t support rules |
--rules-stack=:rule[;..] | Same, using “immediate” rule(s) |
--incremental[=MODE] | ”Incremental” mode [using section MODE] |
--mask[=MASK] | Mask mode using MASK (or default from john.conf) |
--markov[=OPTIONS] | ”Markov” mode (see doc/MARKOV) |
--external=MODE | External mode or word filter |
--subsets[=CHARSET] | ”Subsets” mode (see doc/SUBSETS) |
--stdout[=LENGTH] | Just output candidate passwords [cut at LENGTH] |
--restore[=NAME] | Restore an interrupted session [called NAME] |
--session=NAME | Give a new session the NAME |
--status[=NAME] | Print status of a session [called NAME] |
--make-charset=FILE | Make a charset file. It will be overwritten |
--show[=left] | Show cracked passwords [if =left, then uncracked] |
--test[=TIME] | Run tests and benchmarks for TIME seconds each |
| `—users=[-]LOGIN | UID[,..]` |
--groups=[-]GID[,..] | Load users [not] of this (these) group(s) only |
--shells=[-]SHELL[,..] | Load users with[out] this (these) shell(s) only |
--salts=[-]COUNT[:MAX] | Load salts with[out] COUNT [to MAX] hashes |
--costs=[-]C[:M][,...] | Load salts with[out] cost value Cn [to Mn] |
--save-memory=LEVEL | Enable memory saving, at LEVEL 1..3 |
--node=MIN[-MAX]/TOTAL | This node’s number range out of TOTAL count |
--fork=N | Fork N processes |
--pot=NAME | Pot file to use |
--list=WHAT | List capabilities (see --list=help or doc/OPTIONS) |
--devices=N[,..] | Set OpenCL device(s) (see --list=opencl-devices) |
--format=NAME | Force hash of type NAME (see --list=formats and --list=subformats) |
Examples
To run John, you need to supply it with some password files and optionally specify a cracking mode, like this, using the default order of modes and assuming that “passwd” is a copy of your password file:
john passwdor, to restrict it to the wordlist mode only, but permitting the use of word mangling rules:
john --wordlist=password.lst --rules passwdCracked passwords will be printed to the terminal and saved in the file called $JOHN/john.pot (in the documentation and in the configuration file for John, $JOHN refers to John’s “home directory”; which directory it really is depends on how you installed John). The $JOHN/john.pot file is also used to not load password hashes that you already cracked when you run John the next time.
To retrieve the cracked passwords, run:
john --show passwdWhile cracking, you can press any key for status, or ‘q’ or Ctrl-C to abort the session saving its state to a file ($JOHN/john.rec by default). If you press Ctrl-C for a second time before John had a chance to complete handling of your first Ctrl-C, John will abort immediately without saving. By default, the state is also saved every 10 minutes to permit for recovery in case of a crash.
To continue an interrupted session, run:
john --restoreThese are just the most essential things you can do with John. For a complete list of command line options and for more complicated usage examples you should refer to the man pages.
Hash Extraction
There are various utilities for extracting a password hash for john to use from a file:
- 1password2john
- 7z2john
- DPAPImk2john
- adxcsouf2john
- aem2john
- aix2john
- andotp2john
- androidbackup2john
- androidfde2john
- ansible2john
- apex2john
- applenotes2john
- aruba2john
- axcrypt2john
- bestcrypt2john
- bitcoin2john
- bitlocker2john
- bitshares2john
- bitwarden2john
- bks2john
- blockchain2john
- ccache2john
- cisco2john
- cracf2john
- dashlane2john
- deepsound2john
- diskcryptor2john
- dmg2john
- eapmd5tojohn
- ecryptfs2john
- ejabberd2john
- electrum2john
- encfs2john
- enpass2john
- ethereum2john
- filezilla2john
- geli2john
- gpg2john
- hccap2john
- hccapx2john
- htdigest2john
- ibmiscanner2john
- ikescan2john
- ios7tojohn
- itunes_backup2john
- iwork2john
- kdcdump2john
- keepass2john
- keychain2john
- keyring2john
- keystore2john
- kirbi2john
- known_hosts2john
- krb2john
- kwallet2john
- lastpass2john
- ldif2john
- libreoffice2john
- lion2john
- lotus2john
- luks2john
- mac2john
- mcafee_epo2john
- monero2john
- money2john
- mozilla2john
- multibit2john
- neo2john
- network2john
- office2john
- openbsd_softraid2john
- openssl2john
- padlock2john
- pcap2john
- pdf2john
- pem2john
- pfx2john
- pgpdisk2john
- pgpsda2john
- pgpwde2john
- prosody2john
- ps_token2john
- pse2john
- putty2john
- pwsafe2john
- racf2john
- radius2john
- rar2john
- sap2john
- signal2john
- sipdump2john
- ssh2john
- sspr2john
- staroffice2john
- strip2john
- telegram2john
- tezos2john
- truecrypt2john
- uaf2john
- vdi2john
- vmx2john
- vncpcap2john
- wpapcap2john
- zip2john