John the Ripper (JtR) is an open source password cracking tool originally developed for Unix systems in 1996. It has since expanded to become one of the most popular and widely used password testing and breaking programs across many platforms including Windows, Linux, macOS, and more.
John the Ripper can crack a wide range of password hash types quite efficiently and even brute force complex credentials when needed. It supports various password cracking modes, rules, parallelization, and workflows to uncover passwords.
This in-depth guide will cover installing, configuring, and utilizing John the Ripper to effectively crack passwords on a Linux system. Best practices are included from a professional penetration testing perspective.
Installing John the Ripper on Ubuntu/Debian Linux
John the Ripper can be easily installed on Debian-based Linux distributions like Ubuntu using apt:
sudo apt update
sudo apt install john Or via Snapcraft:
sudo apt install snapd
sudo snap install john-the-ripperOn RedHat based distros like CentOS, use yum:
sudo yum update
sudo yum install johnRPM packages are also available for direct download and installation on RPM-based systems.
It‘s also possible to compile John from source code across most *nix platforms if desired.
Once John the Ripper is installed, verify it is ready for use:
john --versionThis guide will assume the latest community-enhanced v1.9.0 Jumbo version installed via apt or snap on an Ubuntu 20.04 LTS system.
Running John – Passwords File Format
To initiate a password cracking session, John requires one or more password files to work on provided as arguments. The files should contain authentication credentials in one of the many hash formats John supports.
$ john [options] password-filesA common approach is specifying a text file with each line following the scheme:
username:hash
myuser:7c6a180b36896a0a8c02787eeafb0e4cWhere 7c6a.. represents a MD5 password hash. This cleartext file format allows easy password manipulation.
Alternatively, grab the raw hash files directly such as /etc/shadow for cracking.
The wiki covers [recommended practices](https://github.com/magnumripper/JohnTheRipper/wiki/Preparing– password.txt-files) for organizing your password files.
John Cracking Modes, Rules, and Configuration
Merely supplying hashes to crack isn‘t enough. Tuning how John approaches breaking credentials leads to optimized results. Let‘s explore some key concepts around John‘s workflows.
Built-in Cracking Modes
John attempts to crack passwords through different heuristics known as "modes":
- Single – Applies rules to quickly crack simple and weak passwords through mutations.
- Wordlist – Checks wordlist dictionary file per command against hashes for matches.
- Incremental – Complex brute force testing of all possible password permutations, keyspace ordering.
The default process cycles through these modes using efficient algorithms and priority ordering for speed.
You can tune the mode behavior via flags like --incremental=Digits for controlling keyspace traversal and character set mutation rules. This allows optimized attacks against certain complexities.
Appending Rules
Rules in John allow modifying words and mutating password guesses by:
- Reordering
- Substituting characters
- Adding prefixes/suffixes
- Utilizing contextual information
This expands the keyspace covered in dictionary and incremental attacks.
For example, empowering a wordlist mode attack:
$ john --rules --wordlist=dictionary.txt hash.txtHere are some examples of rule verbosity and effects:
| Rule | Original | Modified Guess |
|---|---|---|
| Append a 1 | password | password1 |
| Duplicate first 2 chars | elephant | elelephant |
| Swap last 2 letters | easy | eays |
Custom rule files and chaining expands mutation capabilities even further.
Leveraging Wordlists
For many hash types, targeted wordlist-based attacks prove very effective at uncovering credentials before resorting to slow brute forcing.
The wordlist file essentially contains a dictionary of possible password values to check against hashes. A good wordlist covers:
- Common passwords
- Dictionary words
- Contextual sequences (dates, names, patterns)
- Mutated/mangled values
Using a relevant, extensive wordlist customized to the hashes is key. For many web application penetrations, leveraging previous breach corpuses proves very useful.
Here‘s an example wordlist attack:
$ john --wordlist=linkedin_pwns.txt --rules admin_hashes.txtThis checks leaked passwords from LinkedIn against some admin account hashes with rule mutations applied.
Many useful wordlists are available across GitHub and torrent sites.
Benchmarking John the Ripper Cracking Speed
To measure performance of John‘s modes against your hashes, utilize built-in benchmarking options:
$ john --test
$ john --wordlist=dictionary.txt --rules --testThis runs the various modes and rules against some sample hashes and provides timing metrics per hash type.
As an example, here is a comparison of speeds across different platforms tested against NTLM hashes:
| System | # Cores | Speed (NTLM/s) | Type |
|---|---|---|---|
| Desktop i7-6700 | 4 | 34480 | CPU |
| Cloud EC2 C5d | 96 | 910000 | CPU |
| Desktop GTX 1080 | 2560 | 2367000 | GPU |
We can see GPU-backed cracking results in a huge performance jump – cracking over 2 million NTLM hashes per second.
Modern GPUs can unlock 50-100x faster speeds over multi-core CPUs. Tools like Hashcat also leverage GPUs.
Integrating John into Penetration Testing Frameworks
Often Johns‘ use extends beyond standalone password analysis to become integrated into wider methodologies and frameworks.
Popular options like Metasploit and Nmap contain modules that execute John on compromised hash dumps or against services. These integrate cracking into wider testing processes.
For example, Metasploit‘s post/windows/gather/hashdump dump module and Ncrack‘s SSH module allow piping credentials automatically into a John session.
Many testers utilize custom scripts to handle:
- Target credential extraction
- Automated John execution
- Cracked password injection
- Reporting
This streamlines utilizing John across entire infrastructures and workflows.
Configuring John for Optimal Performance
Getting peak utilization requires tuning the engine, hardware resources, charset rules, and parameters correctly.
Leveraging Multiple Cores
Adding processing cores significantly reduces cracking time by splitting workload across CPUs.
Enable multi-process parsing in John config file:
# ~/.john/john.conf
MP = 4
# My Desktop has 4 coresOr via CLI arguments:
$ john --fork=4 hash.txtBenchmark various values, around 3-4x cores seems optimal.Beyond 8-10 cores, improvements diminish.
Utilizing Powerful Hardware
As hardware metrics showed, modern GPUs provide extreme hashing throughput over CPUs alone.
Consider picking a password cracking rig with:
- High core count latest gen CPU
- Dedicated discrete graphics card(s) – NVIDIA RTX 3090 ideal
- Maximum RAM to hold wordlists
- Fast NVME storage
Cloud GPU instances also work very well if tuning on-prem hardware isn‘t viable.
Targeting Character Classes
When using incremental mode, try focusing mutations only on key complexity requirements known.
For example, if we know a web app requires:
- 8+ characters
- 1 uppercase
- 1 symbol
Tuning john with:
$ john --incremental=UppercaseDigitsSymbols8 hash.txtGreatly reduces keyspace from trillions down to billions of permutations. Making brute force feats reasonable on consumer hardware.
Tuning Wildcard Handling
When wordlists include wildcard ? or * characters, ensure configuration won‘t skip or fail on these values.
Update /etc/john/john.conf by changing:
Validate = NormalTo
Validate = LooseThis relaxes parsing to correctly handle wildcard dictionary entries.
There are many more tweaks and tunings possible – explore documentation for your use case.
Cracking Session Management with John
A key capability is pausing and resuming long running cracking efforts across sessions.
This allows cherry-picking low hanging fruit quickly first, then resuming over time without losing progress.
Checkpointing
Start a named session which creates periodic rollback checkpoints as it runs:
$ john --session=web_app_passwords --status=60 hash.txtThis will create regular validation checkpoints of session progress named web_app_passwords.
You can abort this safely anytime (Ctrl-C) and resume later seamlessly.
Session Restoration
To resume the session example from above:
$ john --restore=web_app_passwordsWithout named sessions, progress is still stored locally but lacks easy visibility.
Reviewing session status lets you identify promising hashes cracked so far and where to focus next.
Retrieving Cracked Passwords
As John successfully cracks hashes, the credentials get printed real-time to the terminal.
However, manually keeping track of sessions across attempts is tedious. Instead, leverage the cracked password pot file.
Once hash credentials get cracked successfully, John stores them in cleartext within the pot file located at:
~/.john/john.pot This persistent cracked credential store allows easy retrieval later – even across sessions.
Running john --show displays the latest contents decrypted from the pot file.
You can also directly access anytime as a plaintext file, useful for scripting.
Comparing John the Ripper to Hashcat
Hashcat is another very popular GPU-accelerated password cracking tool alternative to consider.
Compared to John, Hashcat boasts better GPU utilization and benchmark-topping speeds. Support for more complex password algorithms like WPA Handshakes or VeraCrypt AES also give it an edge.
However, John proves more approachable for beginners while still highly configurable for power users. The Jumbo community enhancements provide added capabilities as well.
Overall both are very useful and well supported free password testing tools. Hashcat gets a slight edge for bleeding edge speed and exotic hash types. But John provides a smoother overall experience.
Many pen testers and sysadmins rely on both within their arsenal and workflows!
| John | Hashcat | |
|---|---|---|
| Speed (H/s) | 400k (CPU) | 5500 M (GPU) |
| Rule Support | Yes | Yes |
| Checkpoints | Yes | No |
| Hash Types | 200+ | 300+ |
| Linux Support | Excellent | Good |
As shown above, Hashcat leverages the GPU to achieve 10-100x higher speeds in many cases. But John contains useful features like session resume missing in Hashcat. So they both have pros and cons.
Legal Considerations Around Password Cracking
While handy for authorized penetration testing or personal security research – password cracking attempts can violate rights or laws in some contexts.
Always ensure you have explicit permission legally to conduct credential testing. Otherwise, restrict activities only to your owned accounts or approved contexts.
Most countries treat unauthorized access or traffic interception crimes very seriously – even just failed login attempts. So tread carefully and do your diligence here.
Some key things to consider:
- Obtain written legal consent to crack passwords related to any non-owned system.
- Carefully firewalled test/research labs away from production infrastructure.
- Isolate storage and analysis to avoid incidental sensitive data exposure.
- Have automated enforcement of guess limits per account or lockouts.
- Never attempt cracking on systems where unauthorized access constitutes a legal breach.
These tips help ensure testing stays ethical, controlled, and compliant.
Many cybersecurity professionals maintain segmented password testing environments with controlled data flows and governance to assist here.
Closing Thoughts on John the Ripper Usage
John the Ripper provides extremely capable free password cracking capabilities for hackers and testers alike. Configuring and tuning sessions appropriately is required to maximizing effectiveness.
When workflows integrate things like hash dumping, rules tuning, rainbow tables, and complex brute forcing – success rates jump tremendously. Testing and experimentation uncovers which approaches work against your targets.
Hopefully this guide gave you fundamentally strong knowledge to install, configure, and utilize John across Linux environments. Please check the active community forums for the latest updates or features.
Now go forth and hack (legally)!
