John the ripper zip windows

Perhaps you need a quick overview on how to use the password-cracking tool John the Ripper, or you may be a beginner and wondering why you haven’t been able to get it to work. If that’s you, you’ve come to the right place. We’ve prepared a straightforward tutorial on how to use John the Ripper for you.

A must-have in the pentester’s toolkit, John the Ripper cracks passwords using a rainbow table approach: comparing them with an inbuilt table of hashes. We’ll review John the Ripper’s three major password-cracking modes and several usage examples, with short exercises for those new to this ruthless tool.

But be warned: We don’t condone using John the Ripper for malicious purposes. With great power comes great responsibility.

Without further ado, let’s get cracking.

What Is John the Ripper?

Jack the Ripper was a murderer in 1888 in London, England. Just as people exposed to Jack the Ripper died, passwords exposed to John the Ripper are no longer secret.

You can deploy John the Ripper inside Kali Linux with the following terminal command instantly:

john

Hence, for simplicity, we’ll call John the Ripper “John” from this point onward. John’s various options help you customize your experience uncovering passwords:

john -h

Modes for Cracking Passwords

John the Ripper offers three main password-cracking modes: Single, Wordlist, and Incremental.

Single Crack Mode

Our example here is a username-password pair based on the 1986 Tom Cruise movie, which released its sequel in 2022.

In Single Crack Mode, John takes a string and generates variations of that string to generate a set of passwords. For example, you can use this Mode to generate password variations of the username “topgun” with the corresponding password “Topgun” (or TopGun, ToPgUn, tOpGuN, and so on).

Use the --format flag to specify the hash type and the --single (-si) flag to let John know we want to use the Single Crack Mode.

Afterward, we’ll crack more complex passwords with John’s Wordlist Mode.

Картинка с сайта: www.stationx.net

Try this exercise

1. Designate a short string (topgun) as a username and variations on its capitalization as the password (such as Topgun).
2. Show the output of the SHA-256-hashed password: echo -n 'Topgun' | sha256sum
3. Create a new text file (simple.txt) to store the username and the password hash value from prior steps: echo -n 'topgun:4558ce5abe3b1e70bbadc3b95f2ff84f54d0a5c30fb524ceebfd401f8233fda7' > simple.txt
4. Run simple.txt through John the Ripper’s Single Crack Mode (change the --format argument as you see fit): john --single --format=raw-sha256 simple.txt
5. Get results.

Картинка с сайта: www.stationx.net

A self-contained tutorial on generating a password for Single Crack Mode

Oops: If you hash your desired password with the following wrong command instead, you’ll hash an unintended line break at the end:

echo Topgun | sha256sum # wrong command

Wordlist Mode

In Wordlist Mode, we’ll provide John with a list of passwords. John will generate hashes for them in real-time and compare them with our password hash. In this example, we will use the well-known RockYou wordlist, which you can preview at

cat /usr/share/wordlists/rockyou.txt | less

Feel free to copy it to your current working directory to simplify the commands using the --wordlist (-w) flag:

cp /usr/share/wordlists/rockyou.txt rockyou

Now let’s pass text files containing password hashes through John:

Картинка с сайта: www.stationx.net

Try this exercise

1. Pipe a hash based on one or more dictionary words (optionally with numbers) to SHA-256: echo -n 'password1234' | sha256sum
2. Write your username, a colon (:), and the hash as a single long string into a new text file (crack.txt): echo user01:b9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3>>crack.txt
3. Repeat Steps 1 and 2 to generate as many username-password pairs as desired and append them to crack.txt.
4. Run crack.txt through John the Ripper’s Wordlist Mode: john --wordlist=rockyou --format=raw-sha256 crack.txt
5. Get results.

Картинка с сайта: www.stationx.net

Left: John the Ripper Wordlist Mode in action

Right: Generating hashes for three simple passwords

John finds these three passwords rapidly. The weaker the password is, the faster John cracks them.

Let’s move on to John’s final Incremental Mode.

Incremental Mode

In Incremental Mode, John tries all possible character combinations as passwords. This process can be time-consuming if the password is too long or if alphanumeric characters and symbols comprise the password.

You won’t use this Mode unless you don’t have any other options. Typically, a combination of social engineering attacks and Wordlist Mode will help you uncover most passwords.

The syntax for Incremental Mode is:

Let’s break down each flag:

Картинка с сайта: www.stationx.net

Try this exercise

1. Pipe a hash on a simple alphanumeric password to SHA-256: echo -n 'passw0rd' | sha256sum
2. Write your username, a colon (:), and the hash as a single long string into a new text file (inc.txt): echo user02:8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9>>inc.txt
3. Run inc.txt through John the Ripper’s Wordlist Mode: john --incremental --format=raw-sha256 inc.txt
4. Get results.

Картинка с сайта: www.stationx.net

Generated password hashes

Картинка с сайта: www.stationx.net

Cracking password hashes in Incremental Mode

Now that we know how to use John the Ripper, we shall move on to specific use cases.

Cracking Passwords With John the Ripper

Now that we know the different modes, let’s examine some real-world examples of when and how to crack passwords with John.

Choosing a Wordlist

John’s default Wordlist is a file located in /usr/share/john/password.lst in Kali Linux, but its power is finite compared with custom wordlists such as those found by John’s developer OpenWall https://www.openwall.com/wordlists/. 

Apart from RockYou, the Wordlists all.lst (downloadable as all.gz) and huge.lst are good candidates for the --wordlist flag.

Edit the Wordlist by amending the following line in /usr/share/john/john.conf:

Wordlist = $JOHN/password.lst

To make John work more efficiently, remove duplicate entries from and sort the contents of your chosen Wordlist file.

Cracking ZIP files

John has a utility called zip2john. zip2john helps us to get the hash from zip files. Other “2john” utilities exist, such as the rar2john utility for cracking a RAR file.

To crack a password-protected ZIP file, we first get the hash of the ZIP file’s password:

zip2john file.zip > zip.hashes

This command gets the hash from the ZIP file and stores it in the zip.hashes file.

Now you can crack the hash with John:

Картинка с сайта: www.stationx.net

Try this exercise

1. Create a password-protected ZIP archive (classified.zip) on Kali Linux: right click on a file/folder, select “Create Archive…”, choose “ZIP” as the compression method, expand “Other options” to give it a weak password, and click “Create.”
2. Export the ZIP hash to zip.hashes: zip2john classified.zip > zip.hashes
3. Run zip.hashes through John the Ripper: john zip.hashes
4. Get results.

Step 1: Create a password-protected ZIP archive on Kali Linux

Картинка с сайта: www.stationx.net

Steps 2 to 4: zip2john followed by John the Ripper usage

Картинка с сайта: www.stationx.net

Cracking SSH Keys

The ssh2john utility creates a hash from your private key file. If your private key file path is /home/kali/.ssh/id_rsa, and you want to store the hash as myHash.txt, the syntax is:

ssh2john /home/kali/.ssh/id_rsa > myHash.txt

Картинка с сайта: www.stationx.net

Картинка с сайта: www.stationx.net

Try this exercise

1. Use the following command to generate an RSA key pair with a passphrase: ssh-keygen
2. Export the hashed private key file to a new file (myHash.txt): ssh2john /home/kali/.ssh/id_rsa > myHash.txt
3. Run myHash.txt through John the Ripper: john --wordlist=rockyou myHash.txt
4. Get results

Step 1: Demo of ssh-keygen

Картинка с сайта: www.stationx.net

Cracking Linux Passwords

Linux stores password data in two files:

• /etc/passwd stores information such as username, user id, and login shell;
• /etc/shadow is the password file containing data such as hash and expiry date.

A utility bundled with John the Ripper called unshadow can combine both files for cracking. Here, we’ll name the combined file lin.txt:

unshadow /etc/passwd /etc/shadow > lin.txt

Картинка с сайта: www.stationx.net

Cracking Linux hashes is tricky; Kali Linux’s John the Ripper doesn’t readily detect the hash type of Linux (crypt), where the --wordlist flag is optional. If you omit the --format flag below, John won’t crack anything at all:

Once John has uncovered the passwords, you may view them using the command below:

john --show --format=crypt lin.txt

Картинка с сайта: www.stationx.net

Try this exercise

1. Create a new user on Kali Linux: sudo useradd user1
2. Give the new user a weak password: sudo passwd user1
3. Repeat steps 1 and 2 as desired to create two more new user accounts user2 and user3 with weak passwords.
4. Unshadow the Linux password hashes for all users: unshadow /etc/passwd /etc/shadow > lin.txt
5. Export only the usernames and passwords of the three new users to a new file (lin3.txt): tail -n -3 lin.txt > lin3.txt
6. Run it through John the Ripper: john --format=crypt --wordlist=rockyou lin3.txt
7. Get results.

Картинка с сайта: www.stationx.net

Cracking Windows Passwords

Windows stores hashed passwords in the SAM database. SAM uses the LM/NTLM hash format for passwords. As getting passwords from the SAM database is beyond the scope of this article, we suggest generating your own LM/NTLM hashes to test out this functionality and echo them to a text file, say win.txt, as shown in the demonstration:

The syntax for cracking this file containing the LM/NTLM hashes is the following, where the --wordlist flag is optional:

john --format=LM [--wordlist=rockyou] win.txt

Once John has uncovered the passwords, you may view them using the command below:

john --show --format=LM win.txt

Картинка с сайта: www.stationx.net

Try this exercise

1. Designate a short string (topgun) as a username and variations on its capitalization as the password (such as Topgun).
2. Pass the password from step 1 into an LM/NTLM hash function, such as via a website as shown below.
3. Create a new text file (ntlm.txt) to store the username and the password hash value from prior steps: echo -n 'topgun::0BA224CF1C751F31AAD3B435B51404EE:D66B0428599B168372A76C8AB73A76A2:::' > ntlm.txt
4. Run ntlm.txt through John the Ripper’s Single Crack Mode (change the --format argument as you see fit): john --format=LM --single ntlm.txt
5. Get results. The capitalization of the cracked password may differ from what you’ve intended.

Step 2:

Картинка с сайта: www.stationx.net

Step 3 and 4:

Картинка с сайта: www.stationx.net

Choosing Specific Hashes to Crack

If you want to override John’s behavior of discovering the hash independently, you may tell John which hash type you’re looking for using the --format=HASH_TYPE flag. Choices for HASH_TYPE include Raw-MD (MD5), Raw-SHA1 (SHA-1), Raw-SHA256 (SHA-256), SSH, RADIUS, TACACS-Plus (TACACS+), ZIP, and RAR.

You can find all hash formats John supports using the following commands:

Other Useful Commands

Here is a brief cheat sheet of John the Ripper commands:

Find the complete official documentation for John the Ripper here.

Conclusion

We hope learning how to use John the Ripper helps you, whether you’re exploring cyber security or aiming to become a professional hacker or penetration tester. For more resources, read our blog posts on hacking, join the StationX Master’s Program, and check out our courses below:

Frequently Asked Questions

Была ли эта статья полезной?

John the Ripper is free and Open Source software,
distributed primarily in source code form.
If you would rather use a commercial product tailored for your specific
operating system, please consider
John the Ripper Pro,
which is distributed primarily in the form of «native» packages
for the target operating systems and in general is meant to be easier to
install and use while delivering optimal performance.

This version integrates lots of contributed patches adding
GPU support (OpenCL and CUDA),
support for a hundred of additional hash and cipher types
(including popular ones such as NTLM, raw MD5, etc., and even things such as
encrypted OpenSSH private keys, ZIP and RAR archives, PDF files, etc.),
as well as some optimizations and features.
Unfortunately, its overall quality is lower than the official version’s.
Requires OpenSSL.
There are
unofficial binary builds
(by John the Ripper user community members) for
Windows,
Linux,
Solaris, and
Mac OS X.

To verify authenticity and integrity of your John the Ripper downloads, please
use our
PGP public key.

You will most likely need to download a «Windows binaries» archive above.
However, if you choose to download the source code instead
(for a specific good reason), then please refer to these pages on
how to extract John the Ripper source code from the tar.gz and tar.xz archives and
how to build (compile) it.

You may also consider the
unofficial builds
on the contributed resources list further down this page.

These and older versions of John the Ripper,
patches, unofficial builds, and many other related files
are also

available from the Openwall file archive.

You may browse the documentation for John the Ripper online,
including a
summary of changes between versions.
Also relevant is our

presentation on the history of password security.

There’s a
wiki section with John the Ripper user community resources.
The more experienced users and software developers may

browse the source code for John the Ripper online,
along with revision history information for each source file.

There’s a
collection of wordlists
for use with John the Ripper.
It includes lists of common passwords,
wordlists for 20+ human languages,
and files with the common passwords and
unique words for all the languages combined,
also with mangling rules applied and any duplicates purged.

Additionally, you may download an ISO image of
Openwall GNU/*/Linux,
which includes a pre-built copy of John the Ripper 1.8.0 ready for use
without requiring another OS and without having to install on a hard disk
(although that is supported).

An implementation of one of the modern password hashes found in
John is also available separately
for use in your software or on your servers.

There’s a
proactive password strength checking module
for PAM-aware password changing programs, which can be used to prevent
your users from choosing passwords that would be easily cracked with
programs like John.

We may help you integrate modern password hashing with
crypt_blowfish
and/or proactive password strength checking with
passwdqc
into your OS installs, please check out our services.

There’s a mailing list where you can share your experience with John the Ripper
and ask questions.

Please be sure to specify an informative message subject whenever
you post to the list
(that is, something better than «question» or «problem»).
To subscribe, enter your e-mail address below or send an empty message to
<john-users-subscribe at lists.openwall.com>.
You will be required to confirm your subscription by «replying»
to the automated confirmation request that will be sent to you.
You will be able to
unsubscribe
at any time and we will not use your e-mail
address for any other purpose or share it with a third party.
However, if you post to the list, other subscribers and those
viewing the archives may see your address(es) as specified on your message.

The list archive is available
locally and via
MARC.
Additionally, there’s a

list of selected most useful and currently relevant postings on the
community wiki.

A separate mailing list exists for John the Ripper development discussions
(that is, if you want to discuss and contribute to the source code).
Its archive is available
locally.

To subscribe, enter your e-mail address below or send an empty message to
<john-dev-subscribe at lists.openwall.com>.

Local copies of these and many other related packages are also

available from the Openwall file archive.

John the Ripper is part of
Owl,
Debian GNU/Linux, Fedora Linux, Gentoo Linux, Mandriva Linux, SUSE Linux,
and a number of other Linux distributions.
It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

John the Ripper is a registered project with
Open Hub
and it is listed at
SecTools.