Password cracker.
- See Hashcat for similar tool.
- http://www.openwall.com/john/
Installation
For Windows, download it from Openwall.
sudo apt install johnHelp
john --helpjohn [OPTIONS] [PASSWORD-FILES]Performance & GPUs
Benchmark
john --testjohn --test --format=<hash type>For GPU, use a hash type ending with opencl:
john --test --format=raw-MD5-openclUse CPU cores for cracking
💡 To significantly speed up the cracking speed, use the
–fork=NUMBER option, set the number of logical CPU cores (threads) on your computer as a number. For example, if there are 16 logical cores, then you need to use the –fork=16 option. You can also try if the number of physical cores is more efficient on your system.
john --format=<hash type> --fork=16 [...]Use GPUs for cracking
❗ Not all hash algorithms support GPU cracking (OpenCL).
List OpenCL devices
john --list=opencl-devicesWindows – no OpenCL devices detected
john --list=opencl-devices
Error: No OpenCL-capable platforms were detected by the installed OpenCL driver.
Error: No OpenCL-capable devices were detected by the installed OpenCL driver.Locate the vendor’s OpenCL dll file (example with NVIDIA):
C:\Windows\System32\DriverStore\FileRepository\nvmdi.inf_amd64_ad813833cb149cd8\nvopencl64.dllEdit the the .icd file and point it to the correct vendor DLL file:
...<john folder>\etc\OpenCL\vendors\nvidia.icdCompatible hash types
Use formats ending with “opencl”. These are available in the community-enhanced “jumbo” version of John the Ripper.
john --list=formats --format=openclsha1crypt-opencl, KeePass-opencl,
oldoffice-opencl, PBKDF2-HMAC-MD4-opencl, PBKDF2-HMAC-MD5-opencl,
PBKDF2-HMAC-SHA1-opencl, rar-opencl, RAR5-opencl, TrueCrypt-opencl,
lotus5-opencl, AndroidBackup-opencl, agilekeychain-opencl, ansible-opencl,
axcrypt-opencl, axcrypt2-opencl, bcrypt-opencl, BitLocker-opencl,
bitwarden-opencl, blockchain-opencl, cloudkeychain-opencl, md5crypt-opencl,
sha256crypt-opencl, sha512crypt-opencl, dashlane-opencl, descrypt-opencl,
diskcryptor-opencl, diskcryptor-aes-opencl, dmg-opencl,
electrum-modern-opencl, EncFS-opencl, enpass-opencl, ethereum-opencl,
ethereum-presale-opencl, FVDE-opencl, geli-opencl, gpg-opencl, iwork-opencl,
keychain-opencl, keyring-opencl, keystore-opencl, krb5pa-md5-opencl,
krb5pa-sha1-opencl, krb5asrep-aes-opencl, lp-opencl, lpcli-opencl, LM-opencl,
mscash-opencl, mscash2-opencl, mysql-sha1-opencl, notes-opencl, NT-opencl,
ntlmv2-opencl, o5logon-opencl, ODF-opencl, office-opencl,
OpenBSD-SoftRAID-opencl, PBKDF2-HMAC-SHA256-opencl,
PBKDF2-HMAC-SHA512-opencl, pem-opencl, pfx-opencl, pgpdisk-opencl,
pgpsda-opencl, pgpwde-opencl, PHPass-opencl, pwsafe-opencl, RAKP-opencl,
raw-MD4-opencl, raw-MD5-opencl, raw-SHA1-opencl, raw-SHA256-opencl,
raw-SHA512-free-opencl, raw-SHA512-opencl, salted-SHA1-opencl, sappse-opencl,
7z-opencl, SL3-opencl, solarwinds-opencl, ssh-opencl, sspr-opencl,
strip-opencl, telegram-opencl, tezos-opencl, vmx-opencl, wpapsk-opencl,
wpapsk-pmk-opencl, XSHA512-free-opencl, XSHA512-opencl, ZIP-openclExample with MD5
john --format=raw-MD5-opencl --mask='?a' --min-length=1 --max-length=8 hash.txtMonitor progress
Emit a status line every N seconds.
john --progress-every=60 [...]Hash
Hash types
See John The Ripper Hash Formats (PentestMonkey).
john --list=formats
Created directory: /root/.john
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS, tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256, aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5, AxCrypt, AzureAD, BestCrypt, bfegg, Bitcoin, BitLocker, bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain, chap, Clipperz, cloudkeychain, dynamic_n, cq, CRC32, sha1crypt, sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django, django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32, dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, eigrp, electrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256, Fortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa, hMailServer, hsrp, IKE, ipb2, itunes-backup, iwork, KeePass, keychain, keyring, keystore, known_hosts, krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs, krb5-17, krb5-18, krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS, MD2, mdc2, MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash, mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12, multibit, mysqlna, mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2, net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, o10glogon, o3logon, o5logon, ODF, Office, oldoffice, OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, osc, ospf, Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda, pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY, pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512, Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1, Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3, Raw-SHA384, ripemd-128, ripemd-160, rsvp, Siemens-S7, Salted-SHA1, SSHA512, sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP, skein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP, solarwinds, SSH, sspr, Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE, Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts, tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx, VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, wpapsk-pmk, xmpp-scram, xsha, xsha512, ZIP, ZipMonster, plaintext, has-160, HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, dummy, crypt
Wordlist
Crack hashes using a wordlist
WL=/usr/share/wordlists/rockyou.txt
# Crack Linux passwords
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
john --wordlist=$WL ~/passwords.txt
john --show ~/passwords.txtWord list generation
abc0 to abc9
john --mask=abc?d --stdoutMask attack
Mask: ?l (lowercase), ?u (uppercase), ?d (digits), ?s (specials), ?a (all), [aouei] (range)
8 chars: Upper + Lower*5 + Digit + Special, e.g. Abcdef1!
john --format=<hash type> --mask='?u?l?l?l?l?l?d?s' hash.txt8 chars: All characters (lower, upper, digit, special)
💡 For performance reasons, set the fork number (for using CPU) or use OpenCL hash format (for using GPUs).
john --format=<hash type> --mask='?a?a?a?a?a?a?a?a' --fork=16 hash.txtjohn --format=<hash type> --mask='?a' --length=8 --fork=16 hash.txt1 to 8 chars: All characters
john --format=<hash type> --mask='?a' --min-length=1 --max-length=8 hash.txtKerberoast Tickets
Obtain tickets using Mimikatz.
Convert tickets to John format
❗ There is an issue with kirbi2john already present in Kali, so download the latest version of Kerberoast and use that version.
cd /home/kali
git clone https://github.com/nidem/kerberoast.gitKIRBI=/home/kali/<filename>.kirbi
python3 /home/kali/kerberoast/kirbi2john.py $KIRBI > ${KIRBI}.johnCrack tickets
WL=/home/kali/wl.txt
john --wordlist=$WL ${KIRBI}.johnZIP files
ZIPFILE=file.zip
WL=/usr/share/wordlists/rockyou.txtzip2john $ZIPFILE > zip.txt
john --wordlist=${WL} zip.txtOracle
HASH=/root/hash.txt
WL=/usr/share/wordlists/rockyou.txt
# formats: oracle, oracle11, Oracle12C
john --format=oracle --wordlist=$WL $HASH
john --show $HASHUsage
SSH private keys
John the Ripper isn’t cracking the file itself (i.e. the number of bytes in the generated key doesn’t matter), JtR is just cracking the private key’s encrypted password.
❗ Bug: https://github.com/magnumripper/JohnTheRipper/issues/4069
# Create the public/private key pair with a predictable password:
ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa_jtr_test
Enter passphrase (empty for no passphrase): password
# Create encrypted zip
cd ~/.ssh
python /usr/share/john/ssh2john.py id_rsa_jtr_test > id_rsa_jtr_test.hash
# Dictionary attack
WL=/usr/share/wordlists/rockyou.txt
john --wordlist=$WL id_rsa_jtr_test.hash
john --show id_rsa_jtr_test.hashHash types that can be cracked
locate *2john*
/usr/sbin/bitlocker2john
/usr/sbin/dmg2john
/usr/sbin/gpg2john
/usr/sbin/hccap2john
/usr/sbin/keepass2john
/usr/sbin/putty2john
/usr/sbin/racf2john
/usr/sbin/rar2john
/usr/sbin/uaf2john
/usr/sbin/vncpcap2john
/usr/sbin/wpapcap2john
/usr/sbin/zip2john
/usr/share/doc/john/README.7z2john.md
/usr/share/doc/john/pcap2john.readme.gz
/usr/share/john/1password2john.py
/usr/share/john/7z2john.pl
/usr/share/john/DPAPImk2john.py
/usr/share/john/adxcsouf2john.py
/usr/share/john/aem2john.py
/usr/share/john/aix2john.pl
/usr/share/john/aix2john.py
/usr/share/john/andotp2john.py
/usr/share/john/androidbackup2john.py
/usr/share/john/androidfde2john.py
/usr/share/john/ansible2john.py
/usr/share/john/apex2john.py
/usr/share/john/applenotes2john.py
/usr/share/john/aruba2john.py
/usr/share/john/axcrypt2john.py
/usr/share/john/bestcrypt2john.py
/usr/share/john/bitcoin2john.py
/usr/share/john/bitshares2john.py
/usr/share/john/bitwarden2john.py
/usr/share/john/bks2john.py
/usr/share/john/blockchain2john.py
/usr/share/john/ccache2john.py
/usr/share/john/cisco2john.pl
/usr/share/john/cracf2john.py
/usr/share/john/dashlane2john.py
/usr/share/john/deepsound2john.py
/usr/share/john/diskcryptor2john.py
/usr/share/john/dmg2john.py
/usr/share/john/ecryptfs2john.py
/usr/share/john/ejabberd2john.py
/usr/share/john/electrum2john.py
/usr/share/john/encfs2john.py
/usr/share/john/enpass2john.py
/usr/share/john/ethereum2john.py
/usr/share/john/filezilla2john.py
/usr/share/john/geli2john.py
/usr/share/john/hccapx2john.py
/usr/share/john/htdigest2john.py
/usr/share/john/ibmiscanner2john.py
/usr/share/john/ikescan2john.py
/usr/share/john/itunes_backup2john.pl
/usr/share/john/iwork2john.py
/usr/share/john/kdcdump2john.py
/usr/share/john/keychain2john.py
/usr/share/john/keyring2john.py
/usr/share/john/keystore2john.py
/usr/share/john/kirbi2john.py
/usr/share/john/known_hosts2john.py
/usr/share/john/krb2john.py
/usr/share/john/kwallet2john.py
/usr/share/john/lastpass2john.py
/usr/share/john/ldif2john.pl
/usr/share/john/libreoffice2john.py
/usr/share/john/lion2john-alt.pl
/usr/share/john/lion2john.pl
/usr/share/john/lotus2john.py
/usr/share/john/luks2john.py
/usr/share/john/mac2john-alt.py
/usr/share/john/mac2john.py
/usr/share/john/mcafee_epo2john.py
/usr/share/john/monero2john.py
/usr/share/john/money2john.py
/usr/share/john/mozilla2john.py
/usr/share/john/multibit2john.py
/usr/share/john/neo2john.py
/usr/share/john/office2john.py
/usr/share/john/openbsd_softraid2john.py
/usr/share/john/openssl2john.py
/usr/share/john/padlock2john.py
/usr/share/john/pcap2john.py
/usr/share/john/pdf2john.pl
/usr/share/john/pem2john.py
/usr/share/john/pfx2john.py
/usr/share/john/pgpdisk2john.py
/usr/share/john/pgpsda2john.py
/usr/share/john/pgpwde2john.py
/usr/share/john/prosody2john.py
/usr/share/john/ps_token2john.py
/usr/share/john/pse2john.py
/usr/share/john/pwsafe2john.py
/usr/share/john/radius2john.pl
/usr/share/john/radius2john.py
/usr/share/john/sap2john.pl
/usr/share/john/signal2john.py
/usr/share/john/sipdump2john.py
/usr/share/john/ssh2john.py
/usr/share/john/sspr2john.py
/usr/share/john/staroffice2john.py
/usr/share/john/strip2john.py
/usr/share/john/telegram2john.py
/usr/share/john/tezos2john.py
/usr/share/john/truecrypt2john.py
/usr/share/john/vdi2john.pl
/usr/share/john/vmx2john.py