JOHN

NAME

john − "John the Ripper" detects weak passwords like first names, common expressions etc. on your system.

SYNOPSYS

john [ OPTIONS ] <password_files>

You can list any number of password files on John’s command line, and also specify some of the following options:

        -single                         "single crack" mode
        -wordlist:FILE                  wordlist mode, read words from FILE,
                -stdin                          or from stdin
        -rules                          enable rules for wordlist mode
        -incremental[:MODE]             incremental mode [using section MODE]
        -external:MODE                  external mode or word filter
        -stdout[:LENGTH]                no cracking, write words to stdout
        -restore[:FILE]                 restore an interrupted session
        -session:FILE                   set session file name to FILE
        -status[:FILE]                  print status of a session [from FILE]
        -makechars:FILE                 make a charset, overwriting FILE
        -show                           show cracked passwords
        -test                           perform a benchmark
        -users:[-]LOGIN⎪UID[,..]        load this (these) user(s) only
        -groups:[-]GID[,..]             load this (these) group(s) only
        -shells:[-]SHELL[,..]           load this (these) shell(s) only
        -salts:[-]COUNT                 set a passwords per salt limit
        -format:NAME                    force ciphertext format NAME
        -savemem:LEVEL                  enable memory saving, at LEVEL 1..3

DESCRIPTION

John the Ripper is a password cracker, currently available for UNIX , DOS , WinNT/Win95. Its primary purpose is to detect weak UNIX passwords. It has been tested with Linux x86/Alpha/SPARC, FreeBSD x86, OpenBSD x86, Solaris 2.x SPARC and x86, Digital UNIX , AIX , HP−UX , and IRIX .

The DOS and Win32 ports are done with DJGPP and Cygnus Developer’s Kit, respectively.

EXAMPLES

To run John, you need to supply it with some password files and optionally specify a cracking mode, like this, using the default order of modes, and assuming that passwd is a copy of your password file:

        john /etc/shadow

or, to make it use a wordlist with rules only:

        john -wordlist:/var/lib/john/wordlists/all -rules /etc/shadow

Cracked passwords will be printed to the terminal and saved in file called ~/john.pot (in this text ’~’ means John’s "home directory", that is, the directory you installed John’s binary in). This file is also used not to load passwords that you already cracked, when you run John the next time. To retrieve the cracked passwords, run:

        john -show /etc/shadow

While cracking, you can press any key for status, or Ctrl+C to abort the session, saving point information to a file (~/restore by default). By the way, if you press Ctrl+C twice John will abort immediately without saving. The point information is also saved every 10 minutes (configurable in the configuration file, ~/john.ini) in case of a crash.

To continue an interrupted session, run:

        john -restore

Anyway, you probably should have a look at doc/OPTIONS for a list of all the command line options, and at doc/EXAMPLES for more John usage examples with other cracking modes.

Features and Performance

John the Ripper is designed to be both feature-rich and fast. It combines several cracking modes in one program, and is fully configurable for your particular needs (you can even define a custom cracking mode using the built-in compiler supporting a subset of C). Also, John is available for several different platforms, which enables you to use the same cracker everywhere (for example even continue a cracking session that you started on another platform).

Out of the box, John supports (and autodetects) the following Unix crypt(3) hash types: traditional and double-length DES−based, BSDI ’s extended DES−based, FreeBSD’s MD5−based (now also used on Linux and in Cisco IOS), and OpenBSD’s Blowfish−based (now also used on some Linux distributions). Also supported out of the box are Kerberos/AFS and Windows NT/2000/XP LM (DES-based) hashes.

With just one extra command (required to extract the passwords), John can crack AFS passwords and WinNT LM hashes.

Unlike other crackers, John doesn’t use a crypt(3)−style routine. Instead, it has its own highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used, such as bitslice DES, couldn’t have been implemented within the crypt(3) API; they require a more powerful interface such as the one used in John. Additionally, there’re assembly language routines for several processor architectures, most importantly for x86 with MMX.

AUTHOR

Solar Designer solar AT false DOT com

SEE ALSO

The rest of documentation is located in separate files, listed here in the recommended reading order:

        INSTALL         - you’ve probably read it already
        OPTIONS         - command line options, and additional utilities
        MODES           - cracking modes: what they are
        CONFIG   (*)    - how to customize
        RULES    (*)    - wordlist rules syntax
        EXTERNAL (*)    - defining an external mode
        EXAMPLES        - usage examples -- strongly recommended
        FAQ             - guess
        NEWS            - history of changes
        CREDITS         - credits, and how to contact me
        (*) most users can safely skip these

You can find these files at /usr/share/doc/packages/john/

Happy reading!