John the Ripper explained: An essential password cracker for your hacker toolkit

One of the oldest password cracking and testing tools, John the Ripper is still an essential pen testing tool.

Binary code data flows through the cracked seal of a vault.
Phive2015 / Getty Images

John the Ripper definition 

First released in 1996, John the Ripper (JtR) is a password cracking tool originally produced for UNIX-based systems. It was designed to test password strength, brute-force encrypted (hashed) passwords, and crack passwords via dictionary attacks.

The tool comes in both GNU-licensed and proprietary (Pro) versions. An enhanced “jumbo” community release has also been made available on the open-source GitHub repo. The Pro version, designed for use by professional pen testers, has additional features such as bigger, multilingual wordlists, performance optimizations and 64-bit architecture support.

Some of the key features of the tool include offering multiple modes to speed up password cracking, automatically detecting the hashing algorithm used by the encrypted passwords, and the ease of running and configuring the tool making it a password cracking tool of choice for novices and professionals alike.

How does John the Ripper work?

Password crackers and cryptanalysis tools typically work in three different ways. The common objective in all these is ultimately to correctly guess (“crack”) a password:

  1. Dictionary attack: In this type of attack the tool tries passwords provided in a pre-fed list of large number of words, phrases and possible passwords derived from previously leaked data dumps or breaches. The tool enters every single password in the application from the list, in an attempt to find the correct one.

  2. Brute-force attack: In this type of attack, the tool asks the user to configure a few settings, for example, the minimum and maximum lengths the correct password may fall into and what types of characters it could possibly consist of (e.g., letters only, letters and numbers, or special characters) and at what positions (say, for every password it generates, first four would be alphabets followed by two digits and two special characters). It takes a bit of guesswork and expertise to find the ideal brute-forcing configuration. The tool then guesses every combination of password possible within this range and specified by the criteria.

    On a successful match, user is notified of the correct password. The process can be effective but excruciatingly slow. For example, a nine-character password comprising a mix of upper- and lowercase letters along with digits and special characters will take over nine years to be guessed by a computer, making it virtually uncrackable. This is why you hear security professionals suggest all the time to choose a long and complex password that consists of a combination of different character types.

  3. Rainbow tables: Because mission-critical and security-oriented applications seldom store passwords in plaintext and instead store their fixed-length hashes, rainbow tables can be efficient especially if a large list of hashed passwords is available (for example, from a leaked data dump). In this case, a pre-computed list of password hashes (derived from commonly set passwords) is compared against an existing data dump to find the correct password in its plaintext form. Using rainbow tables is faster than brute-forcing as the hashed data is precalculated.

    A rainbow table will be ineffective when password hashes are salted and salt values are too large, all of which increases the overall complexity. That is also why salting is used a security defense in addition to storing hashed user passwords in databases. Salting when done correctly ensures even if a password database is leaked, it would be virtually impossible for a hacker to reverse user passwords to their original plaintext form.

John the Ripper modes

JtR provides at least three modes along with an “external” mode, which is basically letting a user define a customized mode via a configuration file.

  1. Single crack mode: JtR creators recommend running this mode first as it’s considered the quickest. Single crack mode uses information from UNIX passwd files -- users' full names, usernames, etc. -- as present in GECOS fields within UNIX passwd/shadow files to “guess” passwords. This can be helpful in cases when a user has set a password for an account based on commonly available information or phrase in the username (e.g. admin:admin, michael:michael123).
  2. Wordlist mode: Akin to dictionary attack, this mode relies on the user providing a text file with a list of passwords, ideally one per line and no duplicates. JtR does not sort the passwords provided in the wordlist. However, this can be done trivially beforehand by the user, if needed. The command recommended by JtR guide to sort a wordlist is:

    tr A-Z a-z < SOURCE | sort -u > TARGET

    The application also comes with a set of default wordlist(s), with Pro version offering more.
  1. Incremental mode: JtR’s equivalent of brute-force is the most powerful cracking mode, but is so time consuming that for a password complex enough, it may never be able to complete in practical course of time and never terminate. The guide reads: “It is assumed that cracking with this mode will never terminate because of the number of combinations being too large (actually, it will terminate if you set a low password length limit or make it use a small charset), and you'll have to interrupt it earlier.”

John the Ripper usage examples

A detailed example use-case on John the Ripper’s website focuses on cracking a UNIX “shadow” file, which contains hashed passwords for user and system accounts. In newer UNIX-based distros, a list of users (usernames) along with other information is stored in the /etc/passwd file, whereas the password hashes corresponding to each user account are stored in a separate /etc/shadow file(s).

Because passwd/shadow files are regarded highly confidential for obvious reasons (and stored with restrictive file permissions, 644), the first step is combining these two files into a single file that JtR will work on. This can be done by running the following command:

umask 077
unshadow /etc/passwd /etc/shadow > mypasswd 

Running umask 077 beforehand ensures the newly created “mypasswd” file (or whatever you want to call it) is created with more relaxed permissions and can be used by JtR. Once the “mypasswd” file is created with suitable permissions, the simplest way is to let JtR execute on autopilot by running: john mypasswd

This will first run the “single crack” mode on your newly created mypasswd file, followed by the more extensive wordlist mode with default settings and lists, and if all that fails, JtR will resort to the powerful yet slow incremental mode.

Should you wish to terminate a session by killing the application (e.g., via the Ctrl+C interrupt signal) and resume it later, you can do so by running: john --restore.

A complete list of usage examples is available, whereas the manual pages for the application can easily be accessed by running: man john .

In a real-world scenario, before running any of the examples on practical data sets, it would be a good idea to set some of the options in the configuration files. For example, these options could be used to specify the text file you’d want JtR to use during the wordlist mode, or the range of password lengths (minimum and maximum) along with character sets the tool should be using when running under incremental mode.

Overall, JtR is one of the oldest yet most familiar tools that professional pen testers still use when cracking passwords or checking password strengths. Its wide popularity, choice of free and open-source versions, as well as community support make it easily adoptable as a part of a hacker’s toolkit.

Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies