# John the Ripper

```bash
john --format=$HASH_FORMAT \
     --wordlist=$WORDLIST $PASSWORD_HASH_FILE
```

Using the `--format` option is recommended: many different hash formats have the same basic appearance (a bare 32-hex-character string could be raw MD5, NTLM or LM, for example), which makes John's attempt to guess the hash format without this information somewhat unreliable. John can only crack one type of hash at a time, with no mixing-and-matching of hash formats within a single run. Use `--list=formats` to see the available formats.

John the Ripper can accept the output of `hashdump` from Metasploit (use `--format=NT`).

> [!important]
> John the Ripper records cracked hash:password pairs in `~/.john/john.pot`, and then references this file to avoid re-cracking known hashes. It *doesn't* output these passwords again (instead simply declaring "No password hashes left to crack"), so if you get no output, run `john --show $PASSWORD_HASH_FILE` to print the already-cracked entries, or just [[grep]] for your hash in `john.pot`.

## Single crack mode

John's "single crack mode" (`--single`) is about exploiting bad password practice: passwords based on the username or on other details of the account's password-file entry. It can be used over "unshadowed" UNIX-style password files (in which case it exploits not only the username, but also the GECOS fields and the home directory name), or on individual hashes (in which case each hash must be written as USERNAME:HASH so that John has something to go off). A wordlist is not required in single crack mode.

## Custom rules

People typically add "complexity" to a password by appending or prepending the required numbers and symbols (capital letters generally live at either the beginning or the end of the password). John's rules can be used to construct additional permutations of a wordlist to cover these cases. The rule syntax is weird, but close enough to regexps to be vaguely readable. Examples can be found in /etc/john/john.conf (the comments make for interesting reading), and a given ruleset from this file (a `[List.Rules:NAME]` section) can be specified with `--rules=NAME`.
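To make the single-crack and rule behaviour described above concrete, here is an added example (my code, not John the Ripper's own): a small interpreter for a subset of John's rule commands, a seed generator in the spirit of single crack mode, and a check against a raw-MD5 hash (John's `--format=raw-md5`). The sample passwd line, hash and ruleset are constructed for the demo, `single_candidates` only approximates what John's single mode seeds with, and `expand` mirrors the candidate stream that `--wordlist ... --rules ... --stdout` prints.

```python
"""Added example (not John the Ripper's own code): a subset of John's
wordlist-rule syntax, a single-crack-style seed generator, and a check
against a raw-MD5 hash. All sample data below is constructed for the demo."""
from __future__ import annotations

import hashlib
from typing import Iterable, Iterator


def _num(ch: str) -> int:
    """John encodes rule lengths as 0-9, then A-Z for 10..35."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"bad length character {ch!r}")


def apply_rule(word: str, rule: str) -> str | None:
    """Apply one rule string to word; None means the rule rejected the word.

    Subset of john.conf rule commands implemented:
      :  no-op        l  lowercase     u  uppercase     c  capitalize
      C  lower first, upper rest       t  toggle case   r  reverse
      d  duplicate    f  reflect       $X append X      ^X prepend X
      @X purge X      sXY replace X with Y
      <N reject unless length < N      >N reject unless length > N
    Preprocessor classes such as $[0-9] are not expanded here.
    """
    i = 0
    while i < len(rule):
        cmd = rule[i]
        i += 1
        if cmd in ": ":
            continue
        if cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "C":
            word = word[:1].lower() + word[1:].upper()
        elif cmd == "t":
            word = word.swapcase()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "d":
            word = word + word
        elif cmd == "f":
            word = word + word[::-1]
        elif cmd in "$^@<>s":
            # commands that take one argument character (s takes two)
            if i >= len(rule) or (cmd == "s" and i + 1 >= len(rule)):
                raise ValueError(f"missing argument for {cmd!r} in {rule!r}")
            x = rule[i]
            i += 1
            if cmd == "$":
                word = word + x
            elif cmd == "^":
                word = x + word
            elif cmd == "@":
                word = word.replace(x, "")
            elif cmd == "s":
                word = word.replace(x, rule[i])
                i += 1
            elif cmd == "<" and not len(word) < _num(x):
                return None
            elif cmd == ">" and not len(word) > _num(x):
                return None
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return word


def expand(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """The candidate stream of `john --wordlist=... --rules=... --stdout`:
    John runs the whole wordlist once per rule, so the loop is rule-major.
    Duplicates are suppressed here; John's own dedup is only partial."""
    words = list(words)
    seen: set[str] = set()
    for rule in rules:
        for w in words:
            cand = apply_rule(w, rule)
            if cand and cand not in seen:
                seen.add(cand)
                yield cand


def single_candidates(passwd_line: str) -> list[str]:
    """Seeds in the spirit of single crack mode: the login name, the words of
    the GECOS field and the home directory name of an unshadow-style line
    (user:hash:uid:gid:gecos:home:shell). This is an approximation of what
    John seeds with before running its Single rules."""
    f = passwd_line.rstrip("\n").split(":")
    gecos = f[4] if len(f) > 4 else ""
    home = f[5] if len(f) > 5 else ""
    seeds = [f[0]] + gecos.replace(",", " ").split()
    if home:
        seeds.append(home.rstrip("/").rsplit("/", 1)[-1])
    return list(dict.fromkeys(s for s in seeds if s))  # dedupe, keep order


def crack_raw_md5(target_hex: str, candidates: Iterable[str]) -> str | None:
    """Return the candidate whose MD5 hex digest equals target_hex, which is
    the comparison John makes for --format=raw-md5."""
    target = target_hex.strip().lower()
    for cand in candidates:
        if hashlib.md5(cand.encode(), usedforsecurity=False).hexdigest() == target:
            return cand
    return None


# Constructed demo data: one unshadow-style line whose password field holds a
# raw-MD5 hash, and a hand-written ruleset of the kind john.conf contains.
DEMO_PASSWORD = "Sanchez1!"
DEMO_HASH = hashlib.md5(DEMO_PASSWORD.encode(), usedforsecurity=False).hexdigest()
DEMO_LINE = f"rsanchez:{DEMO_HASH}:1001:1001:Rick Sanchez,Lab C-137:/home/rsanchez:/bin/bash"
DEMO_RULES = [":", "c", "c$1", "c$1$!", "u$1"]


def demo() -> str | None:
    """Single-mode seeds, expanded with the rules, checked against the hash."""
    return crack_raw_md5(DEMO_HASH, expand(single_candidates(DEMO_LINE), DEMO_RULES))


if __name__ == "__main__":
    for cand in expand(single_candidates(DEMO_LINE), DEMO_RULES):
        print(cand)  # same shape as --stdout output
    print("cracked:", demo())
```

Run it directly to see the candidate stream; the strings in `DEMO_RULES` use only commands that John itself understands, so they can be pasted unchanged into a `[List.Rules:...]` section of john.conf and tried with `--rules` against a real wordlist.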
Rulesets are particularly useful when expanding a wordlist or (potential) password list of the sort that can be generated by [[cewl]] or [[CUPP]]:

```bash
john --wordlist=$WORD_LIST \
     --rules=$RULE_SET \
     --stdout > $OUTFILE
```

%% Specifically: ![[Generate a word list with John the Ripper]] %%

When in doubt, `--rules=KoreLogic` is a solid choice.

## Helper applications

`hash-identifier` will indicate what hash types match the data in `$PASSWORD_HASH_FILE`. Use this plus information about the provenance of the hashes to choose a likely format. Also useful in conjunction with [[Hashcat]]. (Note that the hash names used by `hash-identifier` do *not* correspond to those used by [[John the Ripper]]; map them against `john --list=formats`.)

`unshadow` transforms [[UNIX password hashes|/etc/passwd + /etc/shadow]] files (or matching subsets of these files) into a format John understands. Note that `--format` is not generally necessary when having John crack the output of `unshadow`, as [[UNIX password hashes]] already specify their type in their `$id$` prefix.

`zip2john` extracts information from encrypted zip files in a format suitable for John to ingest.

`rar2john` extracts information from encrypted rar files in a format suitable for John to ingest.

`python2 /usr/share/john/ssh2john.py` extracts information from encrypted [[SSH]] key files in a format suitable for John to ingest. Note that John is susceptible to false positives when cracking [[SSH]] keys, and will thus try the entire provided wordlist (just in case!).
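The following is an added example (not the `unshadow` or `hash-identifier` code shipped with John) showing what `unshadow` actually produces and why the crypt-style `$id$` prefix lets John skip `--format` while a bare hex digest does not. The passwd and shadow snippets are constructed, the `$6$` and `$1$` hash strings are shape-correct placeholders rather than real digests, and the format names are those John jumbo reports under `john --list=formats`.

```python
"""Added example (not the unshadow or hash-identifier code shipped with John):
merge passwd and shadow entries the way `unshadow` does, and hint which John
--format names fit a hash. Sample files are constructed; the crypt-style hash
strings below are placeholders with the right shape, not real digests."""
from __future__ import annotations

# crypt(3)-style prefixes identify the format unambiguously, which is why
# --format can be left off when cracking unshadow output.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# Bare hex digests carry no type information: a 32-character string could be
# raw MD5, an NT hash or an LM hash, so --format has to come from context.
HEX_LENGTHS = {
    32: ["raw-md5", "NT", "LM"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}


def guess_formats(hash_str: str) -> list[str]:
    """Plausible John --format names for one hash. More than one entry means
    the caller must pick using knowledge of where the hash came from."""
    h = hash_str.strip()
    for prefix, fmt in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [fmt]
    if h and all(c in "0123456789abcdefABCDEF" for c in h):
        return HEX_LENGTHS.get(len(h), [])
    return []


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Replace the 'x' placeholder in each passwd line with the hash from the
    matching shadow line, giving the lines John reads. Locked accounts ('!'
    or '*' in shadow) are passed through unchanged; John skips them itself."""
    shadow: dict[str, str] = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def crackable(unshadowed: list[str]) -> dict[str, list[str]]:
    """Map each user with a real hash to the formats that could fit it,
    skipping locked or empty password fields."""
    result = {}
    for line in unshadowed:
        fields = line.split(":")
        hash_field = fields[1]
        if hash_field in ("", "x") or hash_field.startswith(("!", "*")):
            continue
        result[fields[0]] = guess_formats(hash_field)
    return result


# Constructed sample files (three users; the hash strings are placeholders).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Liddell,,,:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$rounds=5000$saltsalt$placeholderhashplaceholderhashplaceholderhashplaceholderhashplacehol:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$saltsalt$placeholderhashplacehol:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)  # what `unshadow /etc/passwd /etc/shadow` would print
    print(crackable(unshadow(PASSWD, SHADOW)))
```

When `crackable` returns several names for a user, that is exactly the situation the top of this page warns about: pass `--format` explicitly rather than letting John guess.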