Introduction
John the Ripper is a fast password cracker, available for many flavors of Unix, macOS, Windows, and DOS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Kerberos AFS and Windows LM hashes, in addition to hundreds of other hash and cipher types in the community-enhanced version.
In this lab, you will dive deeper into John the Ripper's capabilities by exploring some of its advanced command-line options. Understanding these options will allow you to fine-tune your password cracking attempts, manage long-running sessions, and redirect output for further analysis. You will learn how to specify hash formats, apply custom rules, manage cracking sessions, and use the --stdout option for generating wordlists.
Explore --format Option in Detail
In this step, you will learn how to use the --format option in John the Ripper. This option is crucial when dealing with various types of password hashes, as it tells John which hash type to expect and how to process it. John the Ripper supports a wide array of hash formats, from traditional Unix crypt hashes to modern application-specific hashes.
First, let's list the available hash formats that John the Ripper supports. This will give you an idea of the versatility of the tool.
john --list=formats
You will see a long list of formats. For example, crypt for traditional Unix hashes, raw-md5 for plain MD5 hashes, nt for Windows NT hashes, and many more.
Now, let's try to crack a password from our passwords.txt file, specifically targeting a known format. We have a user user1 with a SHA512 crypt hash. We can explicitly tell John to use the sha512crypt format.
john --format=sha512crypt /home/labex/project/passwords.txt --wordlist=/home/labex/project/wordlist.txt
If the password for user1 (which is password123 in our setup) is in the wordlist, John will crack it.
Next, let's try cracking an LM hash (user5) and an NT hash (user6) from the passwords.txt file. John can often auto-detect formats, but explicitly specifying them with --format can be faster and more reliable, especially when dealing with mixed hash types or less common formats.
john --format=lm /home/labex/project/passwords.txt --wordlist=/home/labex/project/wordlist.txt
john --format=nt /home/labex/project/passwords.txt --wordlist=/home/labex/project/wordlist.txt
You might see output similar to this, indicating the cracking process:
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2])
Press 'q' or Ctrl-C to abort, almost any other key for status
password123 (user1)
1g 0:00:00:00 DONE (2023-10-27 10:00) 100% (ETA: 10:00) 1.000g/s 1.000p/s 1.000c/s 1.000C/s password123
Session completed
This step demonstrates the importance of the --format option for efficient and accurate password cracking.
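The advice above to pass --format explicitly when a file mixes hash types is easier to follow if the input is first split by hash family. The shell script below is an added example, not part of this lab and not John the Ripper's own code: it sorts a user:hash file into one file per John format name using the standard crypt(3) prefixes ($6$, $5$, $1$, $2a$/$2b$/$2y$) and hash length, and keeps bare 32-hex-digit hashes (which could be raw-md5, nt or lm) in a separate file so you decide the format per source rather than guessing. The function names guess_format, split_by_format and make_sample_hashes are chosen here, and the sample passwords.txt it builds contains constructed placeholder values, not real hashes.

```shell
#!/bin/sh
# Added example (not John the Ripper's own code): sort a mixed "user:hash"
# file into one file per hash family so each can be run with an explicit
# --format instead of relying on auto-detection. The prefix-to-format
# mapping is the modular-crypt prefix convention; a bare 32-hex-digit hash
# is ambiguous (raw-md5, nt and lm all look alike) and is deliberately
# kept in its own file for manual review. Sample data below is constructed.

# Map one hash string to a John --format name (or "hex32-ambiguous"/"unknown").
guess_format() {
    h=$1
    case $h in
        '$6$'*)  echo sha512crypt ;;
        '$5$'*)  echo sha256crypt ;;
        '$1$'*)  echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        *)
            if printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{32}$'; then
                echo hex32-ambiguous      # raw-md5, nt or lm: decide per source
            elif printf '%s' "$h" | grep -Eq '^[0-9a-fA-F]{40}$'; then
                echo raw-sha1
            else
                echo unknown
            fi ;;
    esac
}

# Split user:hash lines from $1 into $2/<format>.txt and print "format count"
# pairs; $2 should be a fresh directory since the files are appended to.
split_by_format() {
    infile=$1; outdir=$2
    mkdir -p "$outdir"
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        fmt=$(guess_format "$hash")
        printf '%s:%s\n' "$user" "$hash" >> "$outdir/$fmt.txt"
    done < "$infile"
    for f in "$outdir"/*.txt; do
        printf '%s %s\n' "$(basename "$f" .txt)" "$(wc -l < "$f" | tr -d ' ')"
    done
}

# Write a constructed passwords.txt (placeholder values, not real hashes)
# into a scratch directory and print that directory's path.
make_sample_hashes() {
    dir=$(mktemp -d)
    cat > "$dir/passwords.txt" <<'EOF'
user1:$6$constructedsalt$CONSTRUCTED_NOT_A_REAL_HASH_VALUE
user2:$1$salt$CONSTRUCTED_MD5CRYPT
user3:$2y$10$CONSTRUCTED_BCRYPT_VALUE
user4:00000000000000000000000000000000
user5:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
user6:0000000000000000000000000000000000000000
user7:not-a-hash
EOF
    echo "$dir"
}

sample=$(make_sample_hashes)
out=$(mktemp -d)
split_by_format "$sample/passwords.txt" "$out"
# Each file can now be given to John with a matching format, for example:
#   john --format=sha512crypt "$out/sha512crypt.txt" --wordlist=wordlist.txt
```

The hex32-ambiguous.txt file is the one to look at by hand: a pwdump-style export tells you whether a 32-hex value is an LM or NT hash, while a web application dump with the same shape is usually raw-md5, and John cannot tell these apart from the digits alone.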
Utilize --rules Option with Custom Rules
In this step, you will explore the --rules option, which allows John the Ripper to apply a set of predefined or custom rules to words from a wordlist. Rules are powerful transformations that can be applied to words, such as appending numbers, changing case, or duplicating characters, significantly increasing the chances of cracking passwords that are variations of common words.
John comes with several built-in rule sets, such as Wordlist (default), Single, and Jumbo. You can list the available rule sets using:
john --list=rules
This command will output a list of rule sets.
Now, let's use a custom rule file. We created a simple custom rule file named custom_rules.txt in the setup, which contains rules like :$[0-9] (append a digit) and Az (capitalize the first letter).
Let's try to crack user1 again, but this time using our custom rules. Assume user1's password was Password123 (capital P, then 123). Our wordlist only contains password. The Az rule will capitalize the first letter, and :$[0-9] will append a digit.
john --wordlist=/home/labex/project/wordlist.txt --rules=/home/labex/project/custom_rules.txt /home/labex/project/passwords.txt --format=sha512crypt
This command will apply the rules from custom_rules.txt to each word in wordlist.txt before trying them against the hashes. For example, password might become Password, password0, password1, etc., and then Password0, Password1, etc.
You can also combine rules with the --stdout option (which we will cover in the next step) to see what words are generated by your rules:
john --wordlist=/home/labex/project/wordlist.txt --rules=/home/labex/project/custom_rules.txt --stdout
This command will print all the words generated by applying custom_rules.txt to wordlist.txt to your terminal. This is useful for debugging your rule sets.
The --rules option is a powerful feature for extending the effectiveness of wordlist attacks by generating common password variations.
Understand --session and --restore Options
In this step, you will learn about the --session and --restore options, which are vital for managing long-running password cracking tasks. Cracking complex passwords can take hours, days, or even weeks. These options allow you to save the current state of a cracking session and resume it later without losing progress.
When John the Ripper runs, it automatically creates a session file (usually john.rec in the run directory) to save its state. However, using the --session option allows you to specify a custom name for this session file, which is useful when running multiple cracking tasks concurrently or when you want to keep specific session logs.
Let's start a cracking session for user1 and specify a session name:
john --session=my_cracking_session /home/labex/project/passwords.txt --wordlist=/home/labex/project/wordlist.txt --format=sha512crypt
Let the cracking run for a few seconds, then press Ctrl+C to interrupt it. You will see a message indicating that the session was saved.
Now, list the files in your current directory to see the session file:
ls -l /home/labex/project/
You should see a file named my_cracking_session.rec (or similar, depending on John's version and configuration).
To resume the interrupted session, use the --restore option with the session name:
john --restore=my_cracking_session
John will pick up exactly where it left off. This is incredibly useful for managing large-scale cracking operations or when your system needs to be rebooted.
If you don't specify a session name with --session, John will use a default session file. Using --restore without a session name will attempt to restore the default session.
john --restore
This step highlights how to effectively manage and resume your password cracking efforts, ensuring that no progress is lost.
Experiment with --stdout for Output Redirection
In this step, you will learn about the --stdout option, which is extremely useful for generating wordlists or testing rule sets without actually performing a cracking attempt. When used with --stdout, John the Ripper will output the generated candidate passwords to standard output, which can then be redirected to a file or piped to another tool.
This is particularly powerful when combined with wordlists and rules. You can use John to create highly customized wordlists based on existing ones and specific rules.
Let's generate a wordlist by applying our custom_rules.txt to wordlist.txt and redirect the output to a new file called generated_wordlist.txt:
john --wordlist=/home/labex/project/wordlist.txt --rules=/home/labex/project/custom_rules.txt --stdout > /home/labex/project/generated_wordlist.txt
After executing the command, check the content of the newly created file:
cat /home/labex/project/generated_wordlist.txt
You should see words like password, Password, password0, password1, etc., generated by the rules.
You can also use --stdout to generate permutations of a single word. For example, to generate variations of the word "test":
echo "test" | john --pipe --rules=/home/labex/project/custom_rules.txt --stdout
Here, echo "test" writes the word "test" to John's standard input, --pipe tells John to read its candidate words from standard input instead of a wordlist file, and --stdout then prints the rule-applied variations instead of testing them against any hashes.
The --stdout option is a versatile feature for pre-processing wordlists, creating custom dictionaries for other cracking tools, or simply understanding how your rules transform words.
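To make the --rules and --stdout behaviour described above concrete, here is an added example that is neither John's code nor part of the lab: a POSIX shell stand-in for "john --wordlist=... --rules=... --stdout" that implements only the two rule effects this lab attributes to custom_rules.txt (capitalise the first letter, append one digit 0-9), then hashes every candidate with md5sum and matches it against constructed user:md5hex lines the way a --format=raw-md5 run would. It assumes GNU coreutils (md5sum, cut, tr); the function names and the sample wordlist and hash file are constructed here.

```shell
#!/bin/sh
# Added example (not John the Ripper's own code): a small stand-in for
# "john --wordlist=... --rules=... --stdout" that applies the two rule
# effects the lab describes for custom_rules.txt (capitalise the first
# letter; append one digit 0-9) and then checks the candidates against
# "user:md5hex" lines the way a --format=raw-md5 run would. It assumes
# GNU coreutils (md5sum, cut, tr); file names and sample data are constructed.

# Emit the candidate set for one word: the word itself, its capitalised
# form, and both with each digit 0-9 appended.
expand_word() {
    w=$1
    first=$(printf '%s' "$w" | cut -c1 | tr 'a-z' 'A-Z')
    rest=$(printf '%s' "$w" | cut -c2-)
    cap=$first$rest
    printf '%s\n' "$w" "$cap"
    for d in 0 1 2 3 4 5 6 7 8 9; do
        printf '%s\n' "$w$d" "$cap$d"
    done
}

# Apply expand_word to every non-empty line of a wordlist file
# (this is the stream you would redirect into generated_wordlist.txt).
expand_wordlist() {
    while IFS= read -r word || [ -n "$word" ]; do
        if [ -n "$word" ]; then expand_word "$word"; fi
    done < "$1"
}

# MD5 each candidate and print "user:candidate" for every match in a
# user:md5hex file; entries with no matching candidate are simply absent.
crack_md5() {
    wordlist=$1; hashfile=$2
    expand_wordlist "$wordlist" | while IFS= read -r cand; do
        digest=$(printf '%s' "$cand" | md5sum | cut -d' ' -f1)
        grep -i ":$digest\$" "$hashfile" | while IFS=: read -r user ignored; do
            printf '%s:%s\n' "$user" "$cand"
        done
    done
    return 0
}

# Build a scratch directory with a two-word wordlist and three constructed
# targets: two reachable through the rules, one ("letmein") that is not.
make_sample_files() {
    dir=$(mktemp -d)
    printf '%s\n' password test > "$dir/wordlist.txt"
    {
        printf 'user1:%s\n' "$(printf '%s' Password1 | md5sum | cut -d' ' -f1)"
        printf 'user2:%s\n' "$(printf '%s' test7 | md5sum | cut -d' ' -f1)"
        printf 'user3:%s\n' "$(printf '%s' letmein | md5sum | cut -d' ' -f1)"
    } > "$dir/hashes.txt"
    echo "$dir"
}

demo=$(make_sample_files)
words=$(wc -l < "$demo/wordlist.txt" | tr -d ' ')
cands=$(expand_wordlist "$demo/wordlist.txt" | wc -l | tr -d ' ')
echo "candidates generated from $words words: $cands"
crack_md5 "$demo/wordlist.txt" "$demo/hashes.txt"
```

Two words become 44 candidates here, which is the point of rules: every rule multiplies the wordlist, so the candidate count (and the run time against a slow hash such as sha512crypt) grows with the product of the two, and inspecting that stream with --stdout before a real run tells you whether the multiplier is worth it.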
Discover Other Useful Command Line Flags
In this final step, you will briefly explore a few other useful command-line flags that can enhance your John the Ripper usage. While we won't go into deep detail for each, knowing they exist can help you in various scenarios.
--show: This option displays the cracked passwords from a previous session. After cracking passwords, John stores them in its john.pot file. You can view them using:
john --show /home/labex/project/passwords.txt
This will show any passwords that John has successfully cracked from the passwords.txt file.
--incremental: This is a powerful mode for brute-force attacks. John will generate passwords based on character sets and lengths. You can specify a mode (e.g., alnum, digits, all).
## This command will run for a long time, so we'll just demonstrate its usage.
## DO NOT let it run for too long. Press Ctrl+C to stop it after a few seconds.
john --incremental=digits /home/labex/project/passwords.txt --format=raw-md5
This command attempts to crack passwords by generating combinations of digits.
--fork=<N>: This option lets John split the work across multiple CPU cores, where <N> is the number of forks (separate processes) to use. This can significantly speed up cracking on multi-core systems.
john --fork=2 /home/labex/project/passwords.txt --wordlist=/home/labex/project/wordlist.txt --format=sha512crypt
This will attempt to crack passwords using 2 processes, one per CPU core.
--mask: This option allows you to perform mask attacks, where you define a specific pattern for the password. For example, ?l?l?l?d?d would try all combinations of 3 lowercase letters followed by 2 digits.
## This command will run for a long time, so we'll just demonstrate its usage.
## DO NOT let it run for too long. Press Ctrl+C to stop it after a few seconds.
john --mask=?l?l?l?d?d /home/labex/project/passwords.txt --format=raw-md5
This command attempts to crack passwords that fit the specified mask.
These are just a few of the many advanced options available in John the Ripper. Exploring the man john page or john --help will reveal even more possibilities for specialized password auditing and cracking tasks.
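The --incremental and --mask commands above carry the warning that they "will run for a long time"; how long is something you can estimate before starting. The script below is an added example, not John's code and not part of the lab: it multiplies out the keyspace of a mask such as ?l?l?l?d?d (literal characters count once, ?? is a literal question mark) and converts it into seconds at a given candidate rate, optionally divided across --fork processes. The placeholder class sizes it uses (?l and ?u 26, ?d 10, ?s 33, ?a 95) are the usual mask-mode sizes and are assumed here; mask_keyspace, mask_eta_seconds and class_size are names chosen for this example.

```shell
#!/bin/sh
# Added example (not John the Ripper's own code): work out how many
# candidates a John mask such as ?l?l?l?d?d expands to, and how long
# exhausting it would take at a given rate, before launching a --mask or
# --incremental run. Class sizes are assumed: ?l/?u 26, ?d 10, ?s 33, ?a 95.
# Arithmetic is 64-bit, so masks beyond roughly nine ?a placeholders overflow.

# Size of the character class behind one placeholder letter.
class_size() {
    case $1 in
        l|u) echo 26 ;;             # ?l lowercase, ?u uppercase
        d)   echo 10 ;;             # ?d digits
        s)   echo 33 ;;             # ?s punctuation and space (assumed)
        a)   echo 95 ;;             # ?a all printable ASCII (assumed)
        '?') echo 1 ;;              # "??" is a literal question mark
        *)   echo "unknown placeholder ?$1" >&2; return 1 ;;
    esac
}

# Multiply the class sizes of every placeholder; literal characters count 1.
mask_keyspace() {
    mask=$1; total=1
    while [ -n "$mask" ]; do
        c=$(printf '%s' "$mask" | cut -c1)
        if [ "$c" = '?' ]; then
            p=$(printf '%s' "$mask" | cut -c2)
            n=$(class_size "$p") || return 1
            mask=$(printf '%s' "$mask" | cut -c3-)
        else
            n=1                     # e.g. the fixed "2024" in 2024?d?d
            mask=$(printf '%s' "$mask" | cut -c2-)
        fi
        total=$((total * n))
    done
    echo "$total"
}

# Seconds to exhaust a mask at RATE candidates per second (John's p/s
# figure), rounded up, spread over FORKS processes as --fork=N would do.
mask_eta_seconds() {
    ks=$(mask_keyspace "$1") || return 1
    rate=$2; forks=${3:-1}
    per_sec=$((rate * forks))
    echo $(( (ks + per_sec - 1) / per_sec ))
}

for m in '?l?l?l?d?d' '?a?a?a?a?a?a' '2024?d?d'; do
    echo "$m -> $(mask_keyspace "$m") candidates, ~$(mask_eta_seconds "$m" 1000000 2) s at 1M p/s x 2 forks"
done
```

Use the p/s value from John's own status line for your hash type as the rate: a fast raw-md5 run and a slow sha512crypt run differ by orders of magnitude, so the same mask that finishes in seconds against one can take days against the other, which is exactly why the lab tells you to interrupt these commands.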
Summary
In this lab, you have gained hands-on experience with several advanced command-line options for John the Ripper. You learned how to precisely specify hash formats using --format, apply powerful transformations to wordlists with --rules and custom rule files, and manage long-running cracking sessions using --session and --restore. Furthermore, you explored the versatility of --stdout for generating custom wordlists and briefly touched upon other useful flags like --show, --incremental, --fork, and --mask.
Mastering these options will significantly enhance your ability to perform effective password auditing and cracking, making you more proficient in using John the Ripper for various security tasks. Continue exploring John's extensive documentation to uncover even more advanced features and techniques.