Introduction
In this lab, you will explore the essential features of John the Ripper (JtR) for managing password cracking sessions. Effective session management is crucial for long-running cracking tasks, allowing you to pause and resume operations, recover from unexpected interruptions, and keep track of your progress. You will learn how to start a cracking session, gracefully pause and resume it, understand the role of session files, and even recover a session after a simulated crash. Finally, you will learn how to clean up old session files to maintain a tidy working environment.
Start a John the Ripper Cracking Session
In this step, you will start a basic John the Ripper cracking session. We will use a simple MD5 hash and a small wordlist to demonstrate the process. John the Ripper automatically creates a session file when you start a cracking process, which is essential for managing the session.
First, let's create a simple wordlist file named wordlist.txt in your ~/project directory.
echo -e "test\npassword\n123456\nadmin" > ~/project/wordlist.txt
Now, start John the Ripper against the hashes in passwords.txt using wordlist.txt. We will use the --session option to give the session a specific name, which makes it easier to manage later.
john --format=raw-md5 --wordlist=~/project/wordlist.txt --session=my_first_session ~/project/passwords.txt
You should see John the Ripper starting the cracking process. It will likely find the password quickly since our wordlist is small and contains the correct password.
Example output:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (iterations) is 10000 for Raw-MD5
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password (user1)
1g 0:00:00:00 DONE (2023-10-27 08:30) 100.0g/s 100.0p/s 100.0c/s 100.0C/s user1:password
Session completed
After the session completes, you can view the cracked passwords using the --show option.
john --show ~/project/passwords.txt
Example output:
user1:password
1 password hash cracked, 0 left
Pause and Resume a Cracking Session
In this step, you will learn how to pause an ongoing John the Ripper session and then resume it. This is particularly useful for long cracking tasks that you might need to interrupt and continue later.
First, let's create a larger dummy wordlist to ensure the cracking process takes some time, allowing us to pause it.
seq 1000000 | sed "s/$/password/" > ~/project/large_wordlist.txt
Now, start a new John the Ripper session using this large wordlist. We'll name this session long_session.
john --format=raw-md5 --wordlist=~/project/large_wordlist.txt --session=long_session ~/project/passwords.txt
Once the cracking starts, immediately press Ctrl+C to pause the session. John the Ripper will save its current state to the session file.
Example output after pressing Ctrl+C:
...
Press 'q' or Ctrl-C to abort, almost any other key for status
^C
Session aborted.
To resume the session, use the --restore option with the session name.
john --restore=long_session
John the Ripper will pick up exactly where it left off. You can let it run until it finds the password or press Ctrl+C again to pause it.
Example output after resuming:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (iterations) is 10000 for Raw-MD5
Will run 4 OpenMP threads
...
password (user1)
1g 0:00:00:00 DONE (2023-10-27 08:35) 100.0g/s 100.0p/s 100.0c/s 100.0C/s user1:password
Session completed
Understand Session Files
In this step, you will examine the session files created by John the Ripper. These files store the state of your cracking sessions, allowing for pausing, resuming, and recovery.
John the Ripper typically stores session files in the ~/.john directory. Let's list the contents of this directory to see the session files you've created.
ls -l ~/.john/
You should see files like my_first_session.rec and long_session.rec. The .rec extension indicates a recovery file.
Example output:
total 16
-rw------- 1 labex labex 8192 Oct 27 08:30 my_first_session.rec
-rw------- 1 labex labex 8192 Oct 27 08:35 long_session.rec
You can also look at the contents of a session file. It is mostly binary data, but strings will extract the readable text in it, which may reveal some session information.
strings ~/.john/long_session.rec | head -n 10
Example output (may vary):
JtR session file
long_session
raw-md5
/home/labex/project/passwords.txt
/home/labex/project/large_wordlist.txt
These session files are crucial for John the Ripper's ability to manage and recover cracking processes.
Recover from a Crashed Session
In this step, you will learn how to recover a John the Ripper session that might have crashed unexpectedly. This is similar to resuming a paused session, as John the Ripper automatically saves its state periodically.
First, let's simulate a crash. Start a new session, but this time, we will kill the process abruptly instead of gracefully pausing it.
john --format=raw-md5 --wordlist=~/project/large_wordlist.txt --session=crash_test ~/project/passwords.txt &
Note the & at the end, which runs the command in the background so that we can kill it from the same shell.
Now, find the process ID (PID) of the john process.
pgrep john
Example output (PID will vary):
12345
Now, kill the john process using its PID. Replace YOUR_PID with the actual PID you found.
kill YOUR_PID
You might see a message like Terminated or Killed. This simulates an unexpected crash.
Now, try to restore the crash_test session. John the Ripper should be able to pick up from where it left off, even after an abrupt termination.
john --restore=crash_test
Example output:
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5])
Cost 1 (iterations) is 10000 for Raw-MD5
Will run 4 OpenMP threads
...
password (user1)
1g 0:00:00:00 DONE (2023-10-27 08:40) 100.0g/s 100.0p/s 100.0c/s 100.0C/s user1:password
Session completed
This demonstrates John the Ripper's robust recovery capabilities, which are vital for long-duration cracking operations.
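As an added example that is not part of the lab, the POSIX shell wrapper below ties the start, pause/resume and recovery steps together: it checks whether NAME.rec exists in the session directory and either resumes that session with --restore or starts a fresh one with --session. The ~/.john directory and the raw-md5 format come from the lab; the function names and the JOHN_DIR and DRY_RUN variables are assumptions of this script, not john options.

```shell
#!/bin/sh
# Added example, not part of the lab: a start-or-resume wrapper for JtR sessions.
# It checks for NAME.rec in the session directory and either resumes with
# --restore=NAME or starts a fresh --session=NAME run. JOHN_DIR (default ~/.john,
# as in the lab) and DRY_RUN are variables of this script, not john options.
JOHN_DIR="${JOHN_DIR:-$HOME/.john}"

# Path of the recovery file for a session name.
rec_path() {
    printf '%s/%s.rec\n' "$JOHN_DIR" "$1"
}

# Print "restore" if a recovery file exists for the session, else "start".
session_action() {
    if [ -f "$(rec_path "$1")" ]; then
        echo restore
    else
        echo start
    fi
}

# Print the john command line for NAME HASHFILE WORDLIST. A resumed session
# takes no other options: the hash file, format and wordlist are in the .rec.
john_cmd() {
    case "$(session_action "$1")" in
        restore) printf 'john --restore=%s\n' "$1" ;;
        start)   printf 'john --format=raw-md5 --wordlist=%s --session=%s %s\n' \
                     "$3" "$1" "$2" ;;
    esac
}

# Run (or resume) the session and then list what was cracked with --show.
# Ctrl+C or SIGTERM leaves the .rec in place, so calling this again resumes.
# Paths must not contain spaces, since the command string is word-split.
run_or_resume() {
    cmd=$(john_cmd "$1" "$2" "$3")
    echo "Session '$1': $cmd" >&2
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    $cmd && john --show "$2"
}

# Usage: run_or_resume long_session ~/project/passwords.txt ~/project/large_wordlist.txt
```

Running the same run_or_resume call after an abort or a kill resumes the session instead of restarting it, which is exactly the behaviour the --restore step relies on.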
Clean Up Old Session Files
In this step, you will learn how to clean up old John the Ripper session files. While these files are useful for recovery, they can accumulate over time, especially if you run many sessions.
To remove a specific session file, you can use the --remove option with the session name. Let's remove the my_first_session file.
john --remove=my_first_session
You will be prompted to confirm the removal. Type y and press Enter.
Example output:
Remove session file ~/.john/my_first_session.rec? y
Now, verify that the file has been removed by listing the contents of the ~/.john directory again.
ls -l ~/.john/
You should no longer see my_first_session.rec.
Example output:
total 16
-rw------- 1 labex labex 8192 Oct 27 08:35 long_session.rec
-rw------- 1 labex labex 8192 Oct 27 08:40 crash_test.rec
You can also manually delete the .rec files if you prefer, but using john --remove is the recommended way as it ensures proper cleanup.
rm ~/.john/long_session.rec
rm ~/.john/crash_test.rec
Finally, verify that all session files are removed.
ls -l ~/.john/
Example output:
total 0
Keeping your session files organized helps in managing your cracking tasks efficiently.
Summary
In this lab, you have gained practical experience in managing John the Ripper cracking sessions. You learned how to initiate a session, effectively pause and resume it, and understand the critical role of session files in maintaining cracking progress. Furthermore, you explored how to recover a session from an unexpected crash, highlighting John the Ripper's resilience. Finally, you practiced cleaning up old session files to keep your working environment tidy. These skills are fundamental for anyone performing long-duration password auditing or cracking tasks with John the Ripper.