Introduction
John the Ripper is a popular open-source password cracking tool. When performing password audits or cracking attempts, understanding its output and status is crucial for monitoring progress, identifying cracked passwords, and troubleshooting issues. This lab will guide you through interpreting John the Ripper's various output messages, checking its real-time cracking status, viewing the results of a cracking session, understanding its performance statistics, and logging its output for later analysis.
Interpret John the Ripper Output Messages
In this step, you will learn to understand the various messages John the Ripper displays during a cracking session. These messages provide insights into its progress, the cracking mode, and any issues encountered.
First, let's start a simple cracking session using a wordlist. We will use the passwords.txt file created in the setup and a small wordlist.txt.
Execute the following command in your terminal:
john --wordlist=wordlist.txt passwords.txt
You will see output similar to this:
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts to the same type of crypt (sha512crypt, crypt(3) $6$)
Remaining 3 password hashes with no different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
user1 (user1)
user2 (user2)
user3 (user3)
3g 0:00:00:00 DONE (2023-10-27 08:00) 100.0% 3.000g/s 18.00p/s 18.00c/s 18.00C/s user1 user2 user3
Session completed
Let's break down the key parts of this output:
- Using default input encoding: UTF-8: Indicates the character encoding John is using.
- Loaded 3 password hashes...: Shows how many hashes were loaded from the input file.
- Press 'q' or Ctrl-C to abort, almost any other key for status: This is an important prompt. It tells you how to interact with John during a session.
- user1 (user1): This is a cracked password. user1 is the username (or hash identifier), and (user1) is the cracked password. John displays each cracked password as it is found.
- 3g 0:00:00:00 DONE ...: This is the summary line.
  - 3g: Number of hashes cracked (3 guesses).
  - 0:00:00:00 DONE: The time elapsed and that the session is complete.
  - 100.0%: Percentage of the cracking process completed.
  - 3.000g/s: Guesses per second.
  - 18.00p/s: Passwords per second (number of candidate passwords tested).
  - 18.00c/s: Crypts per second (number of hash computations).
  - 18.00C/s: Candidates per second (number of unique candidate passwords generated).
  - user1 user2 user3: The last few cracked passwords.
- Session completed: Confirms that the cracking session has finished.
Understanding these messages helps you monitor the progress and results of your John the Ripper operations.
Check Cracking Status During a Session
In this step, you will learn how to check the real-time status of a John the Ripper cracking session. This is particularly useful for long-running sessions to monitor progress without interrupting the process.
First, let's clean up the previous session's state so John starts fresh.
john --session=test_session --restore=NONE --wordlist=wordlist.txt passwords.txt --force-load-hashes
Now, start a new cracking session. This time, we'll use a slightly larger wordlist to ensure the session runs long enough for us to check its status. We'll use the passwords.txt file and the wordlist.txt file.
Execute the following command. Note that we are using --session=test_session to give this session a name, which is useful for restoring or checking status later.
john --session=test_session --wordlist=wordlist.txt passwords.txt
While John is running (it might finish quickly with the small wordlist, but imagine it's a large one), open a new terminal tab (or a new terminal window if you are not in the LabEx environment). In the new terminal, you can check the status of the running session.
To check the status, use the --status option with the session name:
john --status=test_session
You will see output similar to this (the exact numbers will vary based on progress):
Session test_session (john)
Progress: 3/3 (100%)
Speed: 3.000g/s (words), 18.00p/s (passwords), 18.00c/s (crypts), 18.00C/s (candidates)
Remaining: 0:00:00:00
Cracked: 3
This output provides a snapshot of the session's progress, including the number of hashes cracked, the cracking speed, and the estimated time remaining.
After checking the status, you can close the new terminal tab. The original John the Ripper session will continue to run until it completes.
If the session has already completed, the --status command will indicate that the session is done.
Session test_session (john)
Session completed
This feature is invaluable for managing long-running cracking operations.
View Cracked Passwords from a Session
After a John the Ripper session completes, the cracked passwords are saved in a file called john.pot (often located in ~/.john/john.pot). In this step, you will learn how to view these cracked passwords.
First, ensure you have a john.pot file with cracked passwords. If you followed the previous steps, it should already exist. If not, run the cracking command again:
john --wordlist=wordlist.txt passwords.txt
Once the session is complete, you can view the cracked passwords using the --show option. This option tells John to display all the cracked passwords it has stored for the given hash file.
Execute the following command:
john --show passwords.txt
You will see output similar to this:
user1:user1
user2:user2
user3:user3
3 password hashes cracked, 0 left
The output lists each cracked hash in the format username:password. The 3 password hashes cracked, 0 left line summarizes the results.
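For an audit report, the --show output described above can be reduced to per-account findings so that plaintext passwords are not copied into the report. This is an added example, not part of the original lab; audit_show_output and SAMPLE_SHOW are hypothetical names, and the parser assumes the two-field username:password lines shown above.

```python
import re

SUMMARY_RE = re.compile(r"^(\d+) password hash(?:es)? cracked, (\d+) left$")

# Constructed sample: the `john --show passwords.txt` output shown in this lab.
SAMPLE_SHOW = """\
user1:user1
user2:user2
user3:user3

3 password hashes cracked, 0 left
"""


def audit_show_output(text):
    """Summarise --show output per account without keeping any plaintext."""
    accounts, cracked, left = [], None, None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            cracked, left = int(m[1]), int(m[2])
            continue
        if ":" not in line:
            continue  # blank lines and anything that is not username:password
        # Assumption: two fields per line, as in the lab. Split once so a
        # password that itself contains ':' stays intact.
        user, password = line.split(":", 1)
        accounts.append({
            "user": user,
            "length": len(password),
            "same_as_username": password.lower() == user.lower(),
        })
    total = None if cracked is None else cracked + left
    return {
        "cracked": cracked,
        "left": left,
        "cracked_ratio": None if not total else cracked / total,
        # The summary line should agree with the number of account lines seen.
        "consistent": cracked == len(accounts),
        "accounts": accounts,
    }


if __name__ == "__main__":
    print(audit_show_output(SAMPLE_SHOW))
```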
The john.pot file is a crucial component of John the Ripper, as it stores all successfully cracked passwords. John automatically checks this file before attempting to crack a hash, preventing redundant work. You can also directly inspect the john.pot file using cat:
cat ~/.john/john.pot
The content will look similar to this:
user1:user1
user2:user2
user3:user3
This step demonstrates how to retrieve and review the valuable output of your cracking efforts.
Understand John the Ripper Statistics
John the Ripper provides detailed statistics about its cracking performance. Understanding these statistics helps you evaluate the efficiency of your cracking attempts and compare different cracking strategies.
Let's run a cracking session again to generate some statistics. We'll use the same command as before.
john --wordlist=wordlist.txt passwords.txt
Observe the final summary line that appears after the session completes:
3g 0:00:00:00 DONE (2023-10-27 08:00) 100.0% 3.000g/s 18.00p/s 18.00c/s 18.00C/s user1 user2 user3
Session completed
Let's re-examine the key statistical metrics:
- 3g: This indicates the number of "guesses" made, which corresponds to the number of hashes successfully cracked in this context.
- 0:00:00:00 DONE: The total time elapsed for the session. For short sessions, it might show 0.
- 100.0%: The percentage of the cracking process completed.
- 3.000g/s (guesses/s): The rate at which John is making guesses per second. This is often the most direct measure of cracking speed.
- 18.00p/s (passwords/s): The number of candidate passwords tested per second. This can be higher than g/s if multiple hashes are being tested against the same candidate password.
- 18.00c/s (crypts/s): The number of hash computations (cryptographic operations) performed per second. This is a measure of the raw computational power being utilized.
- 18.00C/s (candidates/s): The number of unique candidate passwords generated per second. This can differ from p/s if the same candidate is tested against multiple hashes.
These statistics are crucial for:
- Performance Evaluation: Understanding how fast John is cracking passwords.
- Resource Utilization: Gauging how much CPU power is being used for hash computations.
- Strategy Comparison: Comparing the effectiveness of different wordlists or cracking modes.
By paying attention to these numbers, you can gain valuable insights into your password auditing efforts.
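To compare runs or track a long session from a saved log, the summary line broken down above can be parsed into numeric fields. This is an added example, not part of the original lab; parse_status_line, last_status and SAMPLE_LOG are hypothetical names, and the K/M/G/T rate suffixes are an assumption about larger runs that goes beyond the line shown here.

```python
import re

# Layout of the summary line shown in this lab:
#   <N>g <D:HH:MM:SS> [DONE (<finish time>)] [<pct>%] <g/s> <p/s> <c/s> <C/s> <words>
STATUS_RE = re.compile(
    r"^(?P<cracked>\d+)g\s+(?P<elapsed>\d+:\d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<done>DONE)(?:\s+\((?P<finished>[^)]*)\))?)?"
    r"(?:\s+(?P<percent>\d+(?:\.\d+)?)%)?(?P<rest>.*)$"
)
# Assumption: faster runs print scaled rates such as 1200Kp/s.
RATE_RE = re.compile(r"(?P<value>\d+(?:\.\d+)?)(?P<scale>[KMGT]?)(?P<unit>[gpcC])/s")
SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}

# Constructed sample: lines taken from the session output shown in this lab.
SAMPLE_LOG = """\
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts to the same type of crypt (sha512crypt, crypt(3) $6$)
Press 'q' or Ctrl-C to abort, almost any other key for status
user1 (user1)
3g 0:00:00:00 DONE (2023-10-27 08:00) 100.0% 3.000g/s 18.00p/s 18.00c/s 18.00C/s user1 user2 user3
Session completed
"""


def parse_status_line(line):
    """Return the fields of one status/summary line, or None for any other line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    matches = list(RATE_RE.finditer(m["rest"]))
    if not matches:
        return None
    days, hours, minutes, seconds = (int(x) for x in m["elapsed"].split(":"))
    return {
        "cracked": int(m["cracked"]),
        "elapsed_seconds": ((days * 24 + hours) * 60 + minutes) * 60 + seconds,
        "done": m["done"] is not None,
        "finished": m["finished"],
        "percent": float(m["percent"]) if m["percent"] else None,
        "rates": {r["unit"] + "/s": float(r["value"]) * SCALE[r["scale"]] for r in matches},
        "trailing": m["rest"][matches[-1].end():].split(),
    }


def last_status(log_text):
    """Parse every line of a saved log and return the most recent status line."""
    parsed = [p for p in map(parse_status_line, log_text.splitlines()) if p]
    return parsed[-1] if parsed else None


if __name__ == "__main__":
    print(last_status(SAMPLE_LOG))
```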
Log John the Ripper Output to a File
For long-running sessions or for auditing purposes, it's often beneficial to log John the Ripper's output to a file. This allows you to review the progress and results later without having to keep a terminal open.
You can redirect John's standard output to a file using standard shell redirection (>).
First, let's clean up any previous session files to ensure a fresh start.
john --session=log_session --restore=NONE --wordlist=wordlist.txt passwords.txt --force-load-hashes
Now, run John the Ripper and redirect its output to a file named john_output.log in your ~/project directory.
john --session=log_session --wordlist=wordlist.txt passwords.txt > john_output.log
Notice that after executing this command, your terminal will appear to do nothing. This is because all the output that would normally be displayed on the screen is now being written to john_output.log.
Once the command finishes (which will be almost instantly with our small wordlist), you can view the contents of the log file using cat:
cat john_output.log
You will see the complete output of the John the Ripper session, identical to what you would have seen on the screen, but now stored in the file:
Using default input encoding: UTF-8
Loaded 3 password hashes with no different salts to the same type of crypt (sha512crypt, crypt(3) $6$)
Remaining 3 password hashes with no different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
user1 (user1)
user2 (user2)
user3 (user3)
3g 0:00:00:00 DONE (2023-10-27 08:00) 100.0% 3.000g/s 18.00p/s 18.00c/s 18.00C/s user1 user2 user3
Session completed
Logging output is a best practice for any long-running or critical command-line operation, providing a persistent record of events and results.
Summary
In this lab, you have gained a comprehensive understanding of how to interpret John the Ripper's output and manage its sessions. You learned to decipher the various messages displayed during a cracking session, check the real-time status of a running session, and retrieve cracked passwords from the john.pot file. Furthermore, you explored how to understand John's performance statistics and how to log its output to a file for persistent record-keeping. These skills are fundamental for effectively using John the Ripper for password auditing and security testing.


