APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

2005/03/26 John the Ripper

© March 2005 Tony Lawrence

Password security. John the Ripper attempts to crack passwords by comparing the hashed version with hashes computed from common words, permutations of common words, pointless additions ("alex123", "betty222" and the like).

On any modern system, no non-administrative user should be able to read the hashed passwords at all, so you should understand that this is not a black-hat tool used to crack your passwords (though similar tools can be used to generate brute force password guessing). If somebody can read your shadow password file, you are already in trouble.

If you have lost or forgotten your Linux password, this will help.. If it's not Linux, but SCO or some other Unix, the suggestions at Lost or Forgotten Root Password SCO Unix may help you.

No, this is a tool for administrators to test for weak passwords. For Linux shadow passwords, you use the included "unshadow" to create a file to run against:

./unshadow /etc/passwd /etc/shadow > pw1
./john pw1

and sit back to wait.. of course this is one of the few times where you (the administrator) are actually hoping that John takes a long time and finds nothing. Even if the passwords aren't all that good, John is probably going to run a goodly period of time. If you use it in incremental mode ("john -i"), it might run forever - seriously. As the docs explain:

This will use the default incremental mode parameters, which are defined
in ~/john.ini's [Incremental:All] section. In the configuration file
supplied with John these parameters are to use the full 95 character set,
and to try all possible password lengths, from 0 to 8. (By zero password
length I mean a hashed empty string, this sometimes happens.) Don't expect
this to terminate in a reasonable time (unless all the passwords were weak
and got cracked), read doc/MODES for an explanation.

You really need to read the documentation here. It isn't difficult to understand, but you need to read it.

What you DON'T want to see is something like this:

# ./john pw1
Loaded 1 password (FreeBSD MD5 [32/32])
fred123          (fred)
guesses: 1  time: 0:00:00:00 100% (1)  c/s: 625  trying: fred123

That popped back almost before my finger bounced off the ENTER key. When I ran it with -i, it took a bit longer (actually about two hours with MaxLen set to 12), but when you consider how many combinations it had to try before getting to that, it's gets there pretty darn fast. John never did crack my real passwords, though of course it would if had I left it running long enough. Don't forget to set MaxLen in john.ini if your passwords exceed its default of 8 (and they should!).

If you are curious about what John is up to, press ENTER while it is running:

guesses: 1  time: 0:00:00:31 8% (2)  c/s: 1624  trying: dexter1
guesses: 1  time: 0:00:00:32 8% (2)  c/s: 1624  trying: Mustang1
guesses: 1  time: 0:00:00:34 9% (2)  c/s: 1624  trying: Stacey1
guesses: 1  time: 0:00:00:35 9% (2)  c/s: 1625  trying: Gunner1
guesses: 1  time: 0:00:01:13 20% (2)  c/s: 1625  trying: ariel!

When John cracks a password, it gets stored in "john.pot". For example, after cracking Fred's password, john.pot contained:


The "fred123" was, in fact, the actual password used, but you have no absolute knowledge that is the case. It's pretty likely, but it is at least in the realm of possibility that two different words can hash to the same string. You are quite safe in assuming that did not happen, and would never go broke betting against it.

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> John the Ripper

1 comment

Inexpensive and informative Apple related e-books:

Sierra: A Take Control Crash Course

Take Control of Automating Your Mac

El Capitan: A Take Control Crash Course

iOS 8: A Take Control Crash Course

Take Control of iCloud

More Articles by © Tony Lawrence

Related Articles

Sun Nov 8 18:09:01 2009: 7499   TonyLawrence

At linuxquestions.org, a post asked how to determine the password a user

In the course of my reply, I posted a link here. A moderator deleted it, saying

// pcunix, the LQ Rules make it clear that this isn't the place to receive or provide help with cracking.

I'm pretty annoyed by that... all the other answers told the poster that it couldn't be done, that all he could do was change it. I don't agree with the moderator.

You need to BE root to use John the Ripper. It's a legitimate tool for administrators to detect weak passwords.

Your opinions?


Printer Friendly Version

Related Articles

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

Educate the children and it won't be necessary to punish the men. (Pythagoras)

Linux posts

Troubleshooting posts

This post tagged:


Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode