Crack Offline Password Hashes With John The Ripper

What is It?:

John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (eleven architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS).

It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, auto detects password hash types, and includes a customizable cracker.

It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.
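As an added example (not from the original post, and not John the Ripper's own detection code), the sketch below shows how the scheme of a crypt-style entry can be read from its prefix, and uses that to list the accounts in a shadow file that still rely on the DES- or MD5-based formats named above. The function names are hypothetical and the sample entries are constructed placeholders, not real hashes.

```python
import re

# crypt(3) scheme identifiers and the names commonly used for them.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",  # Blowfish-based
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")      # traditional DES crypt
BSDI_RE = re.compile(r"_[./0-9A-Za-z]{19}")    # BSDi extended DES crypt
LEGACY = {"descrypt", "bsdicrypt", "md5crypt"}  # DES- and MD5-based formats

def classify(field):
    """Name the scheme of one password field from passwd/shadow."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.fullmatch(field):
        return "descrypt"
    if BSDI_RE.fullmatch(field):
        return "bsdicrypt"
    return "unknown"

def legacy_accounts(shadow_text):
    """Return (login, scheme) for every entry that uses a legacy scheme."""
    found = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        scheme = classify(fields[1]) if len(fields) > 1 else "unknown"
        if scheme in LEGACY:
            found.append((fields[0], scheme))
    return found

# Constructed sample: placeholder strings, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$PLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:abCDEFGHIJKLM:19000:0:99999:7:::
alice:$1$constructed$PLACEHOLDER:19000:0:99999:7:::
"""

if __name__ == "__main__":
    print(legacy_accounts(SAMPLE_SHADOW))
```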

John The Ripper’s Modes:

  • Wordlist : John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.
  • Single crack : In this mode, John will try to crack the password using the login/GECOS information as passwords.
  • Incremental : This is the most powerful mode. John will try any character combination to resolve the password.

Details about these modes can be found in the MODES file in John’s documentation, including how to define your own cracking methods.

Tools Needed:

  • Copy Of Backtrack 5  (John The Ripper Is Included In Backtrack 5)
  • John The Ripper Found Here

The first thing we need to do is get a list of hashes from somewhere. For this blog, and for demo purposes, we are going to use one from NetForce security training.

The hash dump that we are going to be focused on in this blog is the one that has NetForce in the name and a DES encrypted hash next to it. Copy and paste it into a text document and save it in your root folder.

Next, use the unshadow command to combine the /etc/passwd and /etc/shadow files so John can use them. You might need this because, if you only used your shadow file, the GECOS information wouldn’t be used by the "single crack" mode, and you also wouldn’t be able to use the -shells option.

On a normal system you’ll need to run unshadow as root to be able to read the shadow file, so log in as root or use good old sudo. Type “sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db” without quotes and press enter.
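What the merge step produces, shown as an added example (a re-implementation of the idea in Python, not the unshadow source and not part of the original post): each passwd line keeps its GECOS and shell fields and gains the hash from the matching shadow line. The sample files and the helper exposed_logins are constructed for illustration, and the hash strings are placeholders.

```python
def unshadow(passwd_text, shadow_text):
    """Put each shadow hash into field 2 of the matching passwd line."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def exposed_logins(merged, shells):
    """Logins that have a usable hash and one of the given login shells."""
    names = []
    for line in merged:
        login, pw, _uid, _gid, _gecos, _home, shell = line.split(":")
        usable = pw not in ("", "x") and pw[0] not in "!*"
        if usable and shell in shells:
            names.append(login)
    return names

# Constructed sample files: the hash strings are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
"""
SHADOW = """\
root:$6$constructedsalt$PLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$constructed$PLACEHOLDER:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in unshadow(PASSWD, SHADOW):
        print(entry)
```

The merged line for alice still carries "Alice Example,,," and /bin/bash, which is the information a shadow file on its own does not contain.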

To use John, you just need to supply it a password file created using the unshadow command along with the desired options. If no mode is specified, John will try "single" first, then "wordlist" and finally "incremental" password cracking methods.
Type “john /tmp/crack.password.txt” and press enter (make sure to change the directory to wherever your password hash file is located).

Our output looks like this:

john /tmp/crack.password.txt
Loaded 1 password (FreeBSD MD5 [32/32]

Cracking the hashes will take time, so please be patient!…

To see the cracked passwords once cracking is complete, type “john --show /tmp/crack.password.txt” without quotes.

2 passwords cracked, 1 left

That’s it! I hope you enjoyed reading, and as always don’t be evil!

David Rucilez, aka Nullset, is the owner and operator of Nullset Computer Co. in Reno Nevada. His company focuses on supporting small and large business networking contracts. David graduated from Wright State University Ohio with a BS in Computer Science, and also holds the MCSE and CCNA certifications.

One Response to Crack Offline Password Hashes With John The Ripper

  • Simon says:

    “various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash.”

    You have to be really careful with this, because this is inaccurate as stated. There is a conflation here of hash and encryption. Encryption does not equal hash. A hash is a one-way function (mapping), and encryption is a two-way function (it is reversible with the key).

    In your list you mix the two together: MD5 and LM are hashes (lousy ones). Blowfish (Bruce Schneier said in 2007 that he was amazed anyone still uses Blowfish, due to its algorithmic weaknesses. These days (post 2007) it is recommended that you use Twofish or AES etc.) and DES (which has not been considered secure for probably near a decade) are encryption algorithms. Kerberos is a network authentication scheme based on tickets and symmetric or public-key crypto.

    I am sorry but you can’t just lop all that together under the term encrypted password formats. Encryption has a very specific meaning, and so does hashing. Modern OSes tend to use hashing algorithms like PBKDF2-HMAC-SHA-512 (OS 10.8), Salted SHA-512, Bcrypt, Scrypt etc. Some use encrypted passwords using algorithms like AES 256 bit (I think Windows 8 does that). If I recall correctly, hashing is still considered to be the best password security. Bcrypt actually uses Blowfish to balloon the computation time.

    You may also want to consider using modern algorithms for such demonstrations. At least use SHA-256bit, the ability to break MD-5 and LM is just not impressive, or interesting in the security community. DES is not considered interesting either.
