Crack Offline Password Hashes With John The Ripper


What is It?:

John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (eleven architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS).

It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, auto detects password hash types, and includes a customizable cracker.

It can be run against various encrypted password formats, including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.

John The Ripper’s Modes:

  • Wordlist: John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.
  • Single crack: In this mode, John will try to crack the password using the login/GECOS information as passwords.
  • Incremental: This is the most powerful mode. John will try any character combination to resolve the password.

Details about these modes can be found in the MODES file in John’s documentation, including how to define your own cracking methods.

Tools Needed:

  • Copy Of Backtrack 5  (John The Ripper Is Included In Backtrack 5)
  • John The Ripper Found Here

The first thing we need to do is get a list of hashes from somewhere. For this blog, and for demo purposes, we are going to use one from NetForce security training.

The hash dump that we are going to focus on in this blog is the one that has NetForce in the name and a DES encrypted hash next to it. Copy and paste it into a text document and save it in your root folder.


Next, use the unshadow command to combine the /etc/passwd and /etc/shadow files so John can use them. You might need this because, if you used only your shadow file, the GECOS information wouldn’t be available to the "single crack" mode, and you also wouldn’t be able to use the -shells option.

On a normal system you’ll need to run unshadow as root to be able to read the shadow file, so log in as root or use good old sudo. Type “sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.txt” without quotes and press enter.

To use John, you just need to supply it with a password file created using the unshadow command, along with the desired options. If no mode is specified, John will try "single" first, then "wordlist" and finally "incremental" password cracking methods.
Type “john /tmp/crack.password.txt” without quotes and press enter (make sure to change the directory to wherever your password hash file is located).

Our output looks like this:

john /tmp/crack.password.txt
Loaded 1 password (FreeBSD MD5 [32/32]

Cracking the hashes will take time, so please be patient!…

To see the cracked passwords once the run is complete, type “john --show /tmp/crack.password.txt” without quotes.

2 passwords cracked, 1 left
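
As an added example (not part of the original post), this Python sketch reproduces in simplified form the merge that unshadow performs, then names the crypt scheme of each merged entry so an administrator can flag accounts still on legacy DES or MD5 crypt, or with an empty password field, for migration. The account lines and hash strings are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample files: made-up accounts with placeholder hash strings.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
alice:$1$constrct$constructedhashvalue:19000:0:99999:7:::
bob:ab0123456789A:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK = {"descrypt", "md5crypt", "empty"}  # schemes this audit reports

def unshadow(passwd_text, shadow_text):
    """Simplified unshadow: copy each login's shadow hash into passwd field 2."""
    hashes = dict(line.split(":")[:2] for line in shadow_text.splitlines() if ":" in line)
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged

def scheme(field):
    """Name the crypt(3) scheme of a password field from its prefix or shape."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # traditional DES crypt: 2 salt chars + 11 hash chars
    return "unknown"

def audit(merged):
    """Return (login, scheme) for accounts whose scheme is in WEAK."""
    pairs = ((l.split(":")[0], scheme(l.split(":")[1])) for l in merged if ":" in l)
    return [pair for pair in pairs if pair[1] in WEAK]
```

Calling audit(unshadow(PASSWD, SHADOW)) on the sample data reports alice (md5crypt) and bob (descrypt); root uses sha512crypt and daemon is locked, so neither is listed.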

That’s it! I hope you enjoyed reading, and as always don’t be evil!



David Rucilez, aka Nullset, is the owner and operator of Nullset Computer Co. in Reno Nevada. His company focuses on supporting small and large business networking contracts. David graduated from Wright State University Ohio with a BS in Computer Science, and also holds the MCSE and CCNA certifications.
