# Intro to John the Ripper

- John the Ripper (AKA JtR or john) is a well-known penetration testing tool used for cracking passwords through various attacks, including brute-force and dictionary attacks
- The "jumbo" variant is recommended for our uses, as it has performance optimizations, additional features such as multilingual word lists, and support for 64-bit architectures
- John includes various tools for converting different types of files and hashes into formats that are usable by john, like `zip2john`

## Cracking Modes

- when john is run without a mode flag (`john <hash_file>`) it tries the three modes below in order: single crack, then wordlist, then incremental

### Single crack mode

- rule-based cracking technique that is most useful when targeting Linux credentials
- this technique generates password candidates based on the victim's username, home directory name, and [GECOS](https://en.wikipedia.org/wiki/Gecos_field) values, which are located in the `/etc/passwd` file, and mangles them with the rules in the `[List.Rules:Single]` section of `john.conf`
- on modern Linux systems the hashes themselves live in `/etc/shadow`, so the passwd entry has to be merged with its hash first (`unshadow /etc/passwd /etc/shadow > passwd`), otherwise john has GECOS data but nothing to crack

```bash
john --single passwd #where passwd is a copy of the /etc/passwd file (with hashes merged in) holding the target entry
```

### Wordlist mode

- technique used to crack passwords with a dictionary attack, meaning it attempts all passwords in a supplied wordlist against the password hash

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt <hash_file>
```

### Incremental mode

- powerful, brute-force-style password cracking mode that generates candidate passwords using character-frequency tables trained on real passwords, so likelier combinations are tried first (john's separate `--markov` mode is the one actually built on Markov chains)
- designed to test all character combinations defined by a specific character set, prioritizing more likely passwords based on the training data
- john uses predefined incremental modes specified in its configuration file (`john.conf`), which define character sets and password lengths
- these defaults can be customized to target passwords that use special characters or specific patterns; see `/etc/john/john.conf`

![[images/Pasted image 20251006090913.png]]

```bash
john --incremental <hash_file>
```

## Identifying hash modes

- password hashes may appear in an unknown format, and even john may not be able to identify them with complete certainty (a bare 32-hex-digit string, for example, could be MD5, NT or LM)
- consult [JtR's sample hash documentation](https://openwall.info/wiki/john/sample-hashes) or [this list by PentestMonkey](https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats) to identify the hash mode

```bash
hashid -j <hash> #attempt to identify the hash mode; -j prints the matching john format names
```

- john supports hundreds of hash formats; `john --list=formats` prints the names accepted by `--format`

```bash
john --format=<hash_format> <hash_file>
```

## Cracking files

- multiple xxx2john tools exist for producing a hash based on an input file

![[images/Pasted image 20251006091809.png]]

```bash
xxx2john <file_to_crack> > file.hash
```

- common xxx2john tools

|**Tool**|**Description**|
|---|---|
|`pdf2john`|Converts PDF documents for John|
|`ssh2john`|Converts SSH private keys for John|
|`mscash2john`|Converts MS Cash hashes for John|
|`keychain2john`|Converts OS X keychain files for John|
|`rar2john`|Converts RAR archives for John|
|`pfx2john`|Converts PKCS#12 files for John|
|`truecrypt_volume2john`|Converts TrueCrypt volumes for John|
|`keepass2john`|Converts KeePass databases for John|
|`vncpcap2john`|Converts VNC PCAP files for John|
|`putty2john`|Converts PuTTY private keys for John|
|`zip2john`|Converts ZIP archives for John|
|`hccap2john`|Converts WPA/WPA2 handshake captures for John|
|`office2john`|Converts MS Office documents for John|
|`wpa2john`|Converts WPA/WPA2 handshakes for John|

## Recovering recently cracked passwords

```bash
#john.pot is updated each time a password is successfully cracked
cat ~/.john/john.pot
john --show <hash_file> #prints the cracked entries of a hash file as user:password, read from the pot file
john --restore #resumes an interrupted session from its session file (~/.john/john.rec), not from the pot file
```

![[images/Pasted image 20251006092951.png]]
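The three cracking modes above, reduced to their mechanics against unsalted MD5 (john's `Raw-MD5` format). This is an added illustration, not john's code: the passwd entry, wordlist and hash file are constructed for the demo, the single-mode rule set is a tiny stand-in for `[List.Rules:Single]`, and the incremental stage enumerates the charset in plain lexicographic order instead of john's frequency-trained order.

```python
"""Toy re-implementation of john's single, wordlist and incremental modes.
Added example; not john's own code. All inputs are constructed."""
import hashlib
import itertools
import string

# Constructed inputs (not real credentials).
PASSWD_LINE = "jdoe:x:1001:1001:John Doe,Room 42:/home/jdoe:/bin/bash"
WORDLIST = ["password", "123456", "sunshine", "letmein", "qwerty"]
HASH_FILE = {  # user -> hex MD5, mirroring a "user:hash" Raw-MD5 file
    "jdoe": hashlib.md5(b"Doe1").hexdigest(),          # falls to single mode
    "svc-backup": hashlib.md5(b"sunshine").hexdigest(),  # falls to wordlist mode
    "pin": hashlib.md5(b"7341").hexdigest(),           # falls to incremental mode
}


def single_candidates(passwd_line):
    """Single mode: seed words come from the login, GECOS and home dir,
    then a few mangling rules (stand-in for john's Single rules) are applied."""
    user, _, _, _, gecos, home, _ = passwd_line.split(":")
    seeds = {user, home.rsplit("/", 1)[-1]}
    for field in gecos.split(","):
        seeds.update(field.split())
    for word in sorted(seeds):
        for variant in {word, word.lower(), word.capitalize(), word[::-1]}:
            yield variant
            for suffix in "0123456789!":
                yield variant + suffix


def wordlist_candidates(words):
    """Wordlist mode: every dictionary entry, verbatim (no rules)."""
    yield from words


def incremental_candidates(charset, max_len):
    """Incremental mode: exhaustive over a charset, shortest first.
    John orders these by trained character frequencies; this is lexicographic."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def crack(hash_file, candidates):
    """Hash each candidate and look it up. Returns {user: plaintext}."""
    targets = {}
    for user, digest in hash_file.items():
        targets.setdefault(digest, []).append(user)
    found = {}
    for cand in candidates:
        digest = hashlib.md5(cand.encode()).hexdigest()
        for user in targets.pop(digest, []):
            found[user] = cand
        if not targets:  # everything cracked, stop early like john does
            break
    return found


def run_all_modes():
    """Run the modes in john's default order, dropping cracked hashes as we go."""
    remaining = dict(HASH_FILE)
    results = {}
    for mode, cands in (
        ("single", single_candidates(PASSWD_LINE)),
        ("wordlist", wordlist_candidates(WORDLIST)),
        ("incremental", incremental_candidates(string.digits, 4)),
    ):
        found = crack(remaining, cands)
        results[mode] = found
        for user in found:
            remaining.pop(user)
    return results


if __name__ == "__main__":
    for mode, found in run_all_modes().items():
        print(f"{mode:12s} {found}")
```

Each stage only sees the hashes the previous stages left behind, which is why a hash derived from GECOS data never costs a brute-force run: the cheap modes are tried first and the expensive incremental stage is reserved for what remains.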
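Shape-based identification as described in the hash-mode section above, added here to show why a guess is often a list rather than a single format. This is not john's or hashid's code; the signature table is a small constructed subset of john's real `--format` names, and the input parser assumes the page's `user:hash` layout (pwdump-style lines with more fields are not handled).

```python
"""Guess john --format names from the shape of a hash. Added example,
not john's or hashid's code; the table is a deliberately small subset."""
import re

# (pattern, candidate john format names). Ambiguity is the point: a bare
# 32-hex-digit string could be Raw-MD5, NT, LM or Raw-MD4.
SIGNATURES = [
    (re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"), ["md5crypt"]),
    (re.compile(r"^\$5\$"), ["sha256crypt"]),
    (re.compile(r"^\$6\$"), ["sha512crypt"]),
    (re.compile(r"^\$2[abxy]\$\d\d\$[./0-9A-Za-z]{53}$"), ["bcrypt"]),
    (re.compile(r"^\$NT\$[0-9a-fA-F]{32}$"), ["NT"]),
    (re.compile(r"^\*[0-9A-F]{40}$"), ["mysql-sha1"]),
    (re.compile(r"^[0-9a-fA-F]{32}$"), ["Raw-MD5", "NT", "LM", "Raw-MD4"]),
    (re.compile(r"^[0-9a-fA-F]{40}$"), ["Raw-SHA1"]),
    (re.compile(r"^[0-9a-fA-F]{64}$"), ["Raw-SHA256"]),
    (re.compile(r"^[0-9a-fA-F]{128}$"), ["Raw-SHA512"]),
]


def extract_hash(line):
    """Accept a bare hash or a 'user:hash' line (assumption: no other layouts)."""
    fields = line.strip().split(":")
    return fields[1] if len(fields) > 1 else fields[0]


def guess_formats(line):
    """Every john format whose shape matches, most specific first; [] if none."""
    digest = extract_hash(line)
    matches = []
    for pattern, names in SIGNATURES:
        if pattern.match(digest):
            for name in names:
                if name not in matches:
                    matches.append(name)
    return matches


def john_commands(line, hash_file):
    """One `john --format=...` invocation per candidate, to try in turn."""
    return [f"john --format={fmt} {hash_file}" for fmt in guess_formats(line)]


if __name__ == "__main__":
    # Constructed sample: MD5("password"), which is also a valid NT/LM/MD4 shape.
    sample = "jdoe:5f4dcc3b5aa765d61d8327deb882cf99"
    for cmd in john_commands(sample, "hashes.txt"):
        print(cmd)
```

When the guess is ambiguous, john itself will only load the hashes for the one `--format` you name, so the practical workflow is to run each candidate in turn (or let `hashid -j` and the sample-hash wiki narrow it down) rather than trust the first match.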
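How the pot file is joined back to a hash file, i.e. what `john --show` does in the recovery section above. This is an added example rather than john's code; both files below are constructed samples, and it assumes the ciphertext john wrote to the pot is byte-identical to the one in the hash file (john normalises some formats before writing, so real runs may differ) and contains no colon, while the plaintext may.

```python
"""Join ~/.john/john.pot against a hash file the way `john --show` does.
Added example, not john's code; both inputs are constructed samples."""

# Constructed pot file: "ciphertext:plaintext" per cracked hash. The last
# entry has colons in the plaintext, so we must split on the FIRST ':' only.
POT_FILE = """\
$6$rounds=5000$saltsalt$zJn0Y9rQ:Summer2024!
5f4dcc3b5aa765d61d8327deb882cf99:password
$1$salty$Abc123XYZ:pa:ss:word
"""

# Constructed hash file in john's "user:hash" layout. svc is not cracked
# yet, and the final line carries no user name at all.
HASH_FILE = """\
root:$6$rounds=5000$saltsalt$zJn0Y9rQ
jdoe:5f4dcc3b5aa765d61d8327deb882cf99
bob:$1$salty$Abc123XYZ
svc:$6$other$stillrunning
5f4dcc3b5aa765d61d8327deb882cf99
"""


def parse_pot(text):
    """Map ciphertext -> plaintext. Assumption: the ciphertext has no ':'."""
    cracked = {}
    for line in text.splitlines():
        if line.strip():
            ciphertext, _, plaintext = line.partition(":")
            cracked[ciphertext] = plaintext
    return cracked


def show(hash_text, pot_text):
    """Return (['user:plaintext', ...] for cracked lines, count left uncracked)."""
    cracked = parse_pot(pot_text)
    shown, left = [], 0
    for line in hash_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) == 1:
            user, ciphertext = "?", fields[0]  # john prints '?' for a userless line
        else:
            user, ciphertext = fields[0], fields[1]
        if ciphertext in cracked:
            shown.append(f"{user}:{cracked[ciphertext]}")
        else:
            left += 1
    return shown, left


if __name__ == "__main__":
    lines, left = show(HASH_FILE, POT_FILE)
    print("\n".join(lines))
    print(f"{len(lines)} password hashes cracked, {left} left")
```

The join is keyed on the ciphertext, not the user name, which is why the same hash appearing under two accounts (or with no account) is reported for each, and why the pot file is reusable across engagements: any hash already in it is shown as cracked without running john again.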