John the Ripper is a popular password cracking tool that can be used to perform brute-force attacks against different encryption technologies, with the help of wordlists. It’s often what pen-testers and ethical hackers use to find the true passwords behind hashes.
This open-source package is free to download and has several modules for generating hashes from a range of file types, such as Secure Shell (SSH) keys with ssh2john, .kdbx files with keepass2john, and password-protected zip archives with zip2john. You can then use these hashes as input to find the password with John the Ripper.
Pen-testing distributions such as Kali Linux and Parrot OS usually include the full package, so you won’t need additional installations.
John the Ripper can demonstrate how easy it is to reveal weak passwords (and the seemingly more sophisticated ones) using a leaked database and a free tool.
Of course, it’s only one tool in the pen-tester’s arsenal, but it’s particularly convenient to use, and it automates lots of manual operations you would have to run otherwise.
Setting Up Your Environment
You’ll need a proper lab to test the command lines. The easiest way is to use a virtual machine with a dedicated operating system like Kali Linux.
There are other installation modes available, for example, on Debian-based machines:
sudo apt-get install john -y
However, you may have to install additional modules manually to crack specific file types, such as zip archives. You’ll also need samples to attack, which are easy to find on platforms such as GitHub, but you can also generate your own hashes.
In terms of hardware, tutorials sometimes recommend large RAM (16GB) and a good graphics processing unit (GPU). But that would be for more advanced uses, so any recent computer will do the job correctly. For our example, we won’t need a powerful machine.
Understanding Password Cracking
Before we dive into a practical example, you have to understand the basics of password cracking. The most popular techniques associated with password cracking are brute-force and dictionary attacks. Cracking often comes after critical data has been stolen, such as databases that contain credentials. In the worst-case scenario, the credentials are in plain text, but most of the time you only get a hash.
Still, if the password is short and/or weak, John the Ripper can crack such data quickly. In general, the time required to crack passwords is directly linked to the strength of the password but, above all, its length.
That’s why experts often say these kinds of attacks are about time and calculation power, but if you don’t secure your passwords, they will be found at the speed of light. Or at least a good GPU.
How to Crack Passwords with John the Ripper
The “john” command has an extensive range of options and flags you can use to run accurate sessions and match the specific format and encryption of your targeted password.
The tool has built-in wordlists that apply by default, but you can specify your own with --wordlist followed by the path to your custom wordlist.
Using only the built-in features and the MD5 hash of a weak password (not even “123456”), I was able to retrieve the true password in seconds:
echo "4f95578c0f588e028b8e2ea441fc683b" > hash.txt
john hash.txt --format=Raw-MD5
# julien2022 (?)
If you need to crack a password-protected zip, just generate a hash with zip2john and pass “zip” as the format argument:
john --format=zip hash-zip.txt
It’s the same method with .kdbx databases and SSH private keys. First, you generate the hash, then you pass it to John.
How to Secure Passwords against the Ripper
The best recommendation to defend against tools like John the Ripper is to have a strong password policy, which means using long and random passwords.
Again, the length is the key. It’s the most critical point you have to check. Unfortunately, bad security policies push users towards predictable strategies and sometimes prevent passwords from exceeding eight characters, but whenever you can, use long strings.
There are security products and open-source modules that can check your databases and force users to use strong passwords and update them regularly. To ease the user experience with all of those complicated passwords, use password managers to autofill credentials.
Indeed, the best password is probably the one you can’t remember, as there are known techniques to build custom wordlists based on famous songs, artists, movies and other elements, including various combinations you might find clever.
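The following Python check is an added example, not code from the article or from John the Ripper. It rejects passwords that are too short or that reduce to a wordlist entry once trailing digits and common substitutions are removed, which is the pattern behind “julien2022”. The sample wordlist, the 16-character minimum and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample wordlist; a real check would load a large list such as
# the open-source ones the article mentions.
SAMPLE_WORDLIST = {"julien", "password", "dragon", "letmein", "summer"}
MIN_LENGTH = 16  # assumed policy value, not taken from the article

# Common character substitutions undone before the wordlist lookup.
DELEET = str.maketrans("013457@$!", "oleastasi")


def brute_force_bits(password: str) -> float:
    """Upper bound on exhaustive-search cost: length * log2(character pool)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def wordlist_core(password: str) -> str:
    """Reduce 'Julien2022' or 'P@ssw0rd!' to the base word a cracker would try."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    core = core.lstrip(string.digits)
    return core.translate(DELEET)


def audit(password: str, wordlist=SAMPLE_WORDLIST) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if wordlist_core(password) in wordlist:
        findings.append("dictionary word with predictable decoration")
    return findings


if __name__ == "__main__":
    for candidate in ("julien2022", "P@ssw0rd!", "vR7#qLm2xT9!bWc4Zp"):
        print(candidate, round(brute_force_bits(candidate), 1), audit(candidate))
```

The bit estimate only holds for random strings: “julien2022” scores about 52 bits on paper, yet it falls to a wordlist with simple rules, which is why the wordlist check runs alongside the length check.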
John the Ripper Review Summary
In my experience, John the Ripper deserves its reputation, with far more pros than cons.
- Easy to install
- Recommended by professionals
- Supports a large range of encryption and formats
- Intelligence: uses sessions to remember previous results and can detect multiple hash types and salts automatically
- Particularly efficient when combined with open-source wordlists like seclists
- Can be complemented with Johnny for those who prefer using a graphical user interface (GUI) instead of command lines
- The one negative is it depends too much on the results of previous cyber attacks (e.g., leaks, stolen hashes)