Comprehensive Guide to John the Ripper. Part 1: Introducing and Installing John the Ripper

Table of contents

1. Introducing and Installing John the Ripper

1.1 What is John the Ripper

1.2 How John the Ripper and Hashcat differ

1.3 How to install video card drivers for John the Ripper

1.3.1 Installing video drivers in Windows

1.3.2 Installing video drivers on Linux

1.4 How to compile John the Ripper on Linux from source code

1.5 How to install John the Ripper on Windows

1.6 John the Ripper check

1.7 How to use a graphics card to brute-force in John the Ripper

1.8 How to use video CPU core in JtR

1.9 How to run John the Ripper benchmark

1.10 How to set up John the Ripper

1.11 Compilation difference with AVX2 and AVX for John the Ripper

1.12 Result for the first part

2. Utilities for extracting hashes

3. How to start cracking passwords in John the Ripper (how to specify masks, dictionaries, hashes, formats, modes)

4. Practical examples of John the Ripper usage

5. Rule-based attack

6. 

7,


What is John the Ripper

John the Ripper is a popular password cracker that is capable of brute-force using both the CPU and the video card and supports many algorithms. To be more precise, this is an offline brute-forcer (online brute-forcers perform the attack by connecting to network services, and offline crackers work with captured hashes (files) to which they guess a password).

Even if you are already familiar with Hashcat (and even more so if you are NOT familiar with Hashcat), you need to learn how John the Ripper works, since they are different.

How John the Ripper and Hashcat differ

1.

Hashcat can use a video card, CPU, or both for brute-force.

John the Ripper can use one thing: either the video card, or the video core of the CPU, or only the CPU.

2.

Hashcat can use the graphics card to crack any supported algorithms.

John the Ripper for GPU Cracking only supports certain kinds of algorithms.

3.

If you have several video cards, Hashcat out of the box supports working with multiple devices at once and by default splits the task into the required number of threads and the size of each task is tied to the performance of the video card.

John the Ripper can work with multiple graphics cards, but by default, splitting a task across multiple graphics cards is only supported for one algorithm.

4.

It doesn't matter to Hashcat how you installed it: built from source or downloaded a binary file.

It is very important for John the Ripper to compile the binary himself, as the compilation takes into account the specifics of your system. As a result, during compilation, the instruction sets supported by the processor will be indicated, for example, AVX2 instead of the default AVX, which will have a very significant impact on performance – for some algorithms, this will speed up brute-forcing by 2 times! Alternatively, John's binaries compiled on newer hardware may not work on some computers.

5.

For Hashcat, you must specify the hash type.

John the Ripper determines the hash itself, or you can explicitly specify the hash format.

6.

The syntax for commands and options varies greatly.

7.

About cracking a password in John the Ripper on a video card, you need to know that brute-force on a graphics card takes a long time to launch – this is noticeable even in the benchmark. Therefore, if you need to execute many short sessions, then sometimes it is more rational to use the CPU, on which the brute-force is launched immediately.

How to install video card drivers for John the Ripper

If you want to use the GPU to crack passwords (which is many times faster than on the central processor), then you need to install the video driver.

For brute-force can be used:

  • CPU
  • video core of CPU
  • GPU

You need to choose one of these – the fastest option is a video card.

Of course, the specific configurations of computers may vary: some do not have a discrete graphics card, some do not have a video core on a CPU – I hope you can check this yourself.

Installing video drivers in Windows

In this OS, everything is simple – most likely, the video drivers for your graphics card are already installed. If not, go to the manufacturer's website, download and install the driver.

If you suddenly want to use the video core of the CPU (this is pointless if you have at least some kind of discrete video card, nevertheless – perhaps you just do not have a dedicated graphics card), then you need to install “OpenCL Runtime for Intel Core and Intel Xeon Processors”. If you really need it, you can find the links you need in this article on Hashcat, which also uses this driver.

Installing video drivers on Linux

On Kali Linux

Upgrade and reboot your Kali installation:

sudo apt update && sudo apt full-upgrade -y
reboot

Installing video drivers for NVIDIA on  Linux

sudo apt install -y ocl-icd-libopencl1 nvidia-driver nvidia-cuda-toolkit

Enabling OpenCL for Intel

If your CPU supports OpenCL, then install the following packages:

sudo apt install firmware-misc-nonfree intel-opencl-icd

On Arch Linux, BlackArch

Enabling OpenCL for NVIDIA

Remove xf86-video-nouveau there it is:

sudo pacman -R xf86-video-nouveau

Install proprietary NVIDIA driver, CUDA and other required packages:

sudo pacman -S nvidia nvidia-utils opencl-nvidia opencl-headers cuda

Enabling OpenCL for Intel

sudo pacman -S linux-firmware intel-compute-runtime pocl

Friends, I need your help – if you have a different distribution kit or AMD video card, write in the comments how you installed the video driver – I will add this information here.

How to compile John the Ripper on Linux from source code

As already mentioned, it is important to build John the Ripper yourself so that it uses all the features of your processor. Another advantage of this approach is that we get the most recent version of John the Ripper.

Installing the required dependencies in Kali Linux:

sudo apt install build-essential libssl-dev yasm libgmp-dev libpcap-dev libnss3-dev libkrb5-dev pkg-config

Installing required dependencies on Arch Linux, BlackArch:

sudo pacman -S openssl yasm gmp libpcap nss krb5 pkg-config

The following is the same in any distribution:

wget https://github.com/openwall/john/archive/bleeding-jumbo.zip
unzip bleeding-jumbo.zip
rm bleeding-jumbo.zip
cd john-bleeding-jumbo/src/
./configure && make

Please note that in the last command you can use the -j option after which specify the number of (logical) cores of your processor, for example, I have 12 logical cores, then I use:

./configure && make -j12

Now go to the run folder:

cd ../run

And run the test:

./john --test

You don't need to install John the Ripper at the system level – move the run folder to a location convenient to you and run John from there. In addition to the John the Ripper executable, the run folder contains many scripts for extracting hashes – we will talk about them later.

Remember that if you type in the terminal

john

then the version preinstalled on the system will run, not the one you compiled.

Installing John the Ripper on Debian, Linux Mint, Ubuntu

The installation should be performed exactly the same as in Kali Linux. So refer to the Installing John the Ripper on Kali Linux section. If something did not work out for you, then write here in the comments indicating your distribution kit and error.

How to install John the Ripper on Windows

We'll look at compiling John the Ripper from source on Windows sometime later. Let's use the official binary file.

Install Cygwin first – just go to the official website https://www.cygwin.com/, download the setup-x86_64.exe file and install.

Download the winX64_1_JtR.7z file from https://github.com/openwall/john-packages/releases/tag/jumbo-dev.

Unzip the contents of this archive into the C:\cygwin64\home\<USERNAME> folder, for example, my username is MiAl, so I unpack it to C:\cygwin64\home\MiAl\.

It is actually possible to run John the Ripper on Windows even without Cygwin, but in this case it will not be able to use OpenCL (video cores) for brute-force.

Now in the folder C:\cygwin64\home\<USERNAME>\JtR\run\ find cygOpenCL-1.dll file and rename it to cygOpenCL-1.dll.bac.

Then in the c:\Windows\System32 folder find the OpenCL.dll file and copy it to the C:\cygwin64\home\<USERNAME>\JtR\run\ folder.

Then, in the C:\cygwin64\home\<USERNAME>\JtR\run\ folder, rename the OpenCL.dll file to cygOpenCL-1.dll.

The file swap trick may not work for all systems – but either way, you can use the CPU or integrated graphics to hack.

Open Cygwin console to execute commands.

Run test:

~/JtR/run/john --test=0

Run your system benchmark:

~/JtR/run/john --test

Still, JtR is one of those programs that primarily targets Linux. Further you will see that we will run scripts to generate (extract) hashes from files and, for example, some of the auxiliary programs/scripts need, for example, an installed Python environment, which is present in Linux by default.

John the Ripper check

In this section, we will check what devices John the Ripper sees for use during brute force.

The options are the same on any system, but remember that on Windows, to run John the Ripper, you need to open Cygwin and specify ~/JtR/run/john as the executable file.

If you run a file installed from the standard repositories in Linux, then it is enough to write simply

john

If you run a file compiled from the source code, then go to the directory with the executable file (in the program folder this is the run directory) and specify as the executable file

./john --list=opencl-devices

As you can see, I have three devices:

1 – video core of the central processor:

Platform #0 name: Intel(R) OpenCL HD Graphics, version: OpenCL 2.1 
    Device #0 (1) name:     Intel(R) Gen9 HD Graphics NEO
    Device vendor:          Intel(R) Corporation
    Device type:            GPU (LE)
    Device version:         OpenCL 2.1 NEO 

2 – discrete video card

Platform #1 name: NVIDIA CUDA, version: OpenCL 1.2 CUDA 11.0.228
    Device #0 (2) name:     GeForce GTX 1050 Ti
    Device vendor:          NVIDIA Corporation
    Device type:            GPU (LE)
    Device version:         OpenCL 1.2 CUDA
    Driver version:         450.66 [recommended]

3 – CPU

Platform #2 name: Portable Computing Language, version: OpenCL 1.2 pocl 1.5, Release, LLVM 10.0.0, RELOC, SPIR, SLEEF, POCL_DEBUG
    Device #0 (3) name:     pthread-Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
    Device vendor:          GenuineIntel
    Device type:            CPU (LE)
    Device version:         OpenCL 1.2 pocl HSTR: pthread-x86_64-pc-linux-gnu-znver1
    Driver version:         1.5 

Likewise on Windows:

~/JtR/run/john --list=opencl-devices

As already mentioned, John the Ripper cannot just work with any supported algorithms using OpenCL – a module must be created for them. Therefore, some algorithms can only be cracked on a CPU, while some algorithms can be cracked on a GPU or on a CPU.

The list of algorithms may vary by OS and by installed dependencies.

To see the list of supported algorithms:

./john --list=formats

The list is too big for one screen:

To see a list of algorithms for cracking on OpenCL:

./john --list=formats --format=opencl

Much smaller, but Wi-Fi is there.

How to use a graphics card to brute-force in John the Ripper

By default, JtR uses the CPU even if all the required OpenCL drivers are installed.

To enable the graphics card, you need to use the --format option and explicitly specify the algorithm that OpenCL supports.

For example, to benchmark the wpapsk algorithm on a video card:

./john --test --format=wpapsk-opencl

To hack wpapsk on the central processor, you need to run something like this:

./john --test --format=wpapsk

As you can see in the screenshots: 114975/17385 = 6.61, that is, the speed of brute-forcing passwords has increased more than 6 times.

How to use video CPU core in JtR

As you already know, OpenCL devices are discrete graphics and integrated graphics (video core of the CPU). By default, brute-force is launched on a discrete video card.

With the -dev option, you can explicitly specify the device to do the computation: gpu (discrete graphics) or cpu (integrated graphics).

Running a speed test on the video processor core:

./john --test --format=wpapsk-opencl -dev=cpu

Running a speed test on the video core of a dedicated video card (default):

./john --test --format=wpapsk-opencl -dev=gpu

How to run John the Ripper benchmark

To check the speed of brute-force passwords in JtR, use the --test option.

./john --test

This option can be used with a number – the number of seconds that the test will run.

./john --test=10

If you want to check the speed of only a certain algorithm, then use the --format option.

An example of a test of the speed of cracking a Wi-Fi password by a central processor:

./john --test=10 --format=wpapsk

An example of a test of the speed of cracking a Wi-Fi password with a discrete video card:

./john --test=10 --format=wpapsk-opencl

If you only need to check the operation of cracking of various algorithms without running a benchmark, then specify 0 as the value of the --test option:

./john --test=0

How to set up John the Ripper

John the Ripper has a settings file with a lot of options. This file is called john.conf and is located in the same folder as the john executable.

Provide good cooling; watch the temperature. If the OpenCL runtime supports this, the GPU temperature will be monitored and displayed in the status bars, and there is a user-configurable limit in john.conf that will shutdown at 95 ° C.

This setting is set by the directive:

AbortTemperature = 95

The temperature is indicated in degrees Celsius - °C.

Instead of interrupting, you can stop the program for this number of seconds to cool down the GPU when the temperature reaches the AbortTemperature value, then the program will re-check the temperature and either continue or pause. Set to 0 to just quit.

If SleepOnTemperature = 1 (one second) is specified, then no pause/resume messages will be displayed, since such a short value is interpreted as a desire to keep the temperature of the video card near the extreme value. Default directive value:

SleepOnTemperature = 1

Compilation difference with AVX2 and AVX for John the Ripper

To view build parameters use the --list=build-info option:

./john --list=build-info

Benchmark of two versions of programs:

1. This half of the screenshot is a benchmark for the latest version of JtR that I compiled from source. Since my CPU supports AVX2, John the Ripper supports that as well.

2. And I installed this one from the standard repository of my distribution – it is compiled with AVX.

The difference is significant.

Result for the first part

So, this is the first part on John the Ripper – a popular offline brute force. In it, we learned the tricks for installing JtR, and also learned how to test the speed of brute-forcing passwords, turn on the video card for use and control actions when overheating.

When running such programs (John the Ripper and Hashcat), you need to take care of proper cooling. If your computer/laptop overheats, then the brute-force speed will drop very significantly.

The next parts will be even more interesting! We'll learn how to extract password hashes and launch dictionary and mask attacks, and much more!

Recommended for you:

Leave a Reply

Your email address will not be published.