John The Ripper Windows 10 Password


Giacometta Fritchman

Aug 5, 2024, 8:56:39 AM
to stitbanmoygrad
John the Ripper is password-cracking software used by penetration testers and security professionals. It is free and open source. It was originally written for Unix systems, but it now runs on many other platforms, including Windows and macOS. It was first released in 1996 and is maintained by Openwall; the latest core release is 1.9.0, published in 2019. Given a file of stored password hashes, it can detect the hash type automatically, and it combines several cracking modes, principally dictionary (wordlist) and brute-force (incremental) attacks, to recover the passwords behind hashes taken from a system or application.

Password crackers can be online or offline. Online password crackers, such as Hydra, are used to brute-force live network services and web login forms. Online brute forcing becomes impractical when the remote system rate-limits sign-in attempts or locks users out indefinitely after a predefined number of invalid logins.


In these scenarios, an offline password cracker works instead on a copy of the stored password data, such as hashes taken from a password database or a memory dump, with no further interaction with the target. Since systems and applications rarely store passwords without cryptographic protection, the stored values must be cracked before they can be used.


A popular offline password cracker is John the Ripper. It lets security practitioners recover passwords from hashed or encrypted password values, from message authentication codes (MACs) and hash-based MACs (HMACs) computed over a password, and from other artifacts of the authentication process.


Editor's note: It is possible to use John the Ripper -- and any password cracker -- lawfully and unlawfully. It is up to you to ensure your usage is lawful. Get the appropriate permission and approval before attempting to crack passwords, and handle the information obtained ethically. If you are unsure whether a given usage is lawful, do not proceed until you have confirmed that it is -- for example, by discussing and validating your planned usage with your organization's counsel.


The tool is also notable for its ubiquity and accessibility. It is in the default repositories of many Linux distributions, including Debian and Ubuntu, and is installed by default in most penetration-testing distributions, including Kali and BlackArch. A snap package is available, as are several container images on Docker Hub.


Simply put, John cracks passwords. It reimplements the password-hashing routine of the target storage mechanism so that large numbers of candidate passwords can be tried locally, at full speed, without going through the target's own login or password-validation path.


Before using John the Ripper, one important note: we use VMs here to illustrate usage. For this tool specifically, performance matters. Weigh the advantages and disadvantages of virtualization in your own context. For example, on IaaS, paying for CPU time can be an expensive proposition, and you may get better performance running the tool on the host OS rather than in a guest.


That aside, John is simple to use. At a minimum, you specify the file of stored password values you want to crack. Given nothing else, the tool tries to identify the format of the stored values and runs through its default sequence of cracking modes. In most cases, though, you should provide more information, such as the format and a wordlist, so the tool can work most effectively.


While not necessary in every case, it helps to know the format passwords are stored in. Applications may manipulate values in ways John does not expect; a web application, for example, might Base64- or URL-encode a hash before storing it. It also helps because John's built-in format detection can be wrong. Consider two values that look identical but were produced very differently: a plain MD5 hash and a keyed MD5 hash (HMAC-MD5). Both are 16 bytes, but John cannot tell from the output alone which process produced it, so you must supply the missing information: the format and, for a keyed hash, the key.


Figure 2 illustrates the unshadow command, which is distributed with John the Ripper in most packages. It combines the contents of /etc/passwd and /etc/shadow on a Linux VM, in this case Kali, into a single file that john can read. We then ran john and specified the format, in this case crypt. Since we did not specify a cracking mode, John begins with single-crack mode, then proceeds to wordlist mode (no wordlist was given, so it uses the default) and, finally, incremental mode.
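As an added example (the editor's own code, not the article's and not a tool shipped with John the Ripper), the following Python reproduces what unshadow does on constructed passwd and shadow lines: it replaces the x placeholder in each passwd record with the hash field from the shadow record of the same username, so john sees the hash alongside the login name, GECOS and home-directory fields that its single-crack mode mines for candidates. The optional users filter implements the tip that appears later on this page about trimming the file to the one account you care about. The hash strings in the sample data are constructed placeholders, not real digests of any password.

```python
# Added example: a Python reimplementation of the unshadow merge step.
# Input lines below are constructed for this example; the hash fields
# are placeholders and are not real digests of any password.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:Kali Linux,,,:/home/kali:/usr/bin/zsh
"""

SHADOW = """\
root:$6$examplesalt$CONSTRUCTEDPLACEHOLDERHASH:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
kali:$y$j9T$examplesalt$CONSTRUCTEDPLACEHOLDERHASH:19500:0:99999:7:::
"""


def unshadow(passwd_text, shadow_text, users=None):
    """Merge passwd and shadow records the way unshadow(8) does.

    Each passwd line keeps its seven fields, but field 2 (normally 'x')
    is replaced by the hash field of the shadow record with the same
    username.  If users is given, only those accounts are emitted, which
    is the cheap way to crack "just root" instead of every account.
    """
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            hashes[fields[0]] = fields[1]

    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid passwd record
        if users is not None and fields[0] not in users:
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def crackable(merged_line):
    """True if the hash field could hold a real hash john can attack.

    Locked or passwordless accounts carry '*', '!', '!!' or an empty
    field; john skips those, so it is worth knowing how many real
    targets the merged file contains before starting a long run.
    """
    field = merged_line.split(":")[1]
    return bool(field) and field[0] not in "*!" and field != "x"


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(("     " if crackable(line) else "skip ") + line)
    # The merged output is what you would save to a file and hand to:
    #   john --format=crypt merged.txt
```

The merged file is the only thing john needs; the daemon line is carried through unchanged and skipped at crack time because its hash field is a lock marker rather than a hash.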


In a more complicated example, Figure 3 shows an attempt at cracking Microsoft Windows passwords. As with the Linux example, the stored hashes must first be put into a format John the Ripper understands; to do that, we extracted them with PwDump v8.2.


These values are fed into John the Ripper to crack in Figure 4. We specified wordlist mode and pointed it at rockyou.txt, one of the wordlists that ships by default with most security-focused Linux distributions. On Kali it arrives compressed (/usr/share/wordlists/rockyou.txt.gz), so you may need to extract it first. The passwords were set to weak values, dictionary words in all cases, so that cracking would complete quickly. These two examples demonstrate the most universally applicable and most basic usage of John the Ripper. For more advanced usage, you may need to get a little creative. Sometimes the stored password values you obtain are not in one of the formats John supports out of the box; with a little research and a few clever modifications, you can often convert them into one that is.


I'm pentesting for a class in Kali Linux, cracking a Windows 7 password. I mounted the Windows hard drive in Kali, ran PWDUMP7 and got the hashes saved on the desktop. It's only showing some of the users, but not any that I created for testing... that's another issue by itself. The default system admin 'IEUser' should at least work, right?


It appears to not even run, and using "Show" even says that it wasn't cracked. I have absolutely no idea what's going on with this, and nobody else seems to have this problem that I can see...What am I missing?


As best as I can figure, you are mistaken about what you expect. John finished quickly because it successfully cracked the password you requested. The rest is just an error in using john --show as far as I can tell. I repeated your steps as follows:


We indeed see it matches our original input in hash.txt. Now we will show all cracked passwords for John in the NT format using our pot file (the record John keeps of cracked passwords during sessions).


John the Ripper is a password cracking tool originally produced for Unix-based systems. Its main objective is to correctly guess ("crack") a password. It uses several modes to test password strength, such as wordlist, single crack, incremental and external modes.


For Windows users, download the zip file listed here. Extract it and open the "run" folder in the Command Prompt. Once there (the prompt should read C:\john-1.9.0-jumbo-1-win64\run>), type john to run the application; running C:\john-1.9.0-jumbo-1-win64\run>john with no arguments lists all the available options. For other operating systems, see the John the Ripper guides here.


Its popularity stems from its ability to detect password hash types automatically and to run several kinds of attack, including the classic dictionary attack as well as brute force. It is also free and open source, with wide community support.


These days, this original John the Ripper source tree serves primarily as the core tree for John the Ripper -jumbo. A 1.9.0-jumbo-1 release based off this 1.9.0 core is coming shortly. Meanwhile, the bleeding-jumbo branch on GitHub is already updated to the 1.9.0 core.


While this is a major release (after almost 6 years since the 1.8.0 core release), the community's progress in development of jumbo has been so much greater that any changes I make to core are relatively small, as is core itself. Yet they are important. Besides serving as the core for jumbo, other uses of this tree include cases where core's functionality alone is still sufficient or where (cross-)compiling jumbo for a given target system is too difficult or (as a first step in) porting John the Ripper to an unusual new platform.


Please stay tuned for the 1.9.0-jumbo-1 release and announcement, which will be "the real one". There's no way I'd be able to list jumbo's changes with the above level of detail - there have been way too many - but I plan on listing the release highlights.


_____________________________

when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.

RE: John the ripper taking too long
pansophic (MIS) 6 Oct 03 08:22
I generally agree with lullysing, but John is also a dictionary cracker. The dictionary that comes with it is poor at best. There are numerous dictionaries on the net, and installing them will greatly increase your speed of password recovery if people are using dictionary-based passwords.



And if you are only interested in the root password, then edit the password file to only include the user root. It will speed the cracking marginally (you only compare the hash against 1 hash, not 3).



I had to run John for 2 1/2 days on one machine to get a relatively easy root password with the default dictionary. But if you are curious whether John is still running, just check top. I'm sure that it will be relatively close to the top as it has a high CPU utilization.



Brute force password cracking is always possible, but it takes a long time unless the password is simple. Some of the things that you can do to improve the cracking performance involve using John's option switches to match password construction rules. If you know that a numeric or special character is required, then set those options in John. That way you won't waste time looking at all alpha passwords when they aren't even possible.



Oh, and a "salt" is an initialization vector for the hashing algorithm. It is the lack of a salt that makes Windows passwords so trivial to crack. On Unix, each machine has a salt that it uses (I don't recall how you arrive at it), so if you use the same password for two users on the same system, their hash will be the same, but if you use the same password on two different systems, the hash will likely be different.

pansophic

RE: John the ripper taking too long
Donboy (IS/IT--Management) (OP) 10 Oct 03 23:24
Thanks for all your help, guys. I feel pretty good about my passwords and my methods for logging in, but I wanted to use John as a final verification.



First, I have only one user account that is allowed to use SSH. It's an unprivileged account and the only purpose for the account is logging in to SSH. It is not used for FTP, email, or any other purpose, so if it turns up in my logs, I will know that's its only use.



Once I have logged in using that account, I will su - to change to the root account which has a totally different password. Of course it's a royal pain having to enter 2 different usernames and passwords, but security is obviously the greater concern.



If it weren't for the fact that I need to be able to SSH from different locations all the time, I would just disable SSH completely or only allow it from select IPs, but I never know where I'm going to be.



So do you think this scheme is pretty safe? Should I be doing something else that maybe I've not considered?



I had no idea John would take so long. I've been reading "Linux Security" by Ramon J Hontanon and while it's a very good book, it didn't say anything that suggested that it might take days to run John on my /etc/passwd file.



Thanks again for your insight.

RE: John the ripper taking too long
Sapient2003 (TechnicalUser) 14 Oct 03 14:37
John the Ripper is a great *nix password cracker. Its speed isn't so bad. It checks common passwords initially, like names, words, places, etc. If the password isn't found in the initial check, it then does true brute forcing (trying all possible password combinations). This step takes some time, depending on the length of the password. Because of all of the password possibilities, obviously it is going to take a while. No password cracker will be much faster.
--Sapient2003 - sap...@sapient2003.com

"The worst insecurity is believing you are too secure."
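The thread's remarks on salts and on how long a run takes are two sides of one cost question, so here is an added example in the editor's own code, not from the thread or from John the Ripper. It uses hashlib.sha256 purely as a simplified stand-in for the real crypt(3) algorithms (sha512crypt, yescrypt); the point is the salt handling, not the digest. In crypt(3) the salt is a random per-account value stored in the clear inside the hash field, so two accounts with the same password get different hashes and a wordlist has to be run once per account, whereas an unsalted scheme such as the Windows NT hash lets one pass over the wordlist test every account at once. The accounts, passwords and wordlist are constructed.

```python
# Added example: why a per-account salt multiplies cracking work.
# sha256 stands in for crypt(3)'s real algorithms here; the point is
# the salt handling, not the digest.  All data below is constructed.
import hashlib
import os


def unsalted_hash(password: str) -> str:
    """Unsalted, like the Windows NT hash: same password, same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, like crypt(3): the salt is stored beside the hash, in the clear."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(password: str) -> tuple:
    """What a salted account record stores: the random salt and the hash."""
    salt = os.urandom(8)             # crypt(3) draws a fresh salt per account
    return salt, salted_hash(password, salt)


# Constructed accounts; root and donboy deliberately share a password.
PASSWORDS = {"root": "sunshine", "donboy": "sunshine", "www": "Corr3ct-H0rse"}
UNSALTED = {u: unsalted_hash(p) for u, p in PASSWORDS.items()}
SALTED = {u: make_record(p) for u, p in PASSWORDS.items()}

# Constructed stand-in for a dictionary file.
WORDLIST = ["123456", "password", "sunshine", "qwerty", "dragon"]


def crack_unsalted(hashes, wordlist):
    """Returns ({user: password}, number of hash computations performed)."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for word in wordlist:
        work += 1                    # one digest tests every account at once
        for user in by_hash.get(unsalted_hash(word), ()):
            found[user] = word
    return found, work


def crack_salted(records, wordlist):
    """Returns ({user: password}, number of hash computations performed)."""
    found, work = {}, 0
    for user, (salt, h) in records.items():
        for word in wordlist:        # the whole list again for each account
            work += 1
            if salted_hash(word, salt) == h:
                found[user] = word
                break
    return found, work


def identical_hashes(hashes) -> bool:
    """Do the two accounts that share a password also share a stored hash?"""
    return hashes["root"] == hashes["donboy"]


if __name__ == "__main__":
    print("unsalted root == donboy:", identical_hashes(UNSALTED))
    print("salted   root == donboy:", SALTED["root"][1] == SALTED["donboy"][1])
    print("unsalted:", crack_unsalted(UNSALTED, WORDLIST))
    print("salted:  ", crack_salted(SALTED, WORDLIST))
```

With three accounts and a five-word list the unsalted run costs five hash computations and the salted run eleven (the list is exhausted for the account whose password is not in it); with thousands of accounts and a multi-million-word list that multiplier is the difference between minutes and days, which is also why trimming the input file to the accounts you actually need to crack helps.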
