John the Ripper Intro

First off, thanks to @hacktalkblog and @nberthaume for all the help they have given me with JtR and Hashcat. This post will be a basic rundown (with a couple of advanced parts) for people just starting in the world of hash cracking.

Let me start off by saying I use Cygwin because I run Windows 7, since I fail and refuse to run a Linux OS as my main. Meh. You only have to alter these commands slightly, I believe, if you are not using Cygwin.

cat *dictionaryfilelocation* | ./john --stdin --format=raw-*format* --pot=*filename*.pot --session=*name* --crack-status *hashfilelocation*

The above command should be pretty simple to understand, but I will break it down just in case. Everything between asterisks is a value you must set yourself.

For me, I use cat /cygdrive/b/*. That means I'm catting everything on my B drive (which is reserved for my wordlists). You only need to do this if you have MULTIPLE dictionary files that you want JtR to run through and test against; with a single wordlist, --wordlist=*file* in place of the cat pipeline and --stdin does the same job.

Next is --stdin, which just tells JtR to accept the candidate words being piped into it.

--format=raw-*format* tells JtR which hash type you are cracking, e.g. raw-md5 or raw-sha1 (john --list=formats prints every name it knows). In most cases dumps will be unsalted MD5 or SHA-1, from what I've seen in the past few months. If you leave --format off, JtR guesses the type from the hash file and tells you what it picked, along with any other types the strings could be; naming the format explicitly avoids a wrong guess.

Your pot file is where cracked hashes are written, one hash:plaintext pair per line. With a relative name like this it is created in the directory you run JtR from, i.e. the run directory. The output will look something like:

$dynamic_0$5fed917b9bb2d6ace789576b239901bd:1Q2W3E4R5T6Y7U8I9O0P

The --session=*name* is used for a couple of reasons:

  1. So that you can pause the cracking session (Ctrl-C or q) and resume it later with --restore=*name*; progress is saved in *name*.rec
  2. So that you can run multiple JtR sessions without a hassle, since each keeps its own .rec file

--crack-status prints a status line each time a password is cracked, which looks like this:

guesses: 3  time: 0:00:07:58  c/s: 127406M  trying: EHARMONY1Wannabethe1 – EHARMONY1azreal

Last in this command is the *hashfilelocation*. In my case it is:

/cygdrive/c/Users/username/Desktop/Pass\ Cracking/crackme/filename.txt

I keep all of the dumps I gather in that crackme directory for ease.

There are a few other ways to run JtR. I'll touch on running rules with the same general command as above:

cat *dictionarylocation* | ./john --pipe --format=raw-*format* --pot=*filename*.pot --session=*name* --rules=*rule* --crack-status *hashfilelocation*

The change to the above command is --pipe. I'm not sure why you have to run --pipe instead of --stdin when running rules, but that's the only way I've been able to get it working.
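The two commands above, worked through end to end with a constructed test case. This is an added example, not a script from the post: it writes a three-line raw-MD5 "dump" (the well-known hashes of password, 123456 and letmein) and two small wordlists, runs the cat | john --stdin pipeline, then the single-file --wordlist form with --rules, and finally reads the pot back with --show. The directory layout, file names and the session names demo and demo-rules are assumptions. On the --pipe question: john's own usage text describes --pipe as "like --stdin, but bulk reads, and allows rules", which is why rules only work with it when words come from stdin; with --wordlist the rules work directly.

```shell
#!/bin/sh
# Added example, not from the post: build a tiny raw-MD5 test case, then
# run the post's cat | john --stdin pipeline, the single-file --wordlist
# form with --rules, and read the pot back with --show.  Directory layout,
# file names and the session names "demo"/"demo-rules" are assumptions.
set -eu

make_testcase() {
    # $1 = working directory.  The hashes are the well-known MD5s of
    # "password", "123456" and "letmein" (a constructed dump, not real data).
    mkdir -p "$1"
    printf '%s\n' 5f4dcc3b5aa765d61d8327deb882cf99 \
                  e10adc3949ba59abbe56e057f20f883e \
                  0d107d09f5bbe40cade3de5c71e9e9b7 > "$1/hashes.txt"
    # Two constructed wordlists stand in for a whole drive of them.
    printf '%s\n' password qwerty > "$1/dict1.txt"
    printf '%s\n' letmein 123456 > "$1/dict2.txt"
}

run_crack() {
    # $1 = working directory.  Returns quietly if john is not on PATH.
    command -v john >/dev/null 2>&1 || { echo "john not installed" >&2; return 0; }
    (
        cd "$1"
        # Several wordlists: concatenate them and feed john on stdin.
        cat dict1.txt dict2.txt | john --stdin --format=raw-md5 \
            --pot=demo.pot --session=demo --crack-status hashes.txt
        # One wordlist with rules: --wordlist replaces the cat pipeline.
        # When reading stdin you need --pipe rather than --stdin for --rules.
        john --wordlist=dict1.txt --rules=Single --format=raw-md5 \
            --pot=demo.pot --session=demo-rules hashes.txt
        # Everything cracked so far for this hash file, taken from the pot.
        john --show --format=raw-md5 --pot=demo.pot hashes.txt
    )
}

# Pausing and resuming: Ctrl-C (or q) aborts the run and leaves demo.rec;
#   john --status=demo     reports progress of the saved session
#   john --restore=demo    picks up where it stopped
# Usage: make_testcase /tmp/jtrdemo && run_crack /tmp/jtrdemo
```

Because the pot file is named explicitly, both sessions share it, and --show with the same --pot prints everything either of them cracked for that hash file.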

Along with that, you also have --rules=*rule* now. If you look at JtR's rules documentation you'll see a quick rundown of rules. The easiest rule set to use is of course --rules=Single. I have found it extremely useful to also create your own rules based on the website name and run those. For me, I add rules to the john.ini file located in the run folder of JtR. I'll give an example below:

[List.Rules:Nvidia]

# Nvidia Passwords

A0"[nN][vV][iI1][dD][iI1][aA4]"

Az"[nN][vV][iI1][dD][iI1][aA4]"

If you glance through the john.ini file you will see where rule sections live. To create your own, follow the same basic layout. The name after List.Rules: is whatever you want to type after --rules= in the command. The # line is of course just a comment describing the rule set. A0"..." inserts the quoted string at position 0, i.e. it prepends it to the word; Az"..." inserts it at the end, i.e. appends it. The word being played with is Nvidia. Each [...] group is expanded by JtR's rule preprocessor into one rule per character inside the brackets, and the groups multiply, so each of the two lines above becomes 2 x 2 x 3 x 2 x 3 x 3 = 216 rules. Note that a set like this never tries the bare wordlist entry; add a line containing just : (the no-op rule) if you also want the unmodified word tested. I'll show how I did my LinkedIn rules for the recent LinkedIn dump:

[List.Rules:Linkedin]

# Linkedin Passwords

A0"[lL1][iI1][nN][kK][eE3][dD][iI][nN]"

Az"[lL1][iI1][nN][kK][eE3][dD][iI][nN]"

The same principle applies to the LinkedIn rule we create with the above; here each line expands to 3 x 3 x 2 x 2 x 3 x 2 x 2 x 2 = 864 rules.
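To make the rule mechanics concrete, here is an added example (not John the Ripper code, and not from the post) that reproduces the two pieces used above in plain Python: the preprocessor's [...] expansion and the A0/Az insert command. It applies the Nvidia rules to a constructed wordlist, cracks a constructed set of raw-MD5 hashes, and prints pot lines in the $dynamic_0$<hex>:<plain> form shown in the pot file section earlier. The wordlist, the "dump", and the function names are assumptions; it handles only literal character lists in brackets and the A command plus the : no-op, not the rest of the rule language.

```python
"""JtR rule preprocessor and A-command insert, reproduced in plain Python.

Added example, not John the Ripper code: expands the bracketed rules from
the [List.Rules:Nvidia] section the way john's preprocessor does, applies
them to a constructed wordlist, cracks constructed raw-MD5 hashes and
prints pot lines in the $dynamic_0$<hex>:<plain> form.  The wordlist, the
"dump" and all function names are assumptions.
"""
import hashlib
import itertools
import re

# The two rules from the [List.Rules:Nvidia] section.
NVIDIA_RULES = [
    'A0"[nN][vV][iI1][dD][iI1][aA4]"',
    'Az"[nN][vV][iI1][dD][iI1][aA4]"',
]

# Constructed wordlist standing in for "cat /cygdrive/b/*".
WORDLIST = ["password", "letmein", "gpu", "123456"]

# Constructed "dump": raw MD5 of three plaintexts a demo user might pick.
# "letmein" is a bare wordlist entry, which the rules above never produce.
SAMPLE_HASHES = [hashlib.md5(p.encode()).hexdigest()
                 for p in ("Nvidiapassword", "123456nvid1a", "letmein")]

_GROUP = re.compile(r"\[([^\]]+)\]")


def preprocess(rule):
    """Expand each [abc] group into one rule per listed character.

    Groups multiply, as in john's preprocessor: [nN][vV] gives 4 rules.
    Only literal character lists are handled, not ranges like [a-z]."""
    groups = _GROUP.findall(rule)
    if not groups:
        return [rule]
    template = _GROUP.sub("{}", rule)
    return [template.format(*combo) for combo in itertools.product(*groups)]


def apply_rule(rule, word):
    """Apply one expanded rule to a word.

    ':' is the no-op rule (word unchanged).  A<pos>"<str>" inserts <str>:
    A0 at position 0 (prepend), Az at the end (append), a digit N before
    character N.  Other commands are not implemented here."""
    if rule == ":":
        return word
    m = re.fullmatch(r'A([0-9z])"([^"]*)"', rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    pos, text = m.groups()
    if pos == "z":
        return word + text
    n = int(pos)
    return word[:n] + text + word[n:]


def candidates(rules, words):
    """Yield every candidate john would try: each expanded rule applied to
    each wordlist entry.  The bare word only appears if ':' is in the set."""
    for rule in rules:
        for expanded in preprocess(rule):
            for w in words:
                yield apply_rule(expanded, w)


def crack_raw_md5(hashes, rules, words):
    """Return pot-style lines for every hash recovered with wordlist + rules.

    Older jumbo builds record raw-md5 as $dynamic_0$<hex>, which is why the
    post's pot line starts that way."""
    pending = {h.lower() for h in hashes}
    found = {}
    for cand in candidates(rules, words):
        if not pending:
            break
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in pending:
            pending.discard(digest)
            found[digest] = cand
    return ["$dynamic_0$%s:%s" % (h, p) for h, p in found.items()]


if __name__ == "__main__":
    print("rules per line after preprocessing:", len(preprocess(NVIDIA_RULES[0])))
    for line in crack_raw_md5(SAMPLE_HASHES, NVIDIA_RULES, WORDLIST):
        print(line)
    print("with the ':' no-op rule added:")
    for line in crack_raw_md5(SAMPLE_HASHES, NVIDIA_RULES + [":"], WORDLIST):
        print(line)
```

Run as is, the Nvidia rules recover Nvidiapassword and 123456nvid1a but not letmein, because every rule in the set inserts a string; adding the : rule to the list is what makes the unmodified wordlist entry get tried as well.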
