Cracking passwords with John The Ripper (JTR)

Michael Presas
6 min read · Mar 22, 2020


JTR is a password cracking tool that ships with the Kali Linux distribution. This post provides a very basic proof of concept for how to use JTR to crack passwords. If you prefer not to use the command line, Johnny is a graphical user interface (GUI) front end for JTR.

Before we begin, you must have Kali Linux installed. For this demonstration, I’ll be using Kali Linux running as a virtual machine on my desktop. Additionally, you’ll need JTR, which should already be installed. If it isn’t, just use the following:

apt-get install john

Once the program is installed, you can verify its existence by typing “john” into the command line. The help page for JTR will be displayed if it is properly installed.

Creating Users and Their Passwords
In order for us to crack passwords, we need some users. For the sake of simplicity, I’ll create three users named user01, user02 and user03. Once they are created, I’ll manually set their passwords.

The syntax for user creation is easy: useradd <desiredUsername>. There are a couple of different ways to add users; I just chose useradd. The passwd <Username> command is the Linux program that prompts you to set a user’s password.

For these users, I set very easy passwords that I know JTR will be able to crack. This is just a proof of concept, after all. It goes without saying, but I’ll say it anyway: you shouldn’t use these passwords, or any passwords like them.

  • user01:123456
  • user02:password
  • user03:qwerty

So now that we have some users with some pretty crackable passwords, let’s turn to using JTR.

How JTR Works
JTR was primarily built to crack weak Unix passwords. It works against Windows LM and Kerberos hashes, although there are other tools for this sort of thing.

As mentioned, JTR is a command line tool that is invoked with the command

john <mypasswordfile>

JTR accepts parameters that select a particular cracking mode. Most of the modes require additional parameters and are outside the scope of this post; if you really want to know, the different modes are described in detail on the Openwall JTR page. For this demonstration we will be using the simplest mode available: wordlist mode.

In order to use wordlist mode, you must provide a password file that contains the password hash for each account (more on this later). By default, JTR uses its standard wordlist (password.lst), although the Openwall website offers additional wordlists (for a fee). JTR computes the hash of each entry in the wordlist and compares it to the entries in the password file.

At this point, it’s a good idea to mention that Kali Linux comes with a prepackaged wordlist that contains over a million entries. It is located in the following directory:

/usr/share/wordlists/rockyou.txt

You can select a specific wordlist with the “--wordlist=<pathToDesiredWordlist>” parameter. For the sake of comparison, JTR’s default wordlist contains under 4k entries. When a match is found, it is printed to the console. As always, you can redirect the output of a JTR run to a file with >.

A Digression On Password Locations
To properly crack Unix passwords, it’s important to understand how passwords are stored. In Linux, the list of user accounts is stored in the /etc/passwd file, although its name would suggest it holds passwords. Viewing this file won’t display password information, but it will tell you which accounts exist on the machine and where each user’s home directory is. The /etc/shadow file is where the password hashes are stored. Root and the root group are the only users with access to read or write this file, for obvious reasons. This is important to acknowledge: gaining access to an ordinary user account will not give you access to /etc/shadow. You must elevate privileges or obtain the file another way. The fields of each entry are separated by :, and the password hash field is itself subdivided by $ (scheme identifier, salt, hash). This blog post offers a very clear and concise explanation of the various fields.

As you can see from the output below, the hashes we will need to crack are SHA-512 hashes (as indicated by the $6$).

Cracking Passwords

JTR has excellent documentation. This next bit is a rehash of the existing instructions located here.

JTR has a utility called unshadow that combines the passwd and shadow files of the system it runs on into a single file for cracking. Obviously, this requires either that JTR is installed on the target system or that you point the command at copies of the target system’s passwd and shadow files. Also, this utility only works for Unix systems; JTR has other utilities to obtain password files from Windows systems.

The commands required to copy the password file are below.

umask 077
unshadow /etc/passwd /etc/shadow > ~/Desktop/passcopy

umask is a standard Linux command that sets the default permission mask for new files created in the current shell. Permission bits are read (4), write (2) and execute (1), and the three digits of a mode apply, in order, to the file owner, other users in the owner’s group, and everyone else. Adding the bits gives the permission set for each of those groups (e.g. 3 = 2 + 1, or write and execute). Read as a mode, 077 would mean that the owner has no permissions while the group and everyone else have full permissions. The argument to umask specifies the inverse: it lists the bits to remove from new files, so umask 077 means the file owner keeps full permissions and the owner’s group and everyone else get none. This is helpful if you are going to run the commands from a non-root account, since any file you create afterwards (such as the unshadow copy) is automatically created with those owner-only permissions. Since I will be running all commands as root, I am not going to make this alteration.

unshadow is a command that comes with JTR. It combines the shadow and passwd files into a usable input for JTR. Using unshadow is especially important if you want to use JTR’s advanced features. My unshadow output is shown below.
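To make the inverse relationship concrete, here is an added example (not code from the post) that creates a file under a given umask and reports the mode it actually received; the file name passcopy is only a constructed placeholder.

```python
"""Effect of umask on a freshly created file (added example, not code from the post).
Permission bits are read=4, write=2, execute=1, one octal digit each for owner, group
and other; a umask clears bits from the 0666 that a redirection such as
'unshadow ... > passcopy' would otherwise request."""
import os
import stat
import tempfile


def permission_string(mode):
    """Render the low nine mode bits as rwx triplets, e.g. 0o600 -> 'rw-------'."""
    return "".join("rwx"[i % 3] if mode & (1 << (8 - i)) else "-" for i in range(9))


def expected_mode(mask, requested=0o666):
    """The arithmetic the kernel applies: requested bits minus the masked bits."""
    return requested & ~mask & 0o777


def mode_after_umask(mask, requested=0o666):
    """Create a real file under the given umask and return its actual permission bits."""
    previous = os.umask(mask)  # install the mask, remember the old one to restore
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "passcopy")  # constructed path, not the post's file
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, requested))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)


def owner_only(mode):
    """True when group and other hold no bits, i.e. a safe mode for an unshadow copy."""
    return mode & 0o077 == 0
```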

Once you have your copy of the passwd file, you can run JTR using the following syntax.

john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/passcopy

There you have it, the cracked passwords. As you can see, the total time it took to crack these simple passwords was under a minute. Easy, right?

The last line of the output above deserves some comment, as it explains why running JTR on the same file multiple times will not crack the same passwords again, as one might expect. When JTR cracks a password, it stashes it in the john.pot file. This file isn’t meant to be easily read by humans. Instead, JTR provides the --show option to see which passwords have been cracked and --show=left to see which passwords are left.

You can see that --show lists the cracked passwords and --show=left shows the remaining passwords that are uncracked.

Personally, I spent a lot of time trying to find the john.pot file to manually remove these entries as I was trying to rerun JTR multiple times for this post. If you need to rerun JTR on the same password file and you want to return the same list of passwords, you’ll need to manually remove them from john.pot.

Step one is to locate john.pot. I’ll save you the time: use the locate command.

Step two is to open john.pot in a text editor and remove the entries. I’m using Vim.

Save your changes using ESC and :wq and rerun JTR to recrack those passwords.
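The shadow-file layout described earlier, the --show/--show=left bookkeeping, and the pot-pruning step above, as an added example that is not code from the post or from the JTR project; the account lines, hash bodies and salts are constructed placeholders, and the pot format assumed is the hash:plaintext form the post describes.

```python
"""Parse unshadow output and reconcile it against john.pot (added example, not code
from the post or the JTR project). Assumed formats, following the post: unshadow lines
are user:hash:uid:gid:gecos:home:shell, pot lines are hash:plaintext, $6$ = SHA-512."""
import re

# Constructed sample data standing in for the post's accounts; hash bodies are
# placeholders, not real SHA-512 crypt digests.
PASSCOPY = """\
user01:$6$saltAA$hashOfUser01:1001:1001::/home/user01:/bin/bash
user02:$6$saltBB$hashOfUser02:1002:1002::/home/user02:/bin/bash
user03:$6$saltCC$hashOfUser03:1003:1003::/home/user03:/bin/bash
"""
JOHN_POT = """\
$6$saltAA$hashOfUser01:123456
$6$saltCC$hashOfUser03:qwerty
"""
SCHEMES = {"1": "MD5 crypt", "2b": "bcrypt", "5": "SHA-256 crypt",
           "6": "SHA-512 crypt", "y": "yescrypt"}

def hash_scheme(h):
    """Name the crypt scheme from the $id$ prefix; '*' or '!' means no usable password."""
    if not h or h[0] in "*!":
        return "locked/no password"
    m = re.match(r"^\$([^$]+)\$", h)
    return SCHEMES.get(m.group(1), "unknown") if m else "legacy or unknown"

def parse_passcopy(text):
    """Return {user: hash} for accounts that actually carry a crypt hash."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].startswith("$"):
            entries[fields[0]] = fields[1]
    return entries

def parse_pot(text):
    """Return {hash: plaintext}; crypt hashes never contain ':' so split on the first."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def show(entries, pot):
    """What 'john --show' reports: cracked accounts with their plaintext."""
    return {u: pot[h] for u, h in entries.items() if h in pot}

def show_left(entries, pot):
    """What 'john --show=left' reports: accounts whose hash is absent from the pot."""
    return {u: h for u, h in entries.items() if h not in pot}

def prune_pot(pot_text, entries, users):
    """Drop the pot lines for the named users so a rerun cracks them again (step two)."""
    forget = {entries[u] for u in users if u in entries}
    return "\n".join(l for l in pot_text.splitlines() if l.split(":", 1)[0] not in forget)
```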

Happy cracking!
