JOHN THE RIPPER

INSTALLATION

root@oco:~$ sudo apt search john
root@oco:~$ sudo apt install john
 ...
root@oco:~$ john --help
 ...

DISPLAYING CRACKED PASSWORDS

root@oco:~$ john --format=raw-sha256 --show hash1.txt
 * john will not spend computing resources to crack an already-cracked password hash. if a password is already found from a previous session, John displays the message "No password hashes left to crack"
    - use the --show option/flag to display already cracked passwords

CRACKING HASHES

#basic cracking with John the Ripper
root@oco:~$ john --format=raw-sha256 --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt
 * the --format=raw-sha256 specifies the hash format
 * the --wordlist=/usr/share/wordlists/rockyou.txt sets the wordlist for use
 * if no results are found, apply transformation rules
    - John can start from a long password list and attempt various common derivations from each of the passwords to increase its chances of success. This behaviour can be triggered through the use of rules.
 
#transformation rule cracking with John the Ripper
root@oco:$ cat /etc/john/john.conf
 [List.Rules:Wordlist] section
 ...
root@oco:~$ john --format=raw-sha256 --rules=wordlist --wordlist=/usr/share/wordlists/rockyou.txt hash1.txt
 fluffycat12      (?)  

  * adding the option --rules=wordlist to your john command line generates multiple passwords from each entry in the password list
    - appends and prepends single digits, performs substitutions such as a can be replaced with @, i can be replaced with !, and s can be replaced with $

CRACKING ENCRYPTED FILES (PDF)

the password protected file MUST be converted into the hash using john's modules IOT successfully crack the password

#convert the password protected file to john's format
root@oco:~$ find / -iname *2john* -type f 2>/dev/null
root@oco:~$ ls /opt/john/*2john*
 * display various tools John can use to convert password-protected file into a format that john can attack
 * naming style “{format}2john”

root@oco:~$ pdf2john.pl private.pdf > pdf.hash
 * this cmd creates a hash challenge of a password protected file
root@oco:~$ cat pdf.hash
 private.pdf:$pdf$2*3*128*-1028*1*16*c1e77e30a0456552cb8a5327241559bd*32*3dc175eae491edc29b937e4fdbda766c00000000000000000000000000000000*32*6a1b5158d8d6dd9e8380f87b624da6cc936075fd41dc3c76acf2d90db62e4a27

root@oco:~$ john -wordlist=/usr/share/wordlists/rockyou.txt pdf.hash
 * M4y0rM41w4r3     (private.pdf)

CRACKING ENCRYPTED FILES (ZIP)

The password protected file MUST be converted into the hash using john's modules IOT successfully crack the password

#convert the password protected file to john's format
root@oco:~$ find / -iname *2john* 2>/dev/null
 /usr/sbin/zip2john
 
 * display various tools John can use to convert password-protected file into a format that john can attack
 * naming style “{format}2john”

root@oco:~$ zip2john backup.zip > zip.hash
 Created directory: /home/str1f3/.john
 ver 2.0 efh 5455 efh 7875 backup.zip/index.php PKZIP Encr: TS_chk, cmplen=1201, decmplen=2594, crc=3A41AE06 ts=5722 cs=5722 type=8
 ver 2.0 efh 5455 efh 7875 backup.zip/style.css PKZIP Encr: TS_chk, cmplen=986, decmplen=3274, crc=1B1CCD6A ts=989A cs=989a type=8
 NOTE: It is assumed that all files in each archive have the same password.
 If that is not the case, the hash may be uncrackable. To avoid this, use
 option -o to pick a file at a time.

 * this cmd creates a hash challenge of a password protected file
 
root@oco:~$ find / -iname *rockyou* -type f 2>/dev/null
 /usr/share/wordlists/rockyou.txt.gz

root@oco:~$ john -wordlist=/usr/share/wordlists/rockyou.txt zip.hash
 Using default input encoding: UTF-8
 Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x])
 Cost 1 (HMAC size) is 29 for all loaded hashes
 Will run 2 OpenMP threads
 Press 'q' or Ctrl-C to abort, almost any other key for status
 XXXXXXXXXXX      (flag.zip/flag.txt)     
 1g 0:00:02:12 DONE (2025-10-03 08:26) 0.007552g/s 20696p/s 20696c/s 20696C/s winternights..wine23
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed.

CRACKING: MYSQL 160BIT SHA

root@oco:~$ hash-identifier
 HASH: *6B4F89A54E2D27ECD7E8DA05B4AB8FD9D1D8B119
 Possible Hashs:
 [+] MySQL 160bit - SHA-1(SHA-1($pass))

root@oco:~$ printf '%s\n' '*6B4F89A54E2D27ECD7E8DA05B4AB8FD9D1D8B119' > hashes.txt
root@oco:~$ john --format=mysql-sha1 --wordlist=rockyou.txt hashes.txt 
 Created directory: /root/.john
 Using default input encoding: UTF-8
 Loaded 1 password hash (mysql-sha1, MySQL 4.1+ [SHA1 256/256 AVX2 8x])
 Warning: no OpenMP support for this hash type, consider --fork=4
 Press 'q' or Ctrl-C to abort, almost any other key for status
 hello            (?)     
 1g 0:00:00:00 DONE (2025-10-26 21:07) 100.0g/s 6400p/s 6400c/s 6400C/s tweety..charlie
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed. 
                                                                                                                                                                                                                                           
root@oco:~$ john --format=mysql-sha1 --show hashes.txt
 ?:hello

PreviousHASH-IDENTIFIER NextHASHCAT

Last updated 4 days ago