The Complete Guide to John the Ripper. Part 1: introduction and establishment of John the Ripper

7 April 2023 15 minutes

Introduction and purpose of John the Ripper

A long time ago, a six-digit password was considered safe, especially if it contained upper and lower case letters, punctuation marks and was not based on a word from the dictionary. These rules aren’t exactly obsolete (eight characters is almost acceptable, as long as there are special characters), and many people still use hopelessly weak passwords to protect their data. John the Ripper is a password cracking tool that makes this fact crystal clear. It would be pointless to store passwords in public, so what usually happens is this: the password is passed through an appropriate hash function (eg SHA256) and the result is stored. The hash function must have certain mathematical properties (the hash must not be easily reconstructed), and when a password is entered, its hash is calculated and the result is compared to what is already stored. It is unlikely that two passwords will have the same hash, so if the hashes match, access is allowed.

Some systems will lock you out after a certain number of failed password attempts, but these rules don’t apply if you have a stolen database (for online password cracking, look up Hydra). John the Ripper is also able to use the capabilities of the GPU to verify several thousand passwords per second. In addition to random combinations of characters, John the Ripper can use dictionaries, which greatly helps in the process of cracking passwords. Not only that, but John the Ripper can use the rules of combining dictionary words with each other and with random characters, simulating the password creation process of the particularly gifted. The modern approach to creating passwords involves combining dictionary words to create a long password, rather than trying to guess by randomly combining capital letters and symbols.

What is the difference between John the Ripper and Hashcat

1. Hashcat can use the video card, the central processing unit (CPU), or both for brute force. John the Ripper can use either the video card, the video core of the CPU, or just the CPU.

2. Hashcat can use the graphics card to crack any supported algorithms. John the Ripper for video card hacking supports only some types of algorithms.

3. If you have several video cards, Hashcat “out of the box” supports working with several devices at once and by default divides tasks into the required number of threads and the size of each task is tied to the power of the video card. John the Ripper can work with several video cards, but by default, only one algorithm supports splitting the task on several video cards.

4. For Hashcat, it doesn’t matter how you installed it: you compiled it from source code or downloaded a binary file. For John the Ripper, it is very important to compile the binary, because in this case the specifics of your system are taken into account. As a result, when compiling, the instruction sets supported by the processor will be specified, for example, AVX2 instead of the default AVX, which will ultimately greatly affect performance – for some algorithms, this results in a 2-fold acceleration of the hack! Or vice versa, John executables compiled on newer hardware may not work on some computers

5. For Hashcat, you must specify the type of hash. John the Ripper determines the hash itself, or you can specify the hash format.

6. The syntax of commands and options varies greatly.

7. About cracking the password in John the Ripper on the video card, you need to know that brute force on the graphics card requires a lot of time to run – this is noticeable even for the benchmark. Therefore, if you need to perform many short sessions, then sometimes it is better to use a central processor, on which the hack starts immediately.

Advantages of John the Ripper:

1. More flexible work with hashes – even if the file with hashes contains hashes of other types, John does not terminate the operation with an error, but simply uses hashes of the type specified in the launch command. Also, hashing utilities often add lines that can cause Hashcat to get an “invalid hash” error. John the Ripper works with this form of recording.

2. A more flexible rule-based attack. John the Ripper and Hashcat are implementations of Rule-Based Attacks, and the syntax for writing rules has a lot in common. But in John the Ripper, this attack is more powerful because it has more rules and also allows character sets in the rule entry.

3. Support for non-standard hashes. Hashcat can only work with hashes provided by the developers of this program. And John the Ripper has a Dynamic mode, which allows you to specify the formula by which the hash was calculated. That is, arbitrary types of hashes can be hacked.

Installing video card drivers for John the Ripper

If you want to use the GPU to crack passwords (which is ten times faster than the CPU), you need to install the video driver. Hacking can be used:

  • central processor

  • video core of the central processing unit

  • video card

You need to choose one of these – the fastest option is a video card. Of course, specific computer configurations may vary: some don’t have a discrete video card, some don’t have a video core in the CPU – hopefully you can check this yourself.

Installing video drivers in Windows

In this OS, everything is simple – most likely, the video drivers for your graphics card are already installed. If not, go to the manufacturer’s website, download and install the driver. In order to use the CPU as an OpenCL device, you need to install the OpenCL Runtime for Intel Core and Intel Xeon Processors. You can find the necessary links in this article from Hashcat, which also uses this software.

Installing video drivers in Linux

In Kali Linux

Previous full system update and reboot:

Installing video drivers for NVIDIA on Linux

Enabling OpenCL for Intel

If your CPU supports OpenCL, then install the following packages:

In Arch Linux, BlackArch

Enabling OpenCL for NVIDIA. Remove xf86-video-nouveau is it is:

Install NVIDIA proprietary driver, CUDA and other packages:

Enabling OpenCL for Intel

Installing John the Ripper on Linux from source code

As already mentioned, it is important to build John the Ripper yourself so that it takes full advantage of your CPU. Another plus of this approach is that we will get the latest version of John the Ripper.

Installing required dependencies in Kali Linux:

Then the same in any distribution:

Note, in the last command you can use the -j option, followed by the number of (logical) cores of your processor, for example, I have 12 logical cores, then I use:

Now go to the run folder:

And run the test:

You don’t have to install John the Ripper at the system level – move the run folder to a convenient location and run John from there. In addition to the John the Ripper file, the run folder contains many scripts for extracting hashes – we will talk about them later. Remember, if you type in the terminal:  Jonh. then the version installed on the system will start, not the one you compiled.

Installing John the Ripper in Debian, Linux Mint, Ubuntu

Installation should be done in the same way as in Kali Linux. Therefore, refer to the section “Installing John the Ripper on Kali Linux”. If something did not work out for you, then write here in the comments indicating your distribution and the error.

How to install John the Ripper on Windows

Compiling John the Ripper from Windows source code will be covered later. Use the official binary. First, install Cygwin – simple go to the official site, download the file setup-x86_64.exe and install.

In Cygwin, you need to install the libOpenCL1 package, which is not present by default. The installation can be performed by running the setup-x86_64.exe file again (by which Cygwin was installed), at the stage of selecting packages in the Search field, enter libOpenCL1, in the View list, go to Not Installed ), double-click on the word Skip. As a result, the version of the package for installation will be shown, click the “Next” button and complete the installation of the package.

You may prefer another method: move the setup-x86_64.exe installation file to the C:cygwin64 folder and then open a Windows command prompt (PowerShell) and run the command:

Extract the contents of this archive into the folder C:cygwin64homeUSERNAME, for example, my user is MiAl, so I extract it into the folder C:cygwin64homeMiAl. Note that you need to create the folder and copy the files to it as a normal user, as John the Ripper will attempt to write the data to a .pot file in the same folder as the program is running. If you copied the JtR folder in an elevated file manager, the folder will be owned by the Administrator and cannot be written to or changed.

Windows can actually run John the Ripper even without Cygwin, but in that case it won’t be able to use OpenCL (kernel video) to brute force.

Now in C:cygwin64homeUSERNAMEJtRrun find cygOpenCL-1.dll and rename it to cygOpenCL-1.dll.bac.

Then, in the c:WindowsSystem32 folder, find the OpenCL.dll file and copy it to the C:cygwin64homeUSERNAMEJtRrun folder.

Then, in the C:cygwin64homeUSERNAMEJtRrun folder, rename the OpenCL.dll file to cygOpenCL-1.dll.

Next, the same procedure must be repeated for the file in the C: cygwin64 bin folder. That is, in the C:cygwin64bin folder, find cygOpenCL-1.dll and rename it to cygOpenCL-1.dll.bac. Then, in the c:WindowsSystem32 folder, find the OpenCL.dll file again and copy it to the C:cygwin64bin folder. Finally, in the C:cygwin64bin folder, rename the OpenCL.dll file to cygOpenCL-1.dll.

The file replacement trick may not work for all systems – but in any case you can use the CPU or integrated graphics to hack. To understand why we do all this, take a look at the hacking speed on the central processor:

And on the hacked speed on the video card, which became available thanks to the above actions with the replacement of files:

Open the Cygwin console to run commands.

Run the installation test:

Run your system benchmark:

But still, JtR is one of those programs that is primarily intended for Linux. Next you will see that we will run scripts to generate (extract) hashes from files and for example some of the helpers/scripts require, for example, the Python environment installed, which is present by default on Linux.

John the Ripper check

In this section, we will check what devices John the Ripper sees for use during brute force. The options are the same on any system, but remember that on Windows, to run John the Ripper, you need to open Cygwin and specify ~/JtR/run/john as the file. If you run a file installed from standard repositories in Linux, it is enough to write simply: john. If you run a file compiled from the source code, then go to the directory with the executable file (in the program folder, this is the run directory) and specify: ./john as the executable file.

To list OpenCL devices, use the –list=opencl-devices option:

As you can see, I have three devices:

1 – video core of the central processor:

2 – discrete video card

3 – central processor

Similarly in Windows:

As already mentioned, John the Ripper cannot simply work with any algorithms supported on OpenCL – it is necessary to create a module for them. Therefore, some algorithms can only be hacked on the CPU, and some algorithms can be hacked on either the graphics card or the CPU.

As already mentioned, John the Ripper cannot simply work with any algorithms supported on OpenCL – it is necessary to create a module for them. Therefore, some algorithms can only be hacked on the CPU, and some algorithms can be hacked on either the graphics card or the CPU.

The list of algorithms may differ from the OS and from the installed dependencies

To view a list of supported algorithms:

The list did not fit all:

To see a list of OpenCL hacking algorithms:

Much less, but Wi-Fi is there.

How to use a video card to hack John the Ripper

By default, JtR uses the CPU, even if all the necessary drivers for OpenCL are installed. To enable the graphics card, you need to use the –format option and explicitly specify an algorithm that OpenCL supports. For example, for the benchmark of the wpapsk algorithm on a video card:

To crack wpapsk on a CPU you need to run something like this:

As you can see on the screenshots: 114975/17385 = 6.61, that is, the speed of password retrieval has increased more than 6 times.

How to use the CPU video core in JtR

In this section, we’ll take a closer look at what computing devices JtR can use and how exactly the program chooses between them when there is an alternative. JtR can perform calculations on:

  • ordinary CPU cores

  • using OpenCL devices

The list of OpenCL devices can include:

  • video card

  • integrated CPU graphics

  • ordinary CPU cores

As you can see, even without installing the possible OpenCL environment and video drivers, JtR is able to crack passwords. Algorithms without the line “-opencl” in their name, such as wpapsk, can be brute-forced only with normal CPU cores. Algorithms with the string “-opencl” in their name, such as wpapsk-opencl, can be brute-forced to:

  • video card

  • integrated CPU graphics

  • ordinary CPU cores

To view the list of available OpenCL devices, run the command:

At number one is the CPU’s integrated graphics.

Number three is the regular CPU cores that JtR will work with as an OpenCL device.

By default (without the -dev option), JtR uses one of the OpenCL devices that the program thinks is the fastest.

The -dev option allows you to select a specific OpenCL device, the device number is in parentheses, on lines starting with Device #0, for example:

So, to run JtR on normal CPU cores, use the algorithm name without the “-opencl” line:

To run the password cracker on the first OpenCL device (I have integrated CPU graphics, the run failed):

To run password cracking on a second OpenCL device (I have a discrete video card):

To run the password cracker on a third-party OpenCL device (I have regular CPU cores):

You can also use the -dev option like this:

  • -dev=gpu

  • -dev=cpu

When using OpenCL, these options tell JtR to use only GPU device(s) or only CPU device(s).

How to run the John the Ripper benchmark

The –test option is used to test the speed of password traversal in JtR.

This option can be used with a number – the number of seconds the test will run.

If you want to test the speed of only a specific algorithm, use the –format option. An example of a Wi-Fi password cracking speed test by the central processor:

An example of a Wi-Fi password cracking speed test with a discrete video card:

If you only need to check the decryption of different algorithms without running the benchmark, then specify 0 as the value of the –test option:

How to set up John the Ripper

John the Ripper has a settings file with a lot of options. This file is called john.conf and is in the same folder as the john file. Provide good cooling; monitor the temperature. If the OpenCL runtime supports it, the GPU temperature will be monitored and displayed in the status lines, and john.conf is a user-modifiable limit that will terminate at 95 °C. Provide good cooling; watch the temperature. If the OpenCL runtime supports it, the GPU temperature will be monitored and displayed in the status lines, and there is a user-modifiable limit in john.conf that will exit at 95°C.

This setting is set by the directive:

The temperature is indicated in degrees Celsius – °C.

Instead of aborting, you can stop the program for this number of seconds to cool down the GPU when the temperature reaches the AbortTemperature value, then the program will recheck the temperature and either continue or pause. Set to 0 to exit.

If SleepOnTemperature = 1 (one second) is specified, no pause/resume messages will be displayed, because such a short value is interpreted as a desire to keep the temperature of the video card near the extreme value. The default value of the directive:

Compilation difference with AVX2 and AVX for John the Ripper

To view the build options, use the –list=build-info option:

Benchmark of two versions of the programs:

1. This half of the screenshot is a benchmark of the latest version of JtR that I compiled from source. Since my CPU supports AVX2, John the Ripper also supports it.
2. And I installed this one from the standard repository of my distribution – it is compiled with AVX. The difference is very significant.

Found an error?
If you find an error, take a screenshot and send it to the bot.