JTR - John the Ripper
---------------------
Written by FoxDog, contributions by Jimeous

JTR - http://www.false.com/security/john/index.html
---

John the Ripper is a decrypting program for passwords. Although it has many
functions, we will be looking at using it as a decrypter for password files
you possess. We will be looking at password files which you have put on your
hard disk.

-----------------
TABLE OF CONTENTS
-----------------

- PREPARATION
  SHORTCUT TIP FOR WINDOWS 95
  PASSWORD FILES
- DECRYPTING
  JTR MODES
  SINGLE MODE
  WORDFILE MODE
  INCREMENTAL MODE
    ALPHA
    DIGITS
    ALL
  SHOW MODE - Saving the Decrypted Files
- ADVANCED COMMANDS
  STOPPING JTR
  RULES
  SESSION and RESTORE
- JTR QUICK REFERENCE
- SCREEN SHOT OF A JTR SESSION

--------------------

-----------
PREPARATION
-----------

1. Download the correct version of JTR; use win32 for Win 95/98
2. Extract the zip file into a directory
3. Make sure you have your password files in the same directory

---------------------------
SHORTCUT TIP FOR WINDOWS 95
---------------------------

1. Right click on the [Start] button, and choose Open
2. Double click on the [Programs] folder
3. Right click and Copy [MS-DOS Prompt]
4. Close the [Programs] folder
5. Right click and Paste on the Desktop; an [MS-DOS Prompt] icon should appear
6. Right click on the [MS-DOS Prompt] icon and choose Properties
7. Click on the Program tab
8. In the box next to Working (it should have C:\WINDOWS in there), change it
   to the directory where the program JOHN.EXE has been extracted
9. Click on the [OK] button
10. Test what you have done by double clicking on the icon. If you wish to
    rename [MS-DOS Prompt] to JTR, then do so

--------------
PASSWORD FILES
--------------

A.
Naming

I personally name my files with a .p extension; some people use .txt. For
example, if I had Danni's password file, I would name it danni.p. The reason
is that p stands for password file. I then name my decrypted password files
with a .txt extension.

It is really up to you what you name your password files; just remember that
the names should be less than 8 characters, e.g. likethis.p

B. Where should I put them?

Always have the password files you have found in the same directory as
JOHN.EXE. It's just easier to handle them that way.

----------
DECRYPTING
----------

Depending on which JTR version you have downloaded, you have to change into
the directory JOHN.EXE is in.

---------
JTR MODES
---------

There are 3 main modes we will be dealing with: -single, -wordfile,
-incremental

[KEYS]
[passfile] - this is the name of your password file
[wordlist] - this is the name of your wordlist
[output]   - this is the name of the file you will name when you want to save
             your decrypted passwords

-----------
SINGLE MODE
-----------

Single mode attempts to find the weakest of all the passwords. This is one of
the fastest methods.

SINGLE MODE SYNTAX

  john -single [passfile]

or you could use

  john -si [passfile]

Example: If you found a [passfile] and named it danni.p then you would type

  john -si danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

-------------
WORDFILE MODE
-------------

Wordfile mode is the next quickest method.
It requires the use of a wordlist. The wordlist must be a single wordlist
and not a combo list.

WORDFILE SYNTAX

  john -wordfile:[wordlist] [passfile]

or

  john -w:[wordlist] [passfile]

Example: If you found a [passfile] and named it danni.p and you had a
[wordlist] named mydict.txt then you would type

  john -w:mydict.txt danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

----------------
INCREMENTAL MODE
----------------

Incremental mode is the slowest mode and will try to decrypt every password
in your passfile. As this can take days, months, even years, I would use it
as a last resort.

There are 4 basic commands we will be dealing with: DIGITS, ALPHA, ALL, and
leaving it blank.

DIGITS mode
  This will try to decrypt all the passwords that are numbers only

ALPHA mode
  This will try to decrypt all the passwords that are letters only

ALL mode
  This will try to decrypt all the passwords, whether they are numbers,
  letters or contain some special characters (@!^&...etc)

WITH NO MODE SELECTED
  This will basically do everything to try to decrypt the password file

SYNTAX

  john -i [passfile]
  john -i:DIGITS [passfile]
  john -i:ALPHA [passfile]
  john -i:ALL [passfile]

Example: If you found a [passfile] and named it danni.p

  john -i danni.p
  john -i:DIGITS danni.p
  john -i:ALPHA danni.p
  john -i:ALL danni.p

Take a look at SCREEN SHOT OF A JTR SESSION

When running in this mode, if you ever want to stop it, push CTRL-C

--------------------------------------
SHOW MODE - Saving the Decrypted Files
--------------------------------------

Finally, once JTR has finished its decrypting process, you will be ready to
enjoy the results. These you will save in a file name of your choice.
SHOW SYNTAX

  john -show [passfile]>[output]

Example: If you found a [passfile] and named it danni.p, and you decide you
want to name the decrypted password file or [output] danni.txt:

  john -show danni.p>danni.txt

Now you can open danni.txt in a text editor. You will see something like this:

  italia:italiano
  makoto:makotox
  PADWICK:PADWICKH
  kelley:kelleyaj
  bechtel:jbechtel
  mequery:queryme
  seeeee:meeeee
  stevewm:stevenm

  8 passwords cracked, 246 left

Hopefully you will get more passwords than the example though.

-----------------
ADVANCED COMMANDS
-----------------

Here are a few more commands which prove handy when using JTR.

------------
STOPPING JTR
------------

If at any time you wish to stop the decrypting process, then hold down the
[ CTRL ] key and push the [ C ] key.

-----
RULES
-----

This command is used with the wordfile option. Without it, JTR will try only
the words in your wordlist. When this is activated it will try variations as
outlined in the john.ini file. This is also quite slow.

RULES SYNTAX

  john -w:[wordlist] -rules [passfile]

------------------
SESSION & RESTORE
------------------

Decrypting, by now you will notice, can become a long and slow process. JTR
allows you to save and restore sessions. A session is like a snapshot of what
you are decrypting. It remembers what file you used, and where you were at if
you decide to stop it. Session can be used with any of the main modes.

SESSION & RESTORE SYNTAX

  john -restore
  john -restore:[session name]
  john -session:[session name]

[session name] is any name you choose

EXAMPLE
-------

Let's say you want to decrypt a file named danni.p.
OK, you've used the -si mode, which was quick.
With your trusty wordlist file named biglist.txt you next run the -w mode.

FINAL NOTES
-----------

There are many other features that JTR uses that are advanced; these can be
found in the DOC folder in JTR. Just use a text editor to open and read them.

We were only concerned with getting at least 50% of the passwords.
This may be achieved by SINGLE and WORDFILE modes.

SPEED is dependent on your CPU. If your screen looks like it's frozen and
doing nothing, just hit any key a couple of times; you will see a mini
progress report.

Speed is also dependent on the size of your password file and the number of
salts. A salt can be thought of as a slightly different way to encrypt a
file, as there are many ways to encrypt a single password.

-------------------
JTR QUICK REFERENCE
-------------------

[KEYS]
[passfile] - this is the name of your password file
[wordlist] - this is the name of your wordlist
[output]   - this is the name of the file you will name when you want to save
             your decrypted passwords
:  - whenever you see a colon then use it in the command
-  - whenever you see a minus sign then use it in the command
>  - whenever you see this sign then use it in the command
[] - DO NOT INCLUDE THESE IN THE COMMAND

SINGLE MODE
  john -si [passfile]

WORDFILE MODE
  john -w:[wordlist] [passfile]

INCREMENTAL MODES
  john -i [passfile]
  john -i:ALL [passfile]
  john -i:DIGITS [passfile]
  john -i:ALPHA [passfile]

SHOW MODES
  john -show [passfile]>[output]

----------------------------
SCREEN SHOT OF A JTR SESSION
----------------------------

Loaded 254 passwords with 85 different salts (Standard DES [32/32 BS])
italia           (italiano)
makoto           (makotox)
PADWICK          (PADWICKH)
kelley           (kelleyaj)
bechtel          (jbechtel)
mequery          (queryme)
seeeee           (meeeee)
stevewm          (stevenm)
guesses: 8  time: 0:00:01:23 100%  c/s: 25771  trying: zcatcatk - zcatcatz
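As an added example (not from the tutorial and not JTR's own code), the Python below reads the danni.txt that "john -show" produced under SHOW MODE and turns it into a per-user audit that explains why each account fell to the quick modes. The sample text is constructed from the lines shown in that section, and the three weakness rules (derived from the login name, shorter than 8 characters, letters only) are my own assumptions about what single mode, a wordlist and -i:ALPHA catch.

```python
import re

# Constructed sample: the danni.txt the tutorial shows after running
# "john -show danni.p>danni.txt" (added example, not the tutorial's code).
SHOW_OUTPUT = """\
italia:italiano
makoto:makotox
PADWICK:PADWICKH
kelley:kelleyaj
bechtel:jbechtel
mequery:queryme
seeeee:meeeee
stevewm:stevenm

8 passwords cracked, 246 left
"""

SUMMARY_RE = re.compile(r"^(\d+) passwords? cracked, (\d+) left$")

def parse_show(text):
    """Return ({user: plaintext}, cracked, left) from 'john -show' output."""
    found, cracked, left = {}, 0, 0
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SUMMARY_RE.match(line)
        if m:
            cracked, left = int(m.group(1)), int(m.group(2))
            continue
        # passwd-style record with the hash replaced by the plaintext; only the first two fields matter
        user, _, rest = line.partition(":")
        found[user] = rest.split(":")[0]
    return found, cracked, left

def weak_reasons(user, password):
    """Assumed rules for why a password fell to the tutorial's fast modes: single mode
    builds guesses from the login name; a wordlist or -i:ALPHA covers short, letters-only ones."""
    u, p = user.lower(), password.lower()
    reasons = []
    if u in p or p in u:
        reasons.append("derived from login name")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.isalpha():
        reasons.append("letters only")
    return reasons

def audit(text):
    """Per-user weakness lists plus the fraction of accounts cracked."""
    found, cracked, left = parse_show(text)
    report = {u: weak_reasons(u, p) for u, p in found.items()}
    return report, (cracked / (cracked + left) if cracked + left else 0.0)
```

Run audit(SHOW_OUTPUT) on a real [output] file's contents to see which accounts need a password change first; the ratio is the same "cracked / total" figure the tutorial's 50% goal refers to.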