NT Gatekeeper: Using John the Ripper

I've heard a lot of great comments about the John the Ripper (JtR) password cracker, but the tool appears to be rather complex. Can you explain how to set up JtR and how to use it for basic password quality tests?

When you download JtR (which is available for free from http://www.openwall.com/john), be sure that you download the Win32 binaries. Then, extract the complete john-16w.zip file to your computer's hard disk.

Like other password-cracking tools (such as L0phtCrack), JtR operates on the password hashes stored in the Windows NT SAM database, which resides in the \winnt\repair\sam._ file. However, JtR can't retrieve the password hashes from the SAM database. To retrieve the hashes, you need a tool such as pwdump2.exe, which you can download from the BindView Web site at http://razor.bindview.com/tools/desc/pwdump2_readme.html.

To use pwdump2.exe to extract password hashes from the SAM, first extract the pwdump2 zip file, then run the Pwdump2 command from the directory that contains pwdump2.exe. For example, the command

pwdump2 >D:\john\run\passwd.lanman

dumps all password hashes from the SAM database of the system on which you're running the tool to a file called passwd.lanman and stores the file in the D:\john\run directory. If you use Notepad to open the passwd.lanman file, you'll see output that contains one line for every user account in the SAM, as Figure 3 shows. A set of colon-separated alphanumeric values that represent the password hash follows each user account name.

Next, switch to the directory that contains the JtR executable, john.exe, which by default is in the \john-16\run directory. Before starting the password-cracking process, test whether JtR is operating properly on your system:

john -test

This command starts a JtR benchmarking test that checks the JtR cracking speed for different password-hashing formats. In addition to cracking NT password hashes, JtR can crack the password hashes on FreeBSD, OpenBSD, and other UNIX systems.

When the benchmark terminates without an error, you can start the password-cracking process. JtR can do both dictionary- and brute-forceĀ­based password cracking. By default, JtR performs a dictionary-based password crack. To start that process on the password hashes in the passwd.lanman file, type the following at the command prompt:

john passwd.lanman

To start a brute-forceĀ­based password-cracking process, use the -incremental switch:

john -incremental:all passwd.lanman

When you use the -incremental switch, you must include an incremental option (e.g., all in the above example), which specifies the brute-force cracking scheme used. For details about all the incremental options and how to configure them, see the documentation that accompanies the JtR tool.

JtR saves its results in the john.pot file. To see an overview of the cracked passwords for the passwd.lanman file, type the following at the command prompt:

john -show passwd.lanman

To speed up the password-cracking process, JtR lets you use different dictionary files, test only specific password combinations, or spread the password-cracking load across different computers. By default, JtR uses the password.lst dictionary file, which contains commonly used passwords and comes with the JtR software. You can use the -wordfile switch to specify other dictionary files. For example, the command

john -wordfile:mydict.lst passwd.lanman

uses the mydict.lst dictionary file. (To find other dictionary files, do a Google or Yahoo! search for the term dictionary file.)

To test only specific password combinations, you can specify a set of password rules in a file called conf.ini, add conf.ini to the JtR configuration file, then run the tool with the -rules switch:

john -rules passwd.lanman

For more details, see the JtR documentation.

Spreading the cracking process across multiple machines significantly speeds up the process but is rather complex to set up. Spreading the load uses a different JtR restore file for every computer that participates in the cracking process. Read the JtR documentation to learn how to set up distributed cracking.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.