JOHN(8)JOHN(8)NAMEjohn - a tool to find weak passwords of your users
SYNOPSISjohn [options] password-files
DESCRIPTION
This manual page documents briefly the john command. This manual page
was written for the Debian GNU/Linux distribution because the original
program does not have a manual page. john, better known as John the
Ripper, is a tool to find weak passwords of users in a server. John can
use a dictionary or some search pattern as well as a password file to
check for passwords. John supports different cracking modes and under‐
stands many ciphertext formats, like several DES variants, MD5 and
blowfish. It can also be used to extract AFS and Windows NT passwords.
USAGE
To use John, you just need to supply it a password file and the desired
options. If no mode is specified, john will try "single" first, then
"wordlist" and finally "incremental".
Once John finds a password, it will be printed to the terminal and
saved into a file called ~/.john/john.pot. John will read this file
when it restarts so it doesn't try to crack already done passwords.
To see the cracked passwords, use
john-show passwd
Important: do this under the same directory where the password was
cracked (when using the cronjob, /var/lib/john), otherwise it won't
work.
While cracking, you can press any key for status, or Ctrl+C to abort
the session, saving point information to a file ( ~/.john/john.rec by
default). By the way, if you press Ctrl+C twice John will abort immedi‐
ately without saving. The point information is also saved every 10
minutes (configurable in the configuration file, ~/.john/john.ini or
~/.john/john.conf ) in case of a crash.
To continue an interrupted session, run:
john-restore
Now, you may notice that many accounts have a disabled shell, you can
make John ignore these (assume that shell is called /etc/expired ):
john-show -shells:-/etc/expired passwd
You might want to mail all the users who got weak passwords, to tell
them to change the passwords. It's not always a good idea though
(unfortunately, lots of people seem to ignore such mail, it can be used
as a hint for crackers, etc), but anyway, I'll assume you know what
you're doing. Get a copy of the 'mailer' script supplied with John, so
you won't change anything that's under /usr/sbin ; edit the message it
sends, and possibly the mail command inside it (especially if the pass‐
word file is from a different box than you got John running on). Then
run:
./mailer passwd
Anyway, you probably should have a look at /usr/share/doc/john/OPTIONS
for a list of all the command line options, and at
/usr/share/doc/john/EXAMPLES for more John usage examples with other
cracking modes.
OPTIONS
All the options recognized by john start with a single dash (`-'). A
summary of options is included below.
-external:MODE
Enables an external mode, using external functions defined in
~/john.ini's [List.External:MODE] section.
-format:NAME
Allows you to override the ciphertext format detection. Cur‐
rently, valid format names are DES, BSDI, MD5, BF, AFS, LM. You
can use this option when cracking or with '-test'. Note that
John can't crack password files with different ciphertext for‐
mats at the same time.
-groups:[-]GID[,..]
Tells John to load users of the specified group(s) only.
-incremental[:MODE]
Enables the incremental mode, using the specified ~/john.ini
definition (section [Incremental:MODE], or [Incremental:All] by
default).
-makechars:FILE
Generates a charset file, based on character frequencies from
~/.john/john.pot, for use with the incremental mode. The entire
~/.john/john.pot will be used for the charset file unless you
specify some password files. You can also use an external fil‐
ter() routine with this option.
-restore[:FILE]
Continues an interrupted cracking session, reading point infor‐
mation from the specified file (~/.john/john.rec by default).
-rules Enables wordlist rules, that are read from [List.Rules:Wordlist]
in /etc/john/john.conf (or the alternative configuration file
you might specify on the command line).
This option requires the -wordlist option to be passed as well.
-salts:[-]COUNT
This feature sometimes allows you to achieve better performance.
For example you can crack only some salts using '-salts:2'
faster, and then crack the rest using '-salts:-2'. Total crack‐
ing time will be about the same, but you will get some passwords
cracked earlier.
-savemem:LEVEL
You might need this option if you don't have enough memory, or
don't want John to affect other processes too much. Level 1
tells John not to waste memory on login names, so you won't see
them while cracking. Higher levels have a performance impact:
you should probably avoid using them unless John doesn't work or
gets into swap otherwise.
-session:FILE
Allows you to specify another point information file's name to
use for this cracking session. This is useful for running multi‐
ple instances of John in parallel, or just to be able to recover
an older session later, not always continue the latest one.
-shells:[-]SHELL[,..]
This option is useful to load accounts with a valid shell only,
or not to load accounts with a bad shell. You can omit the path
before a shell name, so '-shells:csh' will match both '/bin/csh'
and '/usr/bin/csh', while ´-shells:/bin/csh' will only match
'/bin/csh'.
-show Shows the cracked passwords in a convenient form. You should
also specify the password files. You can use this option while
another John is cracking, to see what it did so far.
-single
Enables the "single crack" mode, using rules from
[List.Rules:Single].
-status[:FILE]
Prints status of an interrupted or running session. To get an up
to date status information of a detached running session, send
that copy of John a SIGHUP before using this option.
-stdin These are used to enable the wordlist mode (reading from stdin).
-stdout[:LENGTH]
When used with a cracking mode, except for "single crack", makes
John print the words it generates to stdout instead of cracking.
While applying wordlist rules, the significant password length
is assumed to be LENGTH, or unlimited by default.
-test Benchmarks all the enabled ciphertext format crackers, and tests
them for correct operation at the same time.
This option does not need any file passed as argument. Its only
function is to benchmark the system john is running on.
-users:[-]LOGIN|UID[,..]
Allows you to filter a few accounts for cracking, etc. A dash
before the list can be used to invert the check (that is, load
all the users that aren't listed).
-wordlist:FILE
These are used to enable the wordlist mode, reading words from
FILE.
MODES
John can work in the following modes:
Wordlist
John will simply use a file with a list of words that will be
checked against the passwords. See RULES for the format of
wordlist files.
Single crack
In this mode, john will try to crack the password using the
login/GECOS information as passwords.
Incremental
This is the most powerful mode. John will try any character com‐
bination to resolve the password. Details about these modes can
be found in the MODES file in john's documentation, including
how to define your own cracking methods.
FILES
/etc/john/john.conf
is where you configure how john will behave.
/etc/john/john-mail.msg
has the message sent to users when their passwords are success‐
fully cracked.
/etc/john/john-mail.conf
is used to configure how john will send messages to users that
had their passwords cracked.
SEE ALSOmailer(8), unafs(8), unique(8), unshadow(8),
The programs and the configuration files are documented fully by John's
documentation, which should be available in /usr/share/doc/john or
other location, depending on your system.
AUTHOR
This manual page was written by Jordi Mallach <jordi@debian.org> and
Jeronimo Pellegrini <pellegrini@mpcnet.com.br>, for the Debian
GNU/Linux system (but may be used by others).
John the Ripper was written by Solar Designer <solar@openwall.com>.
The complete list of contributors can be found in the CREDITS file in
the documentation directory.
john June 09, 2008 JOHN(8)
