John the Ripper (JTR) 密碼暴力破解工具

簡單先隨筆紀錄一下,滾動式更新,有空有想到就會來更新一下這一篇。
之前有在鐵人賽寫過關於這個工具的介紹,這篇就算是用法的教學跟指令的參考用。
[iT邦鐵人賽][駭客工具 Day22] 密碼HASH值破解 – John the Ripper

基本用法

將想要破解的hash內容儲存到特定檔案,譬如說我儲存到一個檔案名為hashfile:

echo '900150983cd24fb0d6963f7d28e17f72' > hashfile

利用john進行hash暴力破解,用wordlist指令字典檔,用format指定hash的格式:
–wordlist 字典檔模式
–format 指定格式

john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashfile

利用show查看解出來的內容

john --show --format=raw-md5 hashfile

Usage

root@hackercat:~# john -h
John the Ripper 1.9.0-jumbo-1 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2019 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION[,..]]    "single crack" mode, using default or named rules
--single=:rule[,..]        same, using "immediate" rule(s)
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but extract words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODINGS and --list=hidden-options.
--rules[=SECTION[,..]]     enable word mangling rules (for wordlist or PRINCE
                           modes), using default or named rules
--rules=:rule[;..]]        same, using "immediate" rule(s)
--rules-stack=SECTION[,..] stacked rules, applied after regular rules or to
                           modes that otherwise don't support rules
--rules-stack=:rule[;..]   same, using "immediate" rule(s)
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask[=MASK]              mask mode using MASK (or default from john.conf)
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--subsets[=CHARSET]        "subsets" mode (see doc/SUBSETS)
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]
--session=NAME             give a new session the NAME
--status[=NAME]            print status of a session [called NAME]
--make-charset=FILE        make a charset file. It will be overwritten
--show[=left]              show cracked passwords [if =left, then uncracked]
--test[=TIME]              run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..]  [do not] load this (these) user(s) only
--groups=[-]GID[,..]       load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..]     load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX]     load salts with[out] COUNT [to MAX] hashes
--costs=[-]C[:M][,...]     load salts with[out] cost value Cn [to Mn]. For
                           tunable cost parameters, see doc/OPTIONS
--save-memory=LEVEL        enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL     this node's number range out of TOTAL count
--fork=N                   fork N processes
--pot=NAME                 pot file to use
--list=WHAT                list capabilities, see --list=help or doc/OPTIONS
--format=NAME              force hash of type NAME. The supported formats can
                           be seen with --list=formats and --list=subformats

Manual

JOHN(8)                                          System Manager's Manual                                         JOHN(8)

NAME
       john - a tool to find weak passwords of your users

SYNOPSIS
       john [options] password-files

DESCRIPTION
       This  manual page documents briefly the john command.  This manual page was written for the Debian GNU/Linux dis‐
       tribution because the original program does not have a manual page.  john, better known as John the Ripper, is  a
       tool  to  find weak passwords of users in a server. John can use a dictionary or some search pattern as well as a
       password file to check for passwords. John supports different cracking modes and understands many ciphertext for‐
       mats, like several DES variants, MD5 and blowfish. It can also be used to extract AFS and Windows NT passwords.

USAGE
       To  use  John,  you just need to supply it a password file and the desired options. If no mode is specified, john
       will try "single" first, then "wordlist" and finally "incremental".

       Once John finds a password, it will be printed to the terminal and saved into  a  file  called  ~/.john/john.pot.
       John will read this file when it restarts so it doesn't try to crack already done passwords.

       To see the cracked passwords, use

       john -show passwd

       Important:  do  this  under  the  same  directory  where  the  password  was  cracked  (when  using  the cronjob,
       /var/lib/john), otherwise it won't work.

       While cracking, you can press any key for status, or Ctrl+C to abort the session, saving point information  to  a
       file  (  ~/.john/john.rec  by default). By the way, if you press Ctrl+C twice John will abort immediately without
       saving.  The point information  is  also  saved  every  10  minutes  (configurable  in  the  configuration  file,
       ~/.john/john.ini or ~/.john/john.conf ) in case of a crash.

       To continue an interrupted session, run:

       john -restore

       Now,  you  may notice that many accounts have a disabled shell, you can make John ignore these (assume that shell
       is called /etc/expired ):

       john -show -shells:-/etc/expired passwd

       You might want to mail all the users who got weak passwords, to tell them to change the passwords. It's  not  al‐
       ways  a  good  idea  though (unfortunately, lots of people seem to ignore such mail, it can be used as a hint for
       crackers, etc), but anyway, I'll assume you know what you're doing. Get a copy of the  'mailer'  script  supplied
       with John, so you won't change anything that's under /usr/sbin ; edit the message it sends, and possibly the mail
       command inside it (especially if the password file is from a different box than you got John running  on).   Then
       run:

        ./mailer passwd

       Anyway,  you  probably  should  have a look at /usr/share/doc/john/OPTIONS for a list of all the command line op‐
       tions, and at /usr/share/doc/john/EXAMPLES for more John usage examples with other cracking modes.

OPTIONS
       All the options recognized by john start with a single dash (`-').  A summary of options is included below.

       -external:MODE
              Enables an external mode, using external functions defined in ~/john.ini's [List.External:MODE] section.

       -format:NAME
              Allows you to override the ciphertext format detection. Currently, valid format names are DES, BSDI,  MD5,
              BF,  AFS,  LM.  You can use this option when cracking or with '-test'. Note that John can't crack password
              files with different ciphertext formats at the same time.

       -groups:[-]GID[,..]
              Tells John to load users of the specified group(s) only.

       -incremental[:MODE]
              Enables the incremental mode, using the specified ~/john.ini definition  (section  [Incremental:MODE],  or
              [Incremental:All] by default).

       -makechars:FILE
              Generates a charset file, based on character frequencies from ~/.john/john.pot, for use with the incremen‐
              tal mode. The entire ~/.john/john.pot will be used for the charset file unless you specify  some  password
              files. You can also use an external filter() routine with this option.

       -restore[:FILE]
              Continues   an   interrupted   cracking  session,  reading  point  information  from  the  specified  file
              (~/.john/john.rec by default).

       -rules Enables wordlist rules, that are read from [List.Rules:Wordlist] in /etc/john/john.conf (or  the  alterna‐
              tive configuration file you might specify on the command line).
              This option requires the -wordlist option to be passed as well.

       -salts:[-]COUNT
              This feature sometimes allows you to achieve better performance. For example you can crack only some salts
              using '-salts:2' faster, and then crack the rest using '-salts:-2'. Total cracking time will be about  the
              same, but you will get some passwords cracked earlier.

       -savemem:LEVEL
              You  might  need this option if you don't have enough memory, or don't want John to affect other processes
              too much. Level 1 tells John not to waste memory on login names, so you won't  see  them  while  cracking.
              Higher  levels have a performance impact: you should probably avoid using them unless John doesn't work or
              gets into swap otherwise.

       -session:FILE
              Allows you to specify another point information file's name to use for this cracking session. This is use‐
              ful  for  running  multiple  instances of John in parallel, or just to be able to recover an older session
              later, not always continue the latest one.

       -shells:[-]SHELL[,..]
              This option is useful to load accounts with a valid shell only, or not to load accounts with a bad  shell.
              You can omit the path before a shell name, so '-shells:csh' will match both '/bin/csh' and '/usr/bin/csh',
              while ´-shells:/bin/csh' will only match '/bin/csh'.

       -show  Shows the cracked passwords in a convenient form. You should also specify the password files. You can  use
              this option while another John is cracking, to see what it did so far.

       -single
              Enables the "single crack" mode, using rules from [List.Rules:Single].

       -status[:FILE]
              Prints  status of an interrupted or running session. To get an up to date status information of a detached
              running session, send that copy of John a SIGHUP before using this option.

       -stdin These are used to enable the wordlist mode (reading from stdin).

       -stdout[:LENGTH]
              When used with a cracking mode, except for "single crack", makes John print the words it generates to std‐
              out  instead  of cracking. While applying wordlist rules, the significant password length is assumed to be
              LENGTH, or unlimited by default.

       -test  Benchmarks all the enabled ciphertext format crackers, and tests them for correct operation  at  the  same
              time.
              This  option  does not need any file passed as argument. Its only function is to benchmark the system john
              is running on.

       -users:[-]LOGIN|UID[,..]
              Allows you to filter a few accounts for cracking, etc. A dash before the list can be used  to  invert  the
              check (that is, load all the users that aren't listed).

       -wordlist:FILE
              These are used to enable the wordlist mode, reading words from FILE.

MODES
       John can work in the following modes:

       Wordlist
              John will simply use a file with a list of words that will be checked against the passwords. See RULES for
              the format of wordlist files.

       Single crack
              In this mode, john will try to crack the password using the login/GECOS information as passwords.

       Incremental
              This is the most powerful mode. John will try any character combination to resolve the password.   Details
              about these modes can be found in the MODES file in john's documentation, including how to define your own
              cracking methods.

FILES
       /etc/john/john.conf
              is where you configure how john will behave.

       /etc/john/john-mail.msg
              has the message sent to users when their passwords are successfully cracked.

       /etc/john/john-mail.conf
              is used to configure how john will send messages to users that had their passwords cracked.

SEE ALSO
       mailer(8), unafs(8), unique(8), unshadow(8),

       The programs and the configuration files are documented fully by John's documentation, which should be  available
       in /usr/share/doc/john or other location, depending on your system.

AUTHOR
       This  manual  page  was  written  by  Jordi  Mallach <jordi@debian.org> and Jeronimo  Pellegrini <pellegrini@mpc‐
       net.com.br>, for the Debian GNU/Linux system (but may be used by others).
       John the Ripper was written by Solar Designer <solar@openwall.com>.  The complete list  of  contributors  can  be
       found in the CREDITS file in the documentation directory.

john                                                  June 09, 2008                                              JOHN(8)

發佈留言

Close Menu