Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

John the Ripper FAQ.

The latest version of this FAQ may be viewed online at:

	http://www.openwall.com/john/doc/FAQ.shtml

Help! I can't run John.

If you're not familiar with your OS, you should probably not be using John in the first place since John is primarily a tool for system administrators. This is starting to change with the "community enhanced" -jumbo versions' support for things such as password-protected archives, though.

Here are the answers to a few (not very) common questions to avoid having them asked over and over and for amusement. For more serious matters, please skip over to the next section.

Q: When I type "john" (or "john passwd", etc.), it says "command not found" (or equivalent)?!
A: The examples given in John the Ripper documentation assume that you know how to invoke newly-built programs from your shell. On Unix-like systems, it is typical to not have "." (the current directory) in your $PATH (the list of directories to search for programs). In that case, you need to type "./john" (dot, slash, and "john", without the quotes) to invoke the John binary executable located in the current directory.

Q: ...but I am on a Unix-like system and I don't seem to readily have a John binary executable.
A: Please follow the instructions in INSTALL.

Q: When I double-click on "john.exe", a window flashes and disappears?!
A: You're not supposed to click. You're supposed to run John from a command-line shell. On Windows, some of those shells would be cmd.exe, command.com, or bash (the latter is available with Cygwin).

Other typical new user questions.

Q: How do I start John on my password file, use a specific cracking mode, see the passwords it cracked, etc?
A: See README and EXAMPLES. :-)

Q: Why doesn't John load my password file? It says "No password hashes loaded", "No password hashes loaded (see FAQ)", or "No password hashes left to crack (see FAQ)".
A: Your password file taken from a Unix-like system might be shadowed. You need to get both /etc/passwd and the shadow file (typically /etc/shadow or /etc/master.passwd), and combine them into one file using "unshadow" (which is supplied with John). Please refer to EXAMPLES.
A: All of the password hashes found in the file (that are of the same type as the very first recognized hash in the file unless you're using the "--format=..." option) might be already cracked by previous invocations of John. (The message printed in that case has been changed to "No password hashes left to crack (see FAQ)" starting with version 1.7.7.) To display cracked passwords, use "john --show" on your password hash file(s). To force John to crack those same hashes again, remove the john.pot file.
A: With PWDUMP-format files, John focuses on LM rather than NTLM hashes by default, and it might not load any hashes at all if there are no LM hashes to crack. To have JtR Pro or a -jumbo version focus on NTLM hashes instead, you need to pass the "--format=nt" option.
A: If you're using the "--format" option, try dropping it. Except for the special case mentioned in the answer above, "--format" is normally a way to choose one of multiple hash/cipher types found in the same file or to clarify the hash/cipher type if it would otherwise be ambiguous (e.g., a 32 hexadecimal character string may correspond to one of many distinct hash types). That is, you normally only need to use "--format" when John would otherwise misdetect your hash/cipher type (e.g., when it says LM and you know that your hashes are in fact raw MD5, you'd use "--format=raw-md5" with -jumbo) or if it would load undesired entries from the file. If John does not load anything, then your use of "--format" is probably unreasonable (or you should be using a different version/build of John - see the answer below).
A: Your password hash or cipher type(s) might not be supported by John, or at least by the version and build of John that you're using. If you're using a non-jumbo version, you will likely want to try -jumbo instead, which supports a lot of additional hash and cipher types (e.g., you currently need -jumbo for raw MD5). If unsuccessful with that and if other answers (above and below this one) don't apply, please post a note to the mailing list (see CONTACT) including a sample password file line that John does not load (please make sure that the password is already changed by the time you post).
A: John only loads properly formatted text files directly. It can load /etc/passwd and PWDUMP format files. Starting with version 1.7.6, it can also load text files containing one password hash per line (and nothing else on that line). Some other file formats are supported via extra tools (supplied with John): unafs (Kerberos AFS database files), undrop (Eggdrop IRC bot userfiles), ssh2john (OpenSSH private keys), pdf2john (some password-protected PDF files), rar2john (some password-protected RAR archives), zip2john (some password-protected PKZIP and WinZip archives). You need -jumbo for most of these. To use the proper one of these (for your file format), run it on your file(s) and redirect the output to a new file (using your shell's output redirection feature - e.g., "./ssh2john ~/.ssh/id_rsa > sshpasswd"). Then run John on the resulting file (e.g., "./john sshpasswd").
A: The file you're trying to run John on might in fact not be a password file at all.
A: Your command line syntax might be wrong, resulting in John trying to load a wrong file.

Q: John appears to misdetect my hash type. I have raw MD5 hashes from a web application, but John wrongly says they're LM hashes. How do I get them detected correctly?
A: Some hash and cipher types use ambiguous encodings - e.g., a 32 hexadecimal character string may correspond to one of many hash types, including raw MD5, LM, NTLM, and many others supported in -jumbo. First of all, you need a version and build of John that supports your hash and cipher type. Starting with version 1.7.7 (and 1.7.7-jumbo*) John will suggest alternate hash and cipher types for encodings that it finds ambiguous (that is, those corresponding to more than one of its supported hash and cipher types). When doing so, it will suggest specific "--format=..." options to use. For example, when you run a recent enough -jumbo version on raw MD5 hashes, it loads those as LM (because they could in fact be LM, as well as for compatibility with non-jumbo), but it suggests that you use "--format=raw-md5", which is what you should in fact use in this case. It makes other suggestions as well because it does not know whether your hashes are raw MD5 or something else. You're supposed to know this and choose the right one of the suggested "--format=..." options. If you're not getting a suggestion like this from John 1.7.7 or newer even though you're not yet using the "--format" option, this means that your version and build of John does not recognize the encodings as ambiguous, which may mean that it does not support the actual hash or cipher type that you have in mind. If you're already using the "--format" option, try dropping the option to receive the suggestions. If you're using a non-jumbo version of John, the first step is for you to try -jumbo instead. As of this writing, you do need -jumbo for some popular hash types such as raw MD5 and NTLM.

Q: What do the various numbers printed on the status line mean?
A: As of version 1.8.0, the status line may include: successful guess count ("g"), session duration (in the D:HH:MM:SS format for days, hours, minutes, and seconds), progress indicator (percent done and optionally pass number out of the total number of passes), up to four speed metrics ("g/s", "p/s", "c/s", and "C/s"), and the current (range of) candidate password(s) being tested (John is often able to test multiple candidate passwords in parallel for better performance, hence a range). The four speed metrics are as follows: g/s is successful guesses per second (so it'll stay at 0 until at least one password is cracked), p/s is candidate passwords tested per second, c/s is "crypts" (password hash or cipher computations) per second, and C/s is combinations of candidate password and target hash per second. Versions of John prior to 1.8.0 displayed only the C/s rate (calling it c/s). When you restore a pre-1.8.0 session with version 1.8.0 or newer, only the g/s and C/s rates will be displayed, because the older .rec file format lacked information needed to compute p/s and c/s.

Q: I am running John for 10 days and it is still not finished?!
Q: How long should I expect John to run?
A: It primarily depends on the cracking mode(s) and on your password files (in particular, the type of hashes and the number of different salts, if applicable). Most importantly, you should note that the "incremental" mode, which a default John run (with no command line options) proceeds with after being done with the quicker checks, is not supposed to terminate in a reasonable time. It is up to you to decide how long you're going to let it run, then consider any uncracked passwords strong enough. "Single crack" mode runs typically take from under a second to one day (depending on the type and number of password hashes). Wordlist mode runs may also be quick (under a second) for tiny wordlists and fast hashes or they may take multiple days with large wordlists, with word mangling rules, and with slow hash types and substantial numbers of different salts. The status line John reports whenever you hit a key includes a progress indicator (percent complete) for "single crack" and wordlist modes. With no cracking mode requested explicitly, John will start with "single crack" mode (pass 1), then proceed with wordlist mode (pass 2), and finally with "incremental" mode (pass 3). The pass numbers are reported on the status line, too. It is reasonable to let John reach "incremental" mode (pass 3) and run that for a while (some days). You will notice that John's success rate (the number of passwords cracked per hour or per day) will be dropping rapidly. When you determine that the success rate is low enough, you interrupt John.

Q: Does John support multi-processing or distributed processing?
A: Yes, but you need to explicitly enable this if desired. Starting with version 1.8.0, there's the "--fork" option on Unix-like systems (to make use of multiple CPUs and/or CPU cores in a single system) and the "--node" option on all systems (this one allows for a trivial form of distributed processing). The "--fork" and "--node" options may also be used together. Please refer to OPTIONS for a description of these options. Additionally, there's built-in parallel processing support using OpenMP for all crypt(3) hash flavors (DES-, MD5-, and Blowfish-based) supported by John natively, and when running on Linux or Solaris also for the underlying system's thread-safe password hashing function. The latter is only reasonable to use for crypt(3) hash types not yet supported by John natively (such as for glibc 2.7+ SHA-crypt hashes as used by recent versions of Fedora and Ubuntu, and for SunMD5 hashes, which may optionally be enabled on Solaris). In "community enhanced" -jumbo versions, parallelization with OpenMP is also supported for many (but not all) of the hash and cipher types added in those versions (including for their built-in implementation of SHA-crypt). To use John's OpenMP support, you need to either use an existing OpenMP-enabled build (e.g., "john-omp.exe" on Windows) or make an OpenMP-enabled build by uncommenting one of the OMPFLAGS lines near the beginning of Makefile. This requires GCC 4.2 or newer, or another OpenMP-capable C compiler. For other hash or cipher types and/or to distribute the workload between multiple machines, other approaches need to be used. One of those approaches is to use the "--fork" and "--node" options. For a very small number of nodes (CPUs, CPU cores, and/or machines), it is also reasonable to use a manual approach, such as to have your nodes try different password lengths. This is easily accomplished with "incremental" mode's "MinLen" and "MaxLen" settings (see CONFIG). You might not need to split the workload for "single crack" and wordlist modes since these are typically relatively quick, although "--fork" and "--node" are supported for these modes too. You may safely run multiple instances of John in the same working directory, all writing to the same "pot file" (this is a feature). You do, however, need to assign each of them a unique session name, with "--session" (please note that doing so does not eliminate the need to also distribute the workload with "--node" or otherwise, as discussed above). Other approaches, such as splitting password files naively (without regard to salts), are typically less efficient (in some cases to the extent where there's no speedup from using multiple nodes at all). Some other approaches, such as using MPI, are listed on the wiki at: http://openwall.info/wiki/john/parallelization

Q: Where do I get wordlists for use with John?
A: http://www.openwall.com/wordlists/

Q: Where do I get new versions of John the Ripper?
Q: Where do I get the source code for John?
Q: I only have the source code for John the Ripper, where do I get it pre-compiled for my OS (if supported)?
Q: What is the primary website for John the Ripper?
A: http://www.openwall.com/john/

Q: How can I contact you (the author)?
A: See CONTACT.

Questions sometimes asked by existing users.

Q: I've recently switched my system to Blowfish-based password hashes, but there are still some DES-based and MD5-based hashes in the password file. How do I handle multiple hash types in one file?
A: Use the "--format=..." option to tell John which hashes you would like it to load. Unfortunately, you will have to run John for each hash type separately. This requirement may sometimes be avoided with the use of "--format=crypt", but this is not recommended. Please see the description of the "--format" option in OPTIONS for more detail.

Q: I have 10 users, but John said it loaded 15 password hashes. What's going on?
A: Some extremely poorly designed hash types (Windows LM hashes and DES-based crypt(3) hashes known as "bigcrypt") have a property that allows John to split their encodings into two separate hashes (corresponding to "halves" of plaintext passwords) on load. John then proceeds to crack those hashes separately, so at a given time it might have only one of two halves of some passwords cracked. If interrupted and restarted, it would need to only load the hashes that correspond to uncracked password halves, so the number of such hashes is what John reports (in all cases, for consistency).

Q: Are the strings tried with "-i" ("incremental" mode) random? They certainly look like they are almost random.
A: No, they are not. No single candidate password will be tried for a second time and the order in which they are tried is in fact very smart: it is based on frequencies of different trigraphs, stored and processed separately for each character position and for each password length.

Q: Why doesn't John display a progress indicator for the "incremental" mode?
A: Do you really want to see a 0% all the time? As explained in MODES, "incremental" mode is not supposed to terminate in a reasonable time. (There are a few exceptions to this, so a progress indicator has been added in -jumbo and it might be added in official versions later.)

Q: I just noticed that the p/s, c/s, and C/s rates reported while using "incremental" mode are a lot lower than they are with other cracking modes. Why is that?
A: You're probably running John for a few seconds only. The current "incremental" mode implementation uses large character sets, which need to be expanded into even larger data structures in memory each time John switches to a different password length. Fortunately, this is only noticeable when John has just started since the length switches become rare after a few minutes. For long-living sessions, which is where we care about performance the most, this overhead is negligible. This is a very low price for the better order of candidate passwords tried.

Q: What are the "real" and "virtual" c/s rates as reported by "--test" (on Unix-like operating systems)?
A: These correspond to real and virtual (processor) time, respectively. The two results would differ when the system is under other load, with the "virtual" c/s rate indicating roughly what you could expect to get from the same machine if it were not loaded.

Q: How can I test John's password hashing routines for proper operation?
A: John always performs a self-test when you run it on a password file and refuses to work if an error occurs. If you need to test all of the low-level routines at once, use "--test".

Q: What is the format of the crash recovery files ("john.rec", other .rec's)? What do the numbers mean?
A: The format of these files is deliberately undocumented and is subject to change without notice. (However, each release of John the Ripper is likely to be able to read .rec files produced by at least the immediately preceding release. Whenever compatibility is broken, John will refuse to recover the session, leaving the .rec file intact.) Although the meaning of some of the numbers that get into .rec files is trivial to explain, it is not possible to reasonably describe some others without going into great detail on John internals. If you really need to know, read the source code.

$Owl: Owl/packages/john/john/doc/FAQ,v 1.34 2013/05/29 22:44:35 solar Exp $

Powered by Openwall GNU/*/Linux - Powered by OpenVZ