John the Ripper in the cloud
John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. John the Ripper jumbo supports hundreds of hash and cipher types, including those for: user passwords of Unix flavors (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, "web apps" (e.g., WordPress), groupware (e.g., Notes/Domino), and database servers (SQL, LDAP, etc.); network traffic captures (Windows network authentication, WiFi WPA-PSK, etc.); encrypted private keys (SSH, GnuPG, cryptocurrency wallets, etc.), filesystems and disks (macOS .dmg files and "sparse bundles", Windows BitLocker, etc.), archives (ZIP, RAR, 7z), and document files (PDF, Microsoft Office, etc.). These are just some examples; there are many more.
As an alternative to running John the Ripper on your own computer, you can run it in the cloud. We provide a pre-generated Amazon Machine Image (AMI) called Openwall Password Recovery and Password Security Auditing Bundle, which lets you start password recovery or a password security audit in minutes if you've used Amazon Web Services before (otherwise, you need to sign up first).
The Bundle features Amazon Linux 2 along with John the Ripper jumbo pre-built and pre-configured with multi-GPU (via OpenCL) and multi-CPU support (with AVX-512, AVX2, and AVX acceleration, and transparent fallback when run on older CPUs lacking the latest AVX extensions). The Bundle has been tested on both GPU-enabled and CPU-only AWS instances.
Also included are the "all.lst" multi-lingual wordlist (20+ languages) from the Openwall wordlists collection, and sample Unix and Windows password hashes for testing and learning how to use the software.
Proceed to subscribe to the Bundle and launch your first virtual machine:
Paid usage of the Bundle supports our Open Source project. In fact, this might be one of your reasons to use the Bundle as opposed to building from source on your own, especially if you manage an AWS account for an organization that benefits from our software and can afford to contribute back.
For hash and cipher types that we include OpenCL support for, we recommend current generation GPU instance type p3.2xlarge (or larger), which features NVIDIA Tesla V100 GPU(s). For hash and cipher types that we only support on CPU and in special cases where CPUs are more efficient, we recommend current generation Compute Optimized instance types c5.24xlarge (Intel Xeon, AVX-512) or c5a.24xlarge (AMD EPYC, AVX2). If in doubt, give several of these a try at your specific task.
Connect to your instance using an SSH client (on Windows, you can use PuTTY). To keep and reconnect to a running John the Ripper session across SSH disconnects/reconnects, use one of the tools screen or tmux, both of which are pre-installed in our AMI.
For major cost savings, we recommend spot instances, where you bid a maximum per hour price and are charged the current market price. A typical spot price is 2 to 3+ times lower than the regular on-demand price. (This applies to AWS service fees only. The charges for our Bundle are on top of those, and are the same for spot and on-demand instances. Nevertheless, you'd typically halve your total costs by using spot instances.) When launching from AWS Marketplace, choose "Launch through EC2" instead of "Launch from Website". This gets you to the 7-step "Launch instance wizard". On "Step 3: Configure Instance Details", check the "Request Spot instances" box and enter a "Maximum price" no lower than one of the current prices. Under "Subnet", choose an option matching an "Availability Zone" for which a low enough current price was listed.
A spot instance might be interrupted if the market price exceeds your bid. One way not to lose your work-in-progress if a spot instance gets interrupted is to uncheck the "Delete on Termination" box on "Step 4: Add Storage". You can then effectively recover your instance by creating a snapshot from the terminated instance's volume, creating an AMI from the snapshot, and launching an instance from the AMI. You'll need to run the "john --restore" command to continue from where the work was interrupted.
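The recovery sequence described above, written as an AWS CLI script. This is an added example, not part of the Bundle or Openwall's documentation; it assumes an x86_64 HVM instance whose root device is /dev/xvda (the Amazon Linux 2 default) and a configured AWS CLI, and the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not Openwall's code): rebuild an interrupted spot instance
# from its preserved root volume so the session can be resumed.
# Assumptions: x86_64 HVM image, root device /dev/xvda, AWS CLI configured
# with credentials and a default region. recover_instance is a made-up name.

recover_instance() {
    ri_vol=$1 ri_type=$2 ri_key=$3 ri_sg=$4
    if [ -z "$ri_vol" ] || [ -z "$ri_type" ] || [ -z "$ri_key" ] || [ -z "$ri_sg" ]; then
        echo "usage: recover_instance VOLUME_ID INSTANCE_TYPE KEY_NAME SECURITY_GROUP_ID" >&2
        return 2
    fi

    # 1. Snapshot the volume that survived termination
    #    ("Delete on Termination" was unchecked at launch).
    ri_snap=$(aws ec2 create-snapshot --volume-id "$ri_vol" \
        --description "John the Ripper session recovery" \
        --query SnapshotId --output text) || return 1
    aws ec2 wait snapshot-completed --snapshot-ids "$ri_snap" >&2 || return 1

    # 2. Register an AMI whose root device is backed by that snapshot.
    ri_ami=$(aws ec2 register-image \
        --name "john-recovered-$(date +%Y%m%d%H%M%S)" \
        --architecture x86_64 --virtualization-type hvm --ena-support \
        --root-device-name /dev/xvda \
        --block-device-mappings "DeviceName=/dev/xvda,Ebs={SnapshotId=$ri_snap}" \
        --query ImageId --output text) || return 1
    aws ec2 wait image-available --image-ids "$ri_ami" >&2 || return 1

    # 3. Launch a replacement instance from the new AMI; prints its instance ID.
    aws ec2 run-instances --image-id "$ri_ami" --instance-type "$ri_type" \
        --key-name "$ri_key" --security-group-ids "$ri_sg" \
        --query 'Instances[0].InstanceId' --output text || return 1

    echo "Next: connect over SSH and run: john --restore" >&2
}

# Stand-alone use: sh recover.sh VOLUME_ID INSTANCE_TYPE KEY_NAME SECURITY_GROUP_ID
if [ "$#" -eq 4 ]; then recover_instance "$@"; fi
```

The snapshot and the registered AMI continue to incur storage charges until you delete them.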
If you're new to AWS, you'll likely find that you need to request a service quota increase before you're able to launch the large instances that we recommend, and to launch them as spot instances.
We don't charge for usage of the Bundle on nano and micro sized instances. Out of those, t2.micro is eligible for AWS free tier, which provides free usage of some AWS services for the first year for new AWS users. Outside of the free tier, t3.micro is better. Of course, such instances are unsuitable for serious usage of the Bundle (especially as they're so-called "burstable" instances, with long-term vCPU utilization limited e.g. to just 10% of one vCPU on t2.micro), but you can use them for getting acquainted with the Bundle at no or little cost, and they just might succeed in recovering the weakest passwords despite being extremely limited performance-wise. Once your service quota permits, we recommend at least c5.large (which isn't "burstable", allowing sustained 100% vCPU utilization).
For free community support on (semi-)advanced questions or issues (if you know half the answer), please join the public john-users mailing list and post in there. For general customer support, please e-mail us at <john-cloud-support at openwall.com>.
You can browse the documentation for John the Ripper core online. Also relevant is our presentation on the history of password security.
Demo of Apple macOS .dmg file password recovery using a GPU in the cloud: