John The Ripper

John the Ripper (JTR) is a free, open-source software tool used by hackers, both ethical and otherwise, for password cracking. The software is typically used in a UNIV/Linux and Mac OS X environment where it can detect weak passwords. 

John the Ripper jumbo supports many cipher and hash types. This includes the user passwords for all of the Unix variants (Linux, *BSD, Solaris, AIX, QNX, etc.), macOS, Windows, network traffic captures (Windows network auth, WiFi WPA-PSK, and more), encrypted private keys, filesystems and disks, archive formats (ZIP, RAR, etc.), certain web applications such as WordPress, groupware, and database servers such as SQL and LDAP, and document files such as Adobe PDF, Microsoft 365 Office, and more.

Ethical hackers and penetration testers prefer John the Ripper software because of its ability to detect password hash types automatically. JTR can run several types of attacks to include the classic dictionary attack as well as a brute force attack.  JTR also offers a business version of the product called “John the Ripper Professional.” You can download JTR here. 

Types of Password Attacks

A dictionary attack attempts unauthorized entry to a computer using dictionary words or some other library of terms to generate variations of possible passwords. A brute force attack uses trial and error to break passwords. A password spray attack uses a popular password or set of popular passwords in an attempt to discover one that will work. In any case, when a password is identified, credential stuffing, or trying the newly found password across all of the websites associated with that user, may also net additional successfully breached data.

The difference with a brute force attack is that a very large number of key possibilities must be checked. In the dictionary attack, only words with the greatest possibility of success are tested. For this reason, dictionary attacks generally consume less time than brute force attacks.

The rate at which John the Ripper will guess the password is going to depends on the password’s strength and the offered wordlist. JTR will keep attempting to break the password continuously unless there is a termination command.

John the Ripper Key Features

John the Ripper is fast and replete with many key features. JTR combines several cracking modes in one program and is fully configurable. Also, JTR is available for several different platforms which enables you to use the same password cracking tool everywhere.

John the Ripper supports and detects the following Unix crypt(3) hash types: 

• Traditional DES-based; \OpenBSD Blowfish-based;
• Kerberos/AFS;
• FreeBSD MD5-based which is also used on Linux and in Cisco IOS; 
• BSDI extended DES-based; 
• Windows LM (DES-based) hashes; and,
• DES-based tripcodes.

Attack Mitigation

You can protect your organization from password cracking attacks by following ways:

• Choose a randomized mix of upper and lower case letters, numbers and special characters.
• Passwords must be as long as possible. Longer passwords are harder to break and take more time.
• Passwords should be frequently changed.
• Utilize an account lockout mechanism. 
• Physically protect domain-joined Windows systems. If attackers have physical access to a domain-joined system then they can download a copy of the Windows Security Account Manager (SAM). SAM contains password hashes for the accounts used on the machine. Once they have the SAM, a threat actor can then use rainbow tables or a brute force attack against the SAM that they have downloaded, thereby giving them the opportunity to crack the password without having to worry about accounts being locked out. Note that a rainbow table is a precomputed table for caching the output of cryptographic hash functions which are used for breaking passwords.

Long passwords alone will not completely stop a brute force attack. Threat actors will often combine brute force attacks with a dictionary attack. The password breaking process will start with a brute force attack. This brute force attack is designed to try every possible password combination up to a certain length which may be about four to six characters. Once that is done, the software algorithms then use dictionary words to break any passwords that were not compromised through brute force.

Sometimes the organization’s minimum password length is determined through social engineering. In the event that an attacker learns that an organization requires a minimum password length of eight characters that is critical information. In that case, the attacker doesn’t need to work on breaking smaller passwords. This reduction in the number possible solutions shotends the time to perform a brute force attack. 

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.