John The Ripper Multi Core

Return to site

John The Ripper Multi Core

John The Ripper Multi Core Bits
John Ripper Download
John The Ripper Multi Core Bit
Free Download John The Ripper
We will use John the Ripper (JtR) which is a remarkable piece of software. Extremely feature rich, very fast, free and actively maintained. Today is still one of the best tools available for password cracking – definitely the best when using CPUs'. John the Ripper 1.7.6+ includes built-in parallelization for multi-CPU and/or multi-core systems by means of OpenMP directives. In 1.7.6, this was limited to bcrypt hashes (with JtR's own optimized code) and SHA-crypt and SunMD5 hashes on recent Linux and Solaris systems (with system-provided thread-safe crypto code). John the Ripper is a free software cracking tool through which you can crack the password of different file formats. It is a free and open-source software tool, it can be somewhat complex to install and use it. Don't worry, here we have elaborated. John the Ripper is a multi-platform cryptography testing tool that works on Unix, Linux, Windows and MacOS. It allows system administrators and security penetration testers to launch brute force attacks to test the strength of any system password. It can be used to test encryptions such as DES, SHA-1 and many others.
As part of a project recently I got the chance to play with a 36 core instance on AWS (c4.8xlarge) for some password cracking related activities. To get hashcat and john up and running with multi-core is a little fiddly (it's not download and crack), so I thought I'd document the setup and show some benchmarks with hashcat and John the Ripper utilising 36 cores. In order to select the 36 core instance you'll need to use a HVM (hardware virtual machine) enabled machine image. I used the Ubuntu Server 14.04 LTS image.
I'll be assuming you can reach the point of setup where you are logging into your freshly set-up machine on AWS (if you're following along to set this up yourself). If you need help setting up a box on AWS, there's a getting started guide from amazon to get you going.
The bench marks from this will differ depending on attack type, rules, and what hash type is being attacked, so take these results with a pinch of salt. Both hashcat and john both have different benchmark outputs. John only shows the benchmarks of the algorithms it was compiled with (as far as i'm away).
hashcatUsually the GPU version of hashcat is the tool of choice for me when it comes to password cracking. However, on this occasion I was interested in experimenting and benchmarking with CPU only.
SetupThe setup for multicore hashcat is pretty straight forward. Installing libgmp3-dev was required in order to run multicore. Multiple core support is provided by default. You'll need to download p7zip-full to extract the download a bit further on (7z).
After this it was just a case of downloading and installing the latest version of hashcat.
The EULA needed to be accepted proceeding with using hashcat, here's a quick copy paste way to get the prompt up, I guess:
‘OH NO! I got this!'
No you didn't, because you did the apt-get install from earlier…
BenchmarksBenchmarking is simple enough with hashcat using the --benchmark or -b option. Here's the output (it's a bit long):

 Assassin's Creed: Revelations became the final part of the series of exciting adventures of the assassin Ezio Auditore da Firenze. Although in this game the main character is already over 50, he still climbs the highest walls with dexterity and controls weapons.
John the RipperI compiled John from source so there were a few extra steps involved. If I try this again at some point i'll try and setup the community edition of John for some of the added functionality.
SetupSince there's some compiling to do I grabbed build-essentail. libssl-dev is required for john.
Next I pulled down the latest release of john the ripper (1.8.0 at the time or writing) and extracted. If you're using these notes in the future you might have to change the URL below (or at least check to see if there's a newer version out).
Time to compile. The OMPFLAGS need to be uncommented in the make file.
The following lines needed changing…
.to (lines uncommented):
After changing I saved the file then ran the following to compile.
With any luck the john binary will be in the run folder ready to be played with.
BenchmarksJohn comes with a --test option for benchmarking.

Thoughts on AWSSome of the speeds reported aren't bad, but not great. Most decent GPUs will do much better against some of the easy algorithms such as MD5, NTLM etc.
Looking into spot instances on AWS (instances run at cheaper rates when available) could be an option for those automating a password cracking business in the cloud.
This was really just a close look at using a high core count on AWS. Maybe in the future i'll get around to delving a bit deeper into this approach to password cracking.
The glory of htopIncremental Mode
John The Ripper Multi Core Bitsread https://www.openwall.com/john/doc/MODES.shtml
This is the most powerful cracking mode, it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large (actually, it will terminate if you set a low password length limit or make it use a small charset), and you'll have to interrupt it earlier. Compaq presario v2000.
That's one reason why this mode deals with trigraph frequencies, separately for each character position and for each password length, to crack as many passwords as possible within a limited time.
To use the mode you need a specific definition for the mode's parameters, including password length limits and the charset to use. These parameters are defined in the configuration file sections called [Incremental:MODE], where MODE is any name that you assign to the mode (it's the name that you will need to specify on John's command line). You can either use a pre-defined incremental mode definition or define a custom one.
As of version 1.8.0, pre-defined incremental modes are 'ASCII' (all 95 printable ASCII characters), 'LM_ASCII' (for use on LM hashes), 'Alnum' (all 62 alphanumeric characters), 'Alpha' (all 52 letters), 'LowerNum' (lowercase letters plus digits, for 36 total), 'UpperNum' (uppercase letters plus digits, for 36 total), 'LowerSpace' (lowercase letters plus space, for 27 total), 'Lower' (lowercase letters), 'Upper' (uppercase letters), and 'Digits' (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for 'LM_ASCII' (where password portions input to the LM hash halves are assumed to be truncated at length 7) and 'Digits' (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download.
John Ripper DownloadUsing masks
read https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/MASK
Checking for GPU support
Cracking ZIP and RAR protected filesread https://dfir.science/2014/07/how-to-cracking-zip-and-rar-protected.html
How-to - Cracking ZIP and RAR protected files with John the Ripper
After seeing how to compile John the Ripper to use all your computer's processors now we can use it for some tasks that may be useful to digital forensic investigators: getting around passwords. Today we will focus on cracking passwords for ZIP and RAR archive files. Luckily, the JtR community has done most of the hard work for us. For this to work you need to have built the community version of John the Ripper since it has extra utilities for ZIP and RAR files.
For this exercise I have created password protected RAR and ZIP files, that each contain two files.
The password for the rar file is 'test1234' and the password for the zip file is 'test4321'.
In the 'run' folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called 'zip2john' and 'rar2john'. Run them against their respective file types to extract the password hashes:
This will give you files that contain the password hashes to be cracked.. something like this:
After, that you can run John the Ripper directly on the password hash files:
You should get a message like: Loaded 1 password hash (PKZIP [32/64]). By using John with no options it will use its default order of cracking modes. See the examples page for more information on modes.
Notice, in this case we are not using explicit dictionaries. You could potentially speed the cracking process up if you have an idea what the password may be. If you look at your processor usage, if only one is maxed out, then you did not enable OpenMP when building. If you have a multi-processor system, it will greatly speed up the cracking process.
Now sit back and wait for the cracking to finish. On a 64bit quad-core i7 system, without using GPU, and while doing some other CPU-intensive tasks, the password was cracked in 6.5 hours.

 Assassin's Creed: Revelations became the final part of the series of exciting adventures of the assassin Ezio Auditore da Firenze. Although in this game the main character is already over 50, he still climbs the highest walls with dexterity and controls weapons.
John the RipperI compiled John from source so there were a few extra steps involved. If I try this again at some point i'll try and setup the community edition of John for some of the added functionality.
SetupSince there's some compiling to do I grabbed build-essentail. libssl-dev is required for john.
Next I pulled down the latest release of john the ripper (1.8.0 at the time or writing) and extracted. If you're using these notes in the future you might have to change the URL below (or at least check to see if there's a newer version out).
Time to compile. The OMPFLAGS need to be uncommented in the make file.
The following lines needed changing…
.to (lines uncommented):
After changing I saved the file then ran the following to compile.
With any luck the john binary will be in the run folder ready to be played with.
BenchmarksJohn comes with a --test option for benchmarking.
Thoughts on AWSSome of the speeds reported aren't bad, but not great. Most decent GPUs will do much better against some of the easy algorithms such as MD5, NTLM etc.
Looking into spot instances on AWS (instances run at cheaper rates when available) could be an option for those automating a password cracking business in the cloud.
This was really just a close look at using a high core count on AWS. Maybe in the future i'll get around to delving a bit deeper into this approach to password cracking.
The glory of htopIncremental Mode
John The Ripper Multi Core Bitsread https://www.openwall.com/john/doc/MODES.shtml
This is the most powerful cracking mode, it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large (actually, it will terminate if you set a low password length limit or make it use a small charset), and you'll have to interrupt it earlier. Compaq presario v2000.
That's one reason why this mode deals with trigraph frequencies, separately for each character position and for each password length, to crack as many passwords as possible within a limited time.
To use the mode you need a specific definition for the mode's parameters, including password length limits and the charset to use. These parameters are defined in the configuration file sections called [Incremental:MODE], where MODE is any name that you assign to the mode (it's the name that you will need to specify on John's command line). You can either use a pre-defined incremental mode definition or define a custom one.
As of version 1.8.0, pre-defined incremental modes are 'ASCII' (all 95 printable ASCII characters), 'LM_ASCII' (for use on LM hashes), 'Alnum' (all 62 alphanumeric characters), 'Alpha' (all 52 letters), 'LowerNum' (lowercase letters plus digits, for 36 total), 'UpperNum' (uppercase letters plus digits, for 36 total), 'LowerSpace' (lowercase letters plus space, for 27 total), 'Lower' (lowercase letters), 'Upper' (uppercase letters), and 'Digits' (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for 'LM_ASCII' (where password portions input to the LM hash halves are assumed to be truncated at length 7) and 'Digits' (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download.
John Ripper DownloadUsing masks
read https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/MASK
Checking for GPU support
Cracking ZIP and RAR protected filesread https://dfir.science/2014/07/how-to-cracking-zip-and-rar-protected.html
How-to - Cracking ZIP and RAR protected files with John the Ripper
After seeing how to compile John the Ripper to use all your computer's processors now we can use it for some tasks that may be useful to digital forensic investigators: getting around passwords. Today we will focus on cracking passwords for ZIP and RAR archive files. Luckily, the JtR community has done most of the hard work for us. For this to work you need to have built the community version of John the Ripper since it has extra utilities for ZIP and RAR files.
For this exercise I have created password protected RAR and ZIP files, that each contain two files.
The password for the rar file is 'test1234' and the password for the zip file is 'test4321'.
In the 'run' folder of John the Ripper community version (I am using John-1.7.9-jumbo-7), there are two programs called 'zip2john' and 'rar2john'. Run them against their respective file types to extract the password hashes:
This will give you files that contain the password hashes to be cracked.. something like this:
After, that you can run John the Ripper directly on the password hash files:
You should get a message like: Loaded 1 password hash (PKZIP [32/64]). By using John with no options it will use its default order of cracking modes. See the examples page for more information on modes.
Notice, in this case we are not using explicit dictionaries. You could potentially speed the cracking process up if you have an idea what the password may be. If you look at your processor usage, if only one is maxed out, then you did not enable OpenMP when building. If you have a multi-processor system, it will greatly speed up the cracking process.
Now sit back and wait for the cracking to finish. On a 64bit quad-core i7 system, without using GPU, and while doing some other CPU-intensive tasks, the password was cracked in 6.5 hours.
Now if you want to see the cracked passwords give john the following arguments:
John The Ripper Multi Core BitIt should output something like:
Note: the hash file should have the same type of hashes. For example, we cannot put the rar AND zip hashes in the same file. But this means you could try to crack more than one zip/rar file at a time.
Free Download John The RipperFor the rar file it did not take nearly as long since the password was relatively common. If you take a look at john.conf in the run directory, it has a list of the patterns it checks (in order). The pattern 12345 is much more likely than 54321, so it is checked first resulting in a quick crack.