TL;DR
This guide shows you how to use JohnTheRipper to crack alphanumeric passwords using a brute-force attack. It’s important to understand this is for testing your own systems and learning about password security, not for illegal activities.
Prerequisites
- JohnTheRipper installed on your system (Linux, macOS, or Windows via WSL). See the official website for installation instructions.
- A password hash file you want to crack. This could be from a compromised application or a test environment.
Steps
1. Understand Your Hash Type
2. Run a Basic Brute Force Attack
3. Specify Character Set (Important for Speed)
4. Limit Password Length (Further Speed Improvement)
5. Monitor Progress and Stop the Attack
6. View Cracked Passwords
7. Using a Wordlist (Alternative Approach)
8. Rules for More Complex Cracking
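First, identify the type of hash you’re dealing with. JohnTheRipper needs to know this to crack it correctly. Run john on your hash file without a --format option; it reports the format it detected as it loads the hashes, and warns when a hash matches more than one format. john --list=formats prints the format names it accepts.
john my_hashes.txt
This will output the hash format (e.g., Raw-MD5, Raw-SHA256). Note this down; you’ll need it in the next step.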
For an alphanumeric password, we’ll use the --incremental mode with a character set. This tells JohnTheRipper to try every possible combination of characters starting from a specified length.
john --format=Raw-MD5 --incremental my_hashes.txt
Replace Raw-MD5 with the format you identified in step 1. This command will start cracking passwords, beginning with single-character combinations and increasing length until a match is found or you stop it.
To speed up the process, tell JohnTheRipper exactly which characters to use. Incremental mode takes its character set from a named mode defined in john.conf, selected with --incremental=MODE. For lowercase letters, uppercase letters and numbers, the jumbo build provides the Alnum mode:
john --format=Raw-MD5 --incremental=Alnum my_hashes.txt
You can switch to a mode that includes symbols (such as ASCII) if you know they were used in the passwords.
If you have an idea of the maximum password length, use --max-length. This significantly reduces cracking time.
john --format=Raw-MD5 --incremental=Alnum --max-length=8 my_hashes.txt
This will only try passwords up to 8 characters long.
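To see how much the character set and the length limit change the size of the search, the following added example (not part of the original guide or of JohnTheRipper) computes the number of candidates for a given policy and checks whether a password falls inside an alphanumeric, 8-character search at all. The guess rate and the sample passwords are constructed assumptions; real rates depend on the hash format and hardware.

```python
import string

# The 62 characters used in the guide: a-z, A-Z, 0-9.
ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits
# All 95 printable ASCII characters (alphanumerics, punctuation, space).
PRINTABLE = ALNUM + string.punctuation + " "

# Assumed guess rate for illustration only (hypothetical figure).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def keyspace(charset_size, max_length, min_length=1):
    """Count every candidate of length min_length..max_length."""
    return sum(charset_size ** n for n in range(min_length, max_length + 1))


def seconds_to_exhaust(charset_size, max_length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a constant rate."""
    return keyspace(charset_size, max_length) / guesses_per_second


def in_search_space(password, charset=ALNUM, max_length=8):
    """True if a search limited to charset and max_length can reach password."""
    return 0 < len(password) <= max_length and all(c in charset for c in password)


def humanize(seconds):
    """Render a duration using the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    policies = [
        ("alphanumeric, up to 8", len(ALNUM), 8),
        ("printable ASCII, up to 8", len(PRINTABLE), 8),
        ("alphanumeric, up to 12", len(ALNUM), 12),
    ]
    for label, size, length in policies:
        t = seconds_to_exhaust(size, length, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:26} {keyspace(size, length):.3e} candidates, {humanize(t)}")

    # Constructed sample passwords, checked against the alphanumeric/8 search.
    for pw in ("Summer24", "Summer2024", "P@ssw0rd"):
        print(f"{pw:12} reachable: {in_search_space(pw)}")
```

A password that is longer than the limit or contains a character outside the set is never reached by that run, which is why length and symbol requirements in a password policy raise the cost of this kind of search.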
JohnTheRipper displays its progress in real-time. You can stop the attack at any time by pressing Ctrl+C.
Once JohnTheRipper finds a password, it will display it. To view all cracked passwords, use john --show my_hashes.txt
john --show my_hashes.txt
This will output the plain-text passwords that were successfully cracked.
If you suspect the passwords are based on common words, use a wordlist instead of brute force. Download a suitable wordlist (e.g., RockYou.txt). Then run:
john --format=Raw-MD5 --wordlist=rockyou.txt my_hashes.txt
JohnTheRipper supports rules to apply transformations to wordlist entries (e.g., capitalization, adding numbers). Use the --rules= option together with --wordlist.
john --format=Raw-MD5 --wordlist=rockyou.txt --rules=best64 my_hashes.txt

