john - a tool to find weak passwords of your users
This manual page documents briefly the john
command. This manual page was
written for the Debian GNU/Linux distribution because the original program
does not have a manual page. john
, better known as John the Ripper, is
a tool to find weak passwords of users in a server. John can use a dictionary
or some search pattern as well as a password file to check for passwords. John
supports different cracking modes and understands many ciphertext formats,
like several DES variants, MD5 and blowfish. It can also be used to extract
AFS and Windows NT passwords.
To use John, you just need to supply it a password file and the desired options.
If no mode is specified, john will try "single" first, then
"wordlist" and finally "incremental".
Once John finds a password, it will be printed to the terminal and saved into a
file called ~/.john/john.pot. John will read this file when it restarts so it
doesn't try to crack already done passwords.
To see the cracked passwords, use
john -show passwd
Important: do this under the same directory where the password was cracked (when
using the cronjob, /var/lib/john), otherwise it won't work.
While cracking, you can press any key for status, or Ctrl+C to abort the
session, saving point information to a file ( ~/.john/john.rec
default). By the way, if you press Ctrl+C twice John will abort immediately
without saving. The point information is also saved every 10 minutes
(configurable in the configuration file, ~/.john/john.ini
) in case of a crash.
To continue an interrupted session, run:
Now, you may notice that many accounts have a disabled shell, you can make John
ignore these (assume that shell is called /etc/expired
john -show -shells:-/etc/expired passwd
You might want to mail all the users who got weak passwords, to tell them to
change the passwords. It's not always a good idea though (unfortunately, lots
of people seem to ignore such mail, it can be used as a hint for crackers,
etc), but anyway, I'll assume you know what you're doing. Get a copy of the
'mailer' script supplied with John, so you won't change anything that's under
; edit the message it sends, and possibly the mail command
inside it (especially if the password file is from a different box than you
got John running on). Then run:
Anyway, you probably should have a look at /usr/share/doc/john/OPTIONS
for a list of all the command line options, and at
for more John usage examples with other
All the options recognized by john start with a single dash (`-'). A summary of
options is included below.
- Enables an external mode, using external functions defined
in ~/john.ini's [List.External:MODE] section.
- Allows you to override the ciphertext format detection.
Currently, valid format names are DES, BSDI, MD5, BF, AFS, LM. You can use
this option when cracking or with '-test'. Note that John can't crack
password files with different ciphertext formats at the same time.
- Tells John to load users of the specified group(s)
- Enables the incremental mode, using the specified
~/john.ini definition (section [Incremental:MODE], or [Incremental:All] by
- Generates a charset file, based on character frequencies
from ~/.john/john.pot, for use with the incremental mode. The entire
~/.john/john.pot will be used for the charset file unless you specify some
password files. You can also use an external filter() routine with this
- Continues an interrupted cracking session, reading point
information from the specified file (~/.john/john.rec by default).
- Enables wordlist rules, that are read from
[List.Rules:Wordlist] in /etc/john/john.conf (or the alternative
configuration file you might specify on the command line).
This option requires the -wordlist option to be passed as
- This feature sometimes allows you to achieve better
performance. For example you can crack only some salts using '-salts:2'
faster, and then crack the rest using '-salts:-2'. Total cracking time
will be about the same, but you will get some passwords cracked
- You might need this option if you don't have enough memory,
or don't want John to affect other processes too much. Level 1 tells John
not to waste memory on login names, so you won't see them while cracking.
Higher levels have a performance impact: you should probably avoid using
them unless John doesn't work or gets into swap otherwise.
- Allows you to specify another point information file's name
to use for this cracking session. This is useful for running multiple
instances of John in parallel, or just to be able to recover an older
session later, not always continue the latest one.
- This option is useful to load accounts with a valid shell
only, or not to load accounts with a bad shell. You can omit the path
before a shell name, so '-shells:csh' will match both '/bin/csh' and
'/usr/bin/csh', while ´-shells:/bin/csh' will only match
- Shows the cracked passwords in a convenient form. You
should also specify the password files. You can use this option while
another John is cracking, to see what it did so far.
- Enables the "single crack" mode, using rules from
- Prints status of an interrupted or running session. To get
an up to date status information of a detached running session, send that
copy of John a SIGHUP before using this option.
- These are used to enable the wordlist mode (reading from
- When used with a cracking mode, except for "single
crack", makes John print the words it generates to stdout instead of
cracking. While applying wordlist rules, the significant password length
is assumed to be LENGTH, or unlimited by default.
- Benchmarks all the enabled ciphertext format crackers, and
tests them for correct operation at the same time.
This option does not need any file passed as argument. Its only
function is to benchmark the system john is running on.
- Allows you to filter a few accounts for cracking, etc. A
dash before the list can be used to invert the check (that is, load all
the users that aren't listed).
- These are used to enable the wordlist mode, reading words
John can work in the following modes:
- John will simply use a file with a list of words that will
be checked against the passwords. See RULES for the format of wordlist
- Single crack
- In this mode, john will try to crack the password using the
login/GECOS information as passwords.
- This is the most powerful mode. John will try any character
combination to resolve the password. Details about these modes can be
found in the MODES file in john's documentation, including how to define
your own cracking methods.
- is where you configure how john will behave.
- has the message sent to users when their passwords are
- is used to configure how john will send messages to users
that had their passwords cracked.
The programs and the configuration files are documented fully by John's
documentation, which should be available in /usr/share/doc/john
other location, depending on your system.
This manual page was written by Jordi Mallach <firstname.lastname@example.org> and
Jeronimo Pellegrini <email@example.com>, for the Debian GNU/Linux
system (but may be used by others).
John the Ripper was written by Solar Designer <firstname.lastname@example.org>. The
complete list of contributors can be found in the CREDITS file in the