John The Ripper Tutorial For Beginners | How To Crack A Password With John The Ripper | Simplilearn

[music] Hello everyone and welcome to Simply Learn. In this tutorial, we are going to learn about how John the Ripper works through practical hands-on demos. But first, let me tell you something about John the Ripper. John the Ripper is a password auditing tool which is used by cybersecurity professionals. It is basically used to test password strength in authorized environments. So guys, if you are interested in cybersecurity or ethical hacking, then watch this video till the end. The goal of this tutorial is not to attack real systems, but to understand how weak passwords can be cracked and why strong password practice are very much important. All the demos in this video are safe for lab examples and it is created using our own files. Now, here is the agenda of our today's session. First, we are going to learn about what is John the Ripper. Next, we are going to learn about hash versus plain text password. Third, we are going to learn about setting up a practice folder. After that, what we are going to do is we are going to try some basic Linux password hash cracking. After that, we are going to crack MD5 hash. Then, we are going to try cracking a password-protected zip file. After that, we are going to crack password using wordlist tools. And finally, we are going to crack a four-digit PIN using mask mode. Now, before we start our session, just a quick info guys, Simply Learn has got advanced executive program in cybersecurity. It is ranked India's number one cybersecurity course by Livemint, where you're going to learn to defend and prevent. Here, you are also going to build AI-powered security expertise with 100 plus guided assignments. Also, you're going to gain exposure with 30 plus real-world case studies and three capstone projects. And finally, you're going to defend against cyber threats using 30 plus hands-on tool. So guys, hurry up now and join the course. The course link is mentioned in the description box. Now, before we head to the session, here is a short quiz to test your knowledge. And the question is, what is the main purpose of John the Ripper in cybersecurity? Your options are to create websites, or to create password strength by cracking hashes, or to scan Wi-Fi networks, or to remove computer viruses. Please mention your answers in the comment section below. And also guys, if you like these kind of videos, then do not forget to hit the subscribe button and click the notification bell icon, so that you don't miss out any update from our end. So, let's get started. So guys, let us first try to understand what exactly is popular password security auditing tool. In simple words, if I have to say, it is used to test whether passwords are weak or easy to guess or vulnerable to cracking. Mostly cybersecurity professionals use it to check the strength of the passwords in legal and an authorized environment. One of its main features is password hash cracking. Instead of storing real passwords, systems usually store password hashes. John the Ripper tries to guess the original password by comparing the possible passwords with those hashes. And it supports many hash types, including Linux, Unix, Windows, and different application-based hashes. Another important feature is its dictionary attack support. This means that it can use word list of common password and try them against password hashes. It also supports brute force attacks, where it tries many possible combinations, and also rule-based attacks, where it modifies words by adding numbers, symbols, or changing letters. John the Ripper is also flexible and fast. It can automatically detect many hash formats, work on different operating systems like Linux, Windows, and macOS, and use different cracking modules and use different cracking modes depending upon the requirement. Now, let me tell you something very interesting about it. This tool is mainly used in ethical hacking, penetration testing, password audit scenarios, password audit scenarios. For example, a security team may use John the Ripper to check if employees are using weak passwords like password123 or let's say admin@123. It can also be used after collecting test password hashes from lab system to demonstrate how attackers crack weak passwords. Another common scenario is cybersecurity training. Beginners use John the Ripper in controlled lab environments to understand how password cracking works and why strong passwords are important. However, it should only be used with permission. Using John the Ripper to crack someone else's password without authorization is illegal and its correct purpose is to improve security by finding weak password before attackers do. So guys, this was a brief introduction about John the Ripper. Now, you would be wondering what exactly is hashing. So, hashing is an encryption mechanism where what we do, let's say if I write something like for example, so let's say guys, the password for your required email ID is password@123. Now, when you write this password, so what your system does it, it uses the hashing algorithm which converts all these numbers into a format like this and it is a kind of a very big string. So, generally the password is stored in this format. So, this becomes kind of hard for anyone to crack and this is a normal hashing mechanism. And there are a lot of hashing algorithms like MD5, uh, digest algorithm, and, uh, RSA algorithm. So, the when we talk about encryption and security, where we don't want anyone's data to be, you know, uh, leaked, we are storing in a very secure format. So, which is generally achieved in one of the ways which is called as hashing. So, I hope so you would have gone the brief idea regarding hashing. Now, it's time to install John the So, guys, if you are a Windows user, first I would suggest you go to the Microsoft Store, okay? And you will not be just using John the Ripper, there will be a lot of other tools also. For example, like Wireshark or Nmap, which you can use it to actually explore cybersecurity and ethical hacking. Now, let me tell you all over here. When you go to your Microsoft Store, just search Kali all over here, and uh, when you just search Kali Linux, it will be available on your Microsoft Store if you are Microsoft users, then just click on install and there will be a version of Kali Linux installed on your command prompt. Now, let us open our command prompt. So, we'll just search for it through our search bar, and you can see that our command prompt is opened. Now, in order to open Kali Linux, what you need to type is Kali, okay? So, you can see all over here, and this message you should see that this is a minimal installation of Kali Linux. You are likely want to install, uh, any other tools, so you can just refer to the official documentation of this. So, let me copy this, and okay, I have copied that link, and now, what I'm going to do is I'm just going to paste this thing. And minimal install setup information of Kali Linux. So, this is a uh, given website that you will be redirected to. So, there are a lot of things all over here. Now, the next step is installing John the Ripper. So, in order to install John the Ripper, just type install John the Ripper and there will be Linux command which says sudo install John the Ripper. And when you click on this, okay, so it does not give us the required installation. Let us go back. So, open for the firewall system, you can just use this thing and So, guys, in your given CMD, what you need to type all over here, you need to type sudo apt install John then hyphen y. And this is going to install your John the Ripper. And after that, guys, just you need to do is type this, John, and you can you will you're going to see something like this. John the Ripper 1.9.0 jumbo one version and this is copyrighted by Solar Designers and this is the official documentation by OpenWall for John the Ripper. If you want to use this, so just go to official documentation which I'm actually using and I showed you earlier also which I am repeat. So, if you follow that link, you're going to see the OpenWall documentation of the John Ripper. So, it is being maintained by OpenWall and there are a lot of things you are going to see and this is our required thing. Now, uh let us try to explore these tools. We will try on some basic hands-on demo first to get a brief idea regarding this tool. So, guys, in this hands-on demo, we will create a sample password and convert it into a hash. And then we are going to use John the Ripper with a word list to recover the original plain text password. Now, let me recollect everything once again. So, what is hash, guys? So, guys, what is hash? So, hash is basically an encrypted-looking password value, like I had shown you earlier. And the plain text password is like your real password, like password@123. So, guys, first type this command. Let's clear everything first. Now, all over here, let's create a directory all over here. So, we are going to use mkdir command, and let's say the directory is John demo. Now, after that, let us go to that directory. So, cd John demo. Now, guys, all over here, let us try to create a password called hello123 and store it in wordlist.txt. Now, we have clicked enter on the same. Now, let's hash that required password. So, guys, for hashing that password, what I want you to do is use OpenSSL for doing it. And we are going to do salting all over here, and the given command is OpenSSL password, then hyphen six, hyphen salt, and then test hello123 and store it in hash.txt file. Now, let's click enter. Now, guys, after that, what we are going to do is we are going to use John the Ripper to show that respective password, basically through the word list. So, let me click enter, and it says loaded one password hash, and it is using shy encryption 512 bits, and all over here. Now, I will show the hash password. So, you can see the password which I had written earlier, it has cracked it, and it shows one password hash cracked, zero left. And the password is hello123. So, guys, this is a very sample demo how John can access a list of set password, okay? And it can easily crack those hash passwords. So, guys, this demo demonstrates the basic password hash cracking. How John the Ripper can be used to crack the hash passwords. Now, guys, in the next scenario, what we are going to do is we are going to crack an MD5 hashing text, or basically called as a password. And then we are going to use John the Ripper to crack the same thing. Now, let me tell you a little bit about MD5 algorithm, okay? So, MD5 is an older hashing algorithm, which is used to perform the hashing. So, I told you like whenever you write a password all over here, so you use a hashing algorithm to convert something like this to this. So, one of the algorithm, the particular format of algorithm is MD5. So, you can see based on the algorithm, the cracking technique might be different. But since it's a very traditional password uh hashing algorithm, so we'll have a set technique to crack it. Let me show you guys. Now, let us store one more password, and we call it as uh let's say cyber2026. And let's say it's stored in wordlist2.txt. Now, after this, we are going to create an MD5 hash of the same password. So, guys, what we are going to type all over here is we are going to type echo, then hyphen n, then cyber2026. Then you can see the algorithm name is MD5 sum. And then we are going to print dollar one. And all over here, dollar one is basically variable signal. And then we'll just click enter to it. Now, let us use the cat command to view the required MD5 hash text. So, you can see this is our required hashing of this required password. Now, we're going to use John the Ripper to crack the same thing. So guys, you can see the command for the required thing is John {hyphen} {hyphen} format and the format is raw MD5. Then we're going to use the use the word list and we stored it all over here in wordlist2.txt. And this is md5hash.txt and we'll just click enter. So, you can see loaded one password hash. So, warning no open MP support. Some warnings are being given and you can see all over here it's showing the required thing. Now, I'm going to use John the Ripper to show the required password. So, when I just show this and you can see this password is cracked. Okay? Which is cyber2026. So, whatever the hashing we did all over here, that hashing is already been cracked. So, it's just a normal significance of that all these MD5 algorithm based password can be easily cracked by John the Ripper. So, in this demo what we learned basically that John has that hash format of the raw using this command. If you see all over here, so {dot} show {hyphen} {hyphen} format and raw MD5. So, we're telling John that the hash format all over here is MD5. And then John checks each password from the word list and find the correct plain text password. So, this is our required scenario. Now, let me show you one more scenario. So, first let's clear our screen. Okay. Now, in this third scenario, we are going to crack a zip file password using John the Ripper. And John can also crack password-protected files. And for the zip files, we first extract the hash using the zip to John. So, this is the required thing, and then we can crack that hash using the John the Ripper. So, first of all, let us create a simple file. Let's call this as this is a secret demo file, and we are going to store it in secret.txt. to do is we are going to create a password-protected zip file with the password, let's say blue123. Let's click enter. So, I'm using the command zip {hyphen}p and blue123secret.zip and .txt. So, you can see this has been done right now. And if you aren't familiar with Linux, I would request you to watch the Linux tutorial on our channel, which will going to give you a very clarity about what these commands are interpreting because we are in a Linux terminal. Now, next thing what we are going to do is we are going to use zip to zone, which is basically extracting the zip hash using zone zip to. And you can see all over here. After typing this, so the given thing it's trying to extract that hash. Now, let us try to create a word list all over here. So, you can see this is a word list three all over here. And then I am basically storing this required password blue123, let's say yellow123, green123 all over here, these three passwords in the word list three.txt. Now, guys, it's our time to actually crack the password using John the Ripper. So, what I'm going to do, I'm going to use this command, let's say John {hyphen}{hyphen}wordlist, and I am telling that the passwords are stored in the wordlist 3.txt and I'm going to use uh the required uh zip hash.txt file where the list of passwords were there and referring to the required thing in the respective file, which is all over here, if you see. Because our password is stored in this uh the hash password is stored all over there. So, let us click enter all over here and you can see the password has been cracked. Now, it's time to display the required hash password. So guys, from the list of password that we have stored in the wordlist 3.txt, John the Ripper is going to show the required file. So, let us click enter and you can see we have blue123 finally cracked for us. Pretty amazing. So, this gives you another dimension that you can use John the Ripper and zone zip to to crack the password of the zip files. So, let me also tell you few things. John cannot directly read the zip password. So, we have to use certain thing which is called as zip to John to convert the zip file into crackable hash and then John uses the wordlist and finds that respective password. Now, let's clear this. Now, let us move on to the next scenario. Where what we are going to do is we are going to use rules to crack the modified password. Now, when we are talking about cracking passwords using word mangling rules, so there the scenario will be kind of pretty much different and what we have explored all over there using the zip file or let's say cracking through the MD5 algorithm or let's say you know, cracking the password with the help of let's say sha algorithm. So, all these techniques are kind of bit different. So, sometimes users do not use exact dictionary words. They may capitalize the letters or slightly modify the password. So, we can use John's {hyphen} {hyphen} rules option and try variation of the words. So, let us try to first create a word list with a lowercase password all over here. Now, if you could see this required thing, what I'm trying to do is I have created admin password, let's say n kali, and I have stored it in word list 4.txt. Let's click enter. Now, next thing what we're going to do is we are going to create a hash for capitalized password. And we are going to use open SSL and also the salting rule to actually add some complexity. And first, what I'm going to show you is I'm going to try it without rules. Then, there may be a chance that it may not crack because the word list has the password, but the actual password is something else. Now, we have to try with the rules, and then we are going to show the exactly password that we have mentioned all over here. Because the word list is going to only have that one password, but the real password was, let's say, in the capital letters. Now, if you wouldn't have got the idea regarding the same, let me try to show you. Now, what I'm going to do is I'm going to create a capitalized version of that password using the open SSL and using the salting technique, add some rule to it all over there. Now, let us click enter. Now, in this step, first, I'm going to try out without rules. So, I'm using John {hyphen} {hyphen} word list, and let's say I store it in word list 4.txt, and the file name is with the help of rule hash.txt. Let us click enter, and you can see it has loaded one password hash. So, it's a SHA-512 crypt. So, guys, at the first, we are trying to crack the password without using the rule, if you see all over here. Now, it may crack the password or it may not. But, when you use this all over here {hyphen} {hyphen} rules, then we have a greater probability of cracking that password which we have stored. Now, let us click enter all over here and you can see we have got the given cracked password. Now, the next step is showing that required password. So, you can see all over here what I'm trying to show is the given rule-based password. So, for that I'm using {hyphen} {hyphen} show command and let's click enter and you can see the capitalized password is shown. So, John the Ripper is also very much capable of cracking the password when you are adding some rules all over there. Now, in this scenario we are mask attack all over there. So, what is a mask attack? So, let's say mask attack is a kind of a technique which is useful when we know the password pattern. For example, let's say if you know the password is a four-digit PIN. So, we can tell John the Ripper to try only digits. So, in the first step let us try to create MD5 hash for let's say PIN number uh you can give any PIN number. So, I'll say use 0427 and next step we are going to view that required hash and then we are going to crack using the mask mode present all over there. So, guys you can see all over here I have created a four-digit PIN which is 0427 and I've stored in pinhash.txt. Let's click enter. So, this is using MD5 sum algorithm to store this required password in a kind of hash format. Now, let us show the required hash using the cat command which is stored in pinhash.txt file. Now, after that what we are going to use is we are going to crack that required password using let's say mask mode. And you can see we already know the format and let's say it's using format raw MD5 and you can see the the mode is the mask mode. And I've also given this 1 2 3 4. So, this is question mark question mark and all DD. And let's say it's trying to crack the password which is stored in the hash format and this is our required file. Now, John when it uses this it has loaded and it has cracked the required password. Now, it's our time to show that required password. Now, I'm going to use the required command John hyphen hyphen format equal to raw MD5 hyphen hyphen show pin hash.txt. Let's click enter all over here and you can see that we have cracked the required password using the mask mode. So, these are some of the techniques you can use John the Ripper to explore or you know, crack the password. But guys, beware it's only used for ethical hacking or you know, checking the security of any system. Now, do not use it definitely to crack someone else's password or your friend's password. It's completely unethical. You may be entitled to a cyber security crime or fraud which is not correct and ethical. So guys, this was all about John the Ripper. I hope so you would have enjoyed our today's tutorial on this required topic. And thank you guys for watching this video. And also guys, if you like these kind of videos then do not forget to hit the subscribe button and click the notification bell icon so that you don't miss out any update from our end.