John the Ripper - Jean-Marc's Notes

John the Ripper is an open source tool that allows you to crack passwords from pretty much any format. I discovered it after coming across an old mac archive that I created nearly 10 years ago. After trying all the password combinations I could think of, I turned to brute force. **Legal Disclaimer** _The use of password cracking tools, such as John the Ripper, may be illegal in certain jurisdictions. It is your responsibility to ensure that you are in compliance with all applicable laws and regulations in your region. This guide is intended for educational purposes only and should only be used to recover passwords for files that you own or have explicit permission to access. Unauthorized access to computer systems, networks, or data is illegal and unethical. The author of this article and the developers of John the Ripper are not responsible for any misuse of this information. Always verify the legality of using such tools in your specific case before proceeding._ # Installing John the Ripper on a Mac I'm trying to break open an old Apple DMG file I created, so I needed a variant of John the Ripper that was designed for DMG files. Thankfully, there's a very easy to use version of John the Ripper that can be installed in one line. And that includes all the necessary tools to do this: ``` brew install john-jumbo ``` John the Ripper should now be installed and accessible anywhere in your terminal via the `john` command. # Preparing the DMG file for John the Ripper The `john` command needs a hash file to start the decryption process, which is where the `dmg2john` tool comes in. This tool is not added to the bash path by default, so you'll need to do a bit of digging around to find it. The location should be in `{homebrew_folder}/john-jumbo/{version_number}/share/john/dmg2john`. For Apple Silicon (Mx series) macs, the Homebrew location should be `/opt/homebrew/Cellar/`. Once you have found the tool, run it with the dmg you want to crack as your first argument and pipe the result into a hashfile: ``` dmg2john archive.dmg > archive.dmg.hash ``` # Cracking with John the Ripper Now that you have the hash, it's time to crack it! Run `john` and pass in the hashfile and the format as the argument: ``` john --format=dmg-opencl archive.dmg.hash ``` Wait a while, and you *should* see the results. The `--format` argument is important, as it specifies the type of file to decrypt and hardware optimizations that can be used to speed up the process. John supports a *lot* of formats, and if you're looking for a specific one you can type ``` john --list=formats ``` to see all the available formats. The `-opencl` argument specifies GPU decryption, which is typically much faster than CPU. ## Resuming sessions Depending on the password complexity, John may take a little while to decrypt the password. That's where sessions can be really handy. They allow you to pause and resume a decryption over multiple sessions. To start one, simply pass in a value for the `session` argument: ``` john --session=my_session ``` You should now see a `my_session.rc` file. You can press Ctrl-C at any time to stop John, and then type the following command to resume where you left off: ``` john --restore=my_session ``` ## What if you remember some of the password? In my case, I was pretty confident I knew the password, but I was just confused about some of the variations I may have made to it. If you’re like me, you can speed up the decryption process significantly by providing some hints to John. Let’s say you remember that the middle part of your password was “test,” but you completely forget the parts before or after that. You can pass in a regular expression that will allow John to search within a particular range. The following command would try all passwords with one to five characters before the word “test” followed by one to five characters after the word “test”: ``` john --regex='.{1,5}test.{1,5}' ```