“John the Ripper” – is a fast password cracker. Its primary purpose is to detect weak Unix passwords.
Most likely you do not need to install “John the Ripper” system-wide.
Instead, after you extract the distribution archive and possibly compile the source code (see below), you may simply enter the “run” directory and invoke John from there.
Compiling “John the Ripper”
Step 1: Download the latest version of ““John the Ripper”” and its signature
$ wget http://www.openwall.com/john/g/john-1.7.9.tar.bz2 $ wget http://www.openwall.com/john/g/john-1.7.9.tar.bz2.sign $ wget http://www.openwall.com/signatures/openwall-signatures.asc
Step 2: Confirm the signature
This is a safety measure as we are dealing with dangerous thing.
Install the public key:
$ pgp -ka openwall-signatures.asc
Check the signature:
$ pgp john-1.7.9.tar.bz2.sign john-1.7.9.tar.bz2 gpg: Signature made Wed 23 Nov 2011 01:38:48 PM CAT using RSA key ID 295029F1 gpg: Good signature from "Openwall Project <signatures@openwall.com>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 0C 29 43 AE 1E CD 24 EA 6E 0C B6 EE F5 84 25 69
You will see the message similar to the above. Ignore the warning as long as it says Good signature from “Openwall Project … “.
The warning is normal, see http://www.kernel.org/signature.html for more details.
Step 3: Uncompress and compile the sources
$ tar xvfj john-1.7.9.tar.bz2 $ cd john-1.7.9/src/ $ make To build John the Ripper, type: make clean <system> where SYSTEM can be one of the following: linux-x86-64-avx Linux, x86-64 with AVX (2011+ Intel CPUs) linux-x86-64-xop Linux, x86-64 with AVX and XOP (2011+ AMD CPUs) linux-x86-64 Linux, x86-64 with SSE2 (most common) ***
Note the make target for your system and type:
$ make clean <system>
Where <system> is the appropriate make target. Alternatively, if your system is not listed, use:
$ make clean generic
If everything goes well, this will create the executables for John and its related utilities under “../run/”.
Alternatively, you may copy the entire “run” directory to anywhere you like and use John from there.
Now you can change directory to there and test John, like this:
$ cd ../run/ $ ./john --test Many salts: 400332 c/s real, 400332 c/s virtual Only one salt: 383795 c/s real, 391627 c/s virtual --- Benchmarking: BSDI DES (x725) [32/32 BS]... DONE Many salts: 13362 c/s real, 13388 c/s virtual Only one salt: 13299 c/s real, 13299 c/s virtual --- Benchmarking: FreeBSD MD5 [32/32 X2]... DONE Raw: 9225 c/s real, 9225 c/s virtual ***
Installing “John the Ripper” on Ubuntu
Execute the next command to install “John the Ripper” on Ubuntu:
$ sudo apt-get install john
Installing “John the Ripper” on CentOS/RHEL
Execute the next command to install “John the Ripper” on CentOS/RHEL:
$ yum install john
Cant we directly do sudo apt-get install john for installing john the ripper in ubuntu?
Yes, we can. But there is no guarantee that the john’s version from repository is the latest one. And actually there is no need to install this tool system-wide as it can be compiled and run from a standalone directory – sometimes this is very convenient, i guess, as if the john is no more needed you just delete the directory without leaving any traces in the system
“john” doesn’t exist in RHEL 6/7 yum repos. Also not in centos 7.
sudo yum -y install john
…
Setting up Install Process
No package john available.
Error: Nothing to do
yo, ps-ax here, just an advise, the latest version of john atm is 1.8 so the download links for wget have changed to
: http://www.openwall.com/john/j/john-1.8.0.tar.gz << for the ripper itself
http://www.openwall.com/john/j/john-1.8.0.tar.gz.sign << signature
see you! and helpfull article man, enjoy it.!
roott-K73SJ roott # pgp john-1.7.9.tar.bz2.sign john-1.7.9.tar.bz2
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
WARNING: Can’t find the right public key– can’t check signature integrity.
roott-K73SJ roott #
When installing JtR from a distribution repository, you don’t just get an older version than the latest available release. Users will most likely get problems/error messages if installing JtR from repos (for example in Ubuntu). Most often the jumbo version is needed to get things such as cracking raw sha1 to work.
Not all 2011+ Intel CPUs have AVX so even if having a CPU architecture released after Sandy Bridge, chosing the AVX system type when compiling might not be correct.
https://en.wikipedia.org/wiki/Advanced_Vector_Extensions
At least for john-1.9.0 the ./configure step is missing before make. Since no makefile is present without running ./configure, make will stop.
To compile/make JtR some systems might need a compiler as well (gcc) along with SSL dev libraries (libssl-dev).
In ubuntu 18.04.4 I get:
$ sudo apt-get install john
Reading package lists… Done
Building dependency tree
Reading state information… Done
Package john is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package ‘john’ has no installation candidate
pgp, command not found
BTW
I’m using Kali
sudo apt install pgp?
i have no clue what system i should pick so i just went with generic, do you think that will work good?