Provided by: john_1.6-39ubuntu1_i386 bug


       john - a tool to find weak passwords of your users


       john [options] password-files


       This  manual page documents briefly the john command.  This manual page
       was written for the Debian GNU/Linux distribution because the  original
       program  does  not  have a manual page.  john, better known as John the
       Ripper, is a tool to find weak passwords of users in a server. John can
       use  a  dictionary or some search pattern as well as a password file to
       check  for  passwords.  John  supports  different  cracking  modes  and
       understands many ciphertext formats, like several DES variants, MD5 and
       blowfish. It can also be used to extract AFS and Windows NT  passwords.


       To use John, you just need to supply it a password file and the desired
       options. If no mode is specified, john will try  "single"  first,  then
       "wordlist" and finally "incremental".

       Once  John  finds  a  password,  it will be printed to the terminal and
       saved into a file called ~/john.pot. John will read this file  when  it
       restarts so it doesn’t try to crack already done passwords.

       To see the cracked passwords, use

       john -show passwd

       Important:  do  this  under  the  same directory where the password was
       cracked (when using the cronjob,  /var/lib/john),  otherwise  it  won’t

       While  cracking,  you  can press any key for status, or Ctrl+C to abort
       the session,  saving  point  information  to  a  file  (  ~/restore  by
       default).  By  the  way,  if  you  press  Ctrl+C  twice John will abort
       immediately without saving.  The point information is also saved  every
       10  minutes  (configurable  in  the configuration file, ~/john.ini ) in
       case of a crash.

       To continue an interrupted session, run:

       john -restore

       Now, you may notice that many accounts have a disabled shell,  you  can
       make John ignore these (assume that shell is called ’ /etc/expired

       john -show -shells:-/etc/expired passwd

       You  might  want  to mail all the users who got weak passwords, to tell
       them to change the passwords.  It’s  not  always  a  good  idea  though
       (unfortunately, lots of people seem to ignore such mail, it can be used
       as a hint for crackers, etc), but anyway, I’ll  assume  you  know  what
       you’re  doing. Get a copy of the ’mailer’ script supplied with John, so
       you won’t change anything that’s under /usr/bin ; edit the  message  it
       sends,  and  possibly  the  mail  command  inside it (especially if the
       password file is from a different box than you got  John  running  on).
       Then run:

        ./mailer passwd

       Anyway,  you probably should have a look at /usr/share/doc/john/OPTIONS
       for   a   list   of   all   the   command   line   options,   and    at
       /usr/share/doc/john/EXAMPLES  for  more  John usage examples with other
       cracking modes.


       All the options recognized by john start with a single dash  (‘-’).   A
       summary of options is included below.

              Enables  an  external  mode, using external functions defined in
              ~/john.ini’s [List.External:MODE] section.

              Allows  you  to  override  the  ciphertext   format   detection.
              Currently,  valid  format names are DES, BSDI, MD5, BF, AFS, LM.
              You can use this option when cracking or with ’-test’. Note that
              John  can’t  crack  password  files  with  different  ciphertext
              formats at the same time.

              Tells John to load users of the specified group(s) only.

              Enables the incremental mode,  using  the  specified  ~/john.ini
              definition  (section [Incremental:MODE], or [Incremental:All] by

              Generates a charset file, based on  character  frequencies  from
              ~/john.pot,  for  use  with  the  incremental  mode.  The entire
              ~/john.pot will be used for the charset file unless you  specify
              some  password  files.  You  can  also  use an external filter()
              routine with this option.

              Continues  an  interrupted  cracking  session,   reading   point
              information from the specified file (~/restore by default).

       -rules Enables     wordlist     rules,     that     are    read    from

              This feature sometimes allows to achieve better performance. For
              example  you  can crack only some salts using ’-salts:2’ faster,
              and then crack the rest using ’-salts:-2’. Total  cracking  time
              will  be about the same, but you will get some passwords cracked

              You might need this option if you don’t have enough  memory,  or
              don’t  want  John  to  affect  other processes too much. Level 1
              tells John not to waste memory on login names, so you won’t  see
              them  while  cracking.  Higher levels have a performance impact:
              you should probably avoid using them unless John doesn’t work or
              gets into swap otherwise.

              Allows  you  to specify another point information file’s name to
              use for this  cracking  session.  This  is  useful  for  running
              multiple  instances  of  John in parallel, or just to be able to
              recover an older session later, not always continue  the  latest

              This  option is useful to load accounts with a valid shell only,
              or not to load accounts with a bad shell. You can omit the  path
              before a shell name, so ’-shells:csh’ will match both ’/bin/csh’
              and ’/usr/bin/csh’, while  ´-shells:/bin/csh’  will  only  match

       -show  Shows  the  cracked  passwords  in a convenient form. You should
              also specify the password files. You can use this  option  while
              another John is cracking, to see what it did so far.

              Enables    the   "single   crack"   mode,   using   rules   from

              Prints status of an interrupted or running session. To get an up
              to  date  status information of a detached running session, send
              that copy of John a SIGHUP before using this option.

       -stdin These are used to enable the wordlist mode (reading from stdin).

              When used with a cracking mode, except for "single crack", makes
              John print the words it generates to stdout instead of cracking.
              While  applying  wordlist rules, the significant password length
              is assumed to be LENGTH, or unlimited by default.

       -test  Benchmarks all the enabled ciphertext format crackers, and tests
              them for correct operation at the same time.

              Allows  you  to  filter a few accounts for cracking, etc. A dash
              before the list can be used to invert the check (that  is,  load
              all the users that aren’t listed).

              These  are  used to enable the wordlist mode, reading words from


       John can work in the following modes:

              John will simply use a file with a list of words  that  will  be
              checked  against  the  passwords.  See  RULES  for the format of
              wordlist files.

       Single crack
              In this mode, john will try to  crack  the  password  using  the
              login/GECOS information as passwords.

              This  is  the  most  powerful  mode. John will try any character
              combination to resolve the password.  Details about these  modes
              can  be  found  in  the  MODES  file  in  john’s  documentation,
              including how to define your own cracking methods.


              is where you configure how john will behave.

              has  the  message  sent  to  users  when  their  passwords   are
              successfully cracked.

              is  used  to configure how john will send messages to users that
              had their passwords cracked.


       mailer(8), unafs(8), unique(8), unshadow(8),

       The programs and the configuration files are documented fully by John’s
       documentation,  which  should  be  available  in /usr/share/doc/john or
       other location, depending on your system.


       This manual page was written by Jordi  Mallach  <>  and
       Jeronimo    Pellegrini   <>,   for  the  Debian
       GNU/Linux system (but may be used by others).
       John the Ripper was written  by  Solar  Designer  <>.
       The  complete  list of contributors can be found in the CREDITS file in
       the documentation directory.