.\"                                      Hey, EMACS: -*- nroff -*-
.\"
.\" john.8 is copyright 1999-2001 by
.\" Jordi Mallach <jordi@debian.org>
.\" This is free documentation, see the latest version of the GNU General
.\" Public License for copying conditions. There is NO warranty.
.TH JOHN 8 "June 09, 2008" john
.\" Please adjust this date whenever revising the manpage.
.SH NAME
john \- a tool to find weak passwords of your users
.SH SYNOPSIS
.B john
.RI [ options ]
password-files
.SH DESCRIPTION
This manual page documents briefly the
.B john
command.
This manual page was written for the Debian GNU/Linux distribution
because the original program does not have a manual page.
\fBjohn\fP, better known as John the Ripper, is a tool to find weak
passwords of users in a server. John can use a dictionary or some search
pattern as well as a password file to check for passwords. John supports
different cracking modes and understands many ciphertext formats, like
several DES variants, MD5 and blowfish. It can also be used to extract AFS
and Windows NT passwords.
.SH USAGE
To use John, you just need to supply it a password file and the desired
options. If no mode is specified, john will try "single" first, then
"wordlist" and finally "incremental".
.P
Once John finds a password, it will be printed to the terminal and saved
into a file called ~/.john/john.pot. John will read this file when it 
restarts so it doesn't try to crack already done passwords.
.P
To see the cracked passwords, use
.P
john \-show passwd
.P
Important: do this under the same directory where the password was cracked
(when using the cronjob, /var/lib/john), otherwise it won't work.
.P
While cracking, you can press any key for status, or Ctrl+C to abort the
session, saving point information to a file (
.I ~/.john/john.rec
by default). By the
way, if you press Ctrl+C twice John will abort immediately without saving.
The point information is also saved every 10 minutes (configurable in the
configuration file,
.I ~/.john/john.ini
or
.I ~/.john/john.conf
) in case of a crash.
.P
To continue an interrupted session, run:
.P
john \-restore
.P
Now, you may notice that many accounts have a disabled shell, you can make
John ignore these (assume that shell is called 
.I /etc/expired
):
.P
john \-show \-shells:\-/etc/expired passwd
.P
You might want to mail all the users who got weak passwords,
to tell them to change the passwords. It's not always a good idea though
(unfortunately, lots of people seem to ignore such mail, it can be used
as a hint for crackers, etc), but anyway, I'll assume you know what you're
doing. Get a copy of the 'mailer' script supplied with John, so you won't
change anything that's under
.I /usr/sbin
; edit the message it sends, and
possibly the mail command inside it (especially if the password file is
from a different box than you got John running on).
Then run:
.P
 ./mailer passwd
.P
Anyway, you probably should have a look at
.I /usr/share/doc/john/OPTIONS
for a list of all the command line options, and at
.I /usr/share/doc/john/EXAMPLES
for more John usage examples with other cracking modes.
.SH OPTIONS
All the options recognized by john start with a single dash (`\-').
A summary of options is included below.
.TP
.B \-external:MODE
Enables an external mode, using external functions defined in ~/john.ini's
[List.External:MODE] section.
.TP
.B \-format:NAME
Allows you to override the ciphertext format detection. Currently, valid
format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option when
cracking or with '\-test'. Note that John can't crack password files with
different ciphertext formats at the same time.
.TP
.B \-groups:[\-]GID[,..]
Tells John to load users of the specified group(s) only.
.TP
.B \-incremental[:MODE]
Enables the incremental mode, using the specified ~/john.ini definition
(section [Incremental:MODE], or [Incremental:All] by default).
.TP
.B \-makechars:FILE
Generates a charset file, based on character frequencies from
~/.john/john.pot, for use with the incremental mode. The entire 
~/.john/john.pot will be used for the charset file unless you specify 
some password files. You can also use an external filter() routine with 
this option.
.TP
.B \-restore[:FILE]
Continues an interrupted cracking session, reading point information from
the specified file (~/.john/john.rec by default).
.TP
.B \-rules
Enables wordlist rules, that are read from [List.Rules:Wordlist] in
.I /etc/john/john.conf
(or the alternative configuration file you might specify on the command 
line).
.br
This option
.B requires
the
.B -wordlist
option to be passed as well.
.TP
.B \-salts:[\-]COUNT
This feature sometimes allows you to achieve better performance. For example
you can crack only some salts using '\-salts:2' faster, and then crack the
rest using '\-salts:\-2'. Total cracking time will be about the same, but
you will get some passwords cracked earlier.
.TP
.B \-savemem:LEVEL
You might need this option if you don't have enough memory, or don't want
John to affect other processes too much. Level 1 tells John not to waste
memory on login names, so you won't see them while cracking. Higher levels
have a performance impact: you should probably avoid using them unless John
doesn't work or gets into swap otherwise.
.TP
.B \-session:FILE
Allows you to specify another point information file's name to use for
this cracking session. This is useful for running multiple instances of
John in parallel, or just to be able to recover an older session later,
not always continue the latest one.
.TP
.B \-shells:[\-]SHELL[,..]
This option is useful to load accounts with a valid shell only, or not to
load accounts with a bad shell. You can omit the path before a shell name,
so '\-shells:csh' will match both '/bin/csh' and '/usr/bin/csh', 
while '\-shells:/bin/csh' will only match '/bin/csh'.
.TP
.B \-show
Shows the cracked passwords in a convenient form. You should also specify
the password files. You can use this option while another John is cracking,
to see what it did so far.
.TP
.B \-single
Enables the "single crack" mode, using rules from [List.Rules:Single].
.TP
.B \-status[:FILE]
Prints status of an interrupted or running session. To get an up to date
status information of a detached running session, send that copy of John
a SIGHUP before using this option.
.TP
.B \-stdin
These are used to enable the wordlist mode (reading from stdin).
.TP
.B \-stdout[:LENGTH]
When used with a cracking mode, except for "single crack", makes John
print the words it generates to stdout instead of cracking. While applying
wordlist rules, the significant password length is assumed to be LENGTH,
or unlimited by default.
.TP
.B \-test
Benchmarks all the enabled ciphertext format crackers, and tests them for
correct operation at the same time.
.br
This option does
.B not
need any file passed as argument. Its only function is to benchmark the 
system john is running on.
.TP
.B \-users:[\-]LOGIN|UID[,..]
Allows you to filter a few accounts for cracking, etc. A dash before the
list can be used to invert the check (that is, load all the users that
aren't listed).
.TP
.B \-wordlist:FILE
These are used to enable the wordlist mode, reading words from FILE.
.SH MODES
John can work in the following modes:
.TP
\fBWordlist\fP
John will simply use a file with a list of words that will be checked
against the passwords. See RULES for the format of wordlist files.
.TP
\fBSingle crack\fP
In this mode, john will try to crack the password using the login/GECOS
information as passwords.
.TP
\fBIncremental\fP
This is the most powerful mode. John will try any character combination
to resolve the password.
Details about these modes can be found in the MODES file in john's
documentation, including how to define your own cracking methods.
.SH FILES
.TP
.I /etc/john/john.conf
is where you configure how john will behave.
.TP
.I /etc/john/john\-mail.msg
has the message sent to users when their passwords are successfully cracked.
.TP
.I /etc/john/john\-mail.conf
is used to configure how john will send messages to users that had their passwords
cracked.
.P
.SH SEE ALSO
.BR mailer (8),
.BR unafs (8),
.BR unique (8),
.BR unshadow (8),
.PP
The programs and the configuration files are documented fully by John's 
documentation, which should be available in \fI/usr/share/doc/john\fP or 
other location, depending on your system.
.SH AUTHOR
This manual page was written by Jordi Mallach <jordi@debian.org>
and Jeronimo  Pellegrini <pellegrini@mpcnet.com.br>, for the
Debian GNU/Linux system (but may be used by others).
.br
John the Ripper was written by Solar Designer <solar@openwall.com>.
The complete list of contributors can be found in the CREDITS file
in the documentation directory.