Crack File Password With John

Many file formats support encryption with a password. John the Ripper can crack these passwords with dictionary attack.

This article teaches you to obtain Jumbo version and compile it. Finally, you'll test your environment by cracking a ZIP archive password. A sample password protected ZIP file is provided with this article.

What you practice here

In this tutorial, you'll practice

  • Cracking file passwords with John dictionary attack
  • Obtaining latest versions of penetration testing tools
  • Compiling large C project from source code

Before you start, you should already know

You might want to crack passwords with Hashcat first, which is a bit easier.

Use of penetration testing techniques requires legal and ethical considerations. To safely use these tools, tactics and procedures, you might need to obtain contracts and permissions; and posses adequate technical skills. Check your local laws. To learn how to practice safely & legally, consider my penetration testing course.

Install prerequisites

Install the tools we need to work and the libraries required for John. These commands are for Debian 11-Bullseye, but you can find similar packages on other Linuxes, too.

$ sudo apt-get update
$ sudo apt-get -y install micro bash-completion git build-essential libssl-dev zlib1g zlib1g-dev zlib-gst libbz2-1.0 libbz2-dev atool zip wget

Installing software in Linux is indeed convenient. But what do all these packages do?

microText editor
bash-completionUse tab to complete file names
gitClone (copy) Jumbo John source code
build-essentialC compiler and related tools
libssl-devJohn requirements
zlib1g zlib1g-dev zlib1g-gstFor John ZIP support
libbz2-1.0 libbz2-devFor John 7zip support
atool zipCompression tools, 'aunpack', 'unzip'
wgetWeb downloader for command line

Download & Compile John the Ripper, Jumbo version

Latest Jumbo version of John the Ripper supports many file formats. We'll compile John from source, as the version packaged with distributions doesn't seem to contain support for many formats. A paid version also seems to exist, but this one is free.

Download John the Ripper, Jumbo version. Git clone copies the whole project to you. To save download time, we copy just the latest versions of the files using --depth=1, but this is optional.

Installing software outside package management is done on case by case bases. Obviously, the maker of that software could execute any code on our system when we run it.

$ git clone --depth=1

Many Linux C and C++ programs are compiled with a variation of './configure && make'.

$ cd john/src/	
$ ./configure

Configure will detect the environment and create a Makefile for 'make' command.

If you're missing any dependencies, you'll get a warning here. That's how I found out what packages to install beforehand with 'apt-get'. I read the error messages, then used 'apt-cache search libfoobar' to find the packages containing the missing libraries. We've already installed the dependencies we need here, but if you install some dependencies in the future, remember to run './configure' again.

Then the actual compilation. The correct make command was printed as the end of './configure' output, and I simply copied it here. Running these commands does not require new trust at this point, as we've already run a lot of code from this repository.

$ make -s clean && make -sj4

Compilation takes a couple of minutes minutes. Compilation requires a couple of gigabytes of memory. In my tests, it compiled in three minutes with 4 GB of RAM, but failed on a tiny 0.5 GB RAM virtual machine.

Once John is compiled, we can find the new executables and scripts in run/.

$ cd ../run/
$ ls -1
$ cd

Let's run it. (I removed some lines from output here)

$ $HOME/john/run/john 
John the Ripper 1.9.0-jumbo-1+bleeding-3423642 2023-01-19 00:38:00 +0100 OMP [linux-gnu 64-bit x86_64 AVX2 AC]
Copyright (c) 1996-2022 by Solar Designer and others

Did your john spit out it's version number? Well done, you've got it downloaded, compiled and running.

Password Protected ZIP

Here is a sample ZIP file to test your setup. It's password protected. Download

$ wget

We can try to open it - but in vain.

$ unzip 
   creating: secretFiles/
[] secretFiles/ password: 
password incorrect--reenter: 
password incorrect--reenter: 
   skipping: secretFiles/   incorrect password

Usually, empty directories are extracted, but the file contents are encrypted. So all we get without password are empty directories. In this case, an empty directory "secretFiles/" is created, but contents of remain a mystery.

Crack ZIP Password

Cracking the ZIP password is a two step process. First, extract the hash into a new file called

$ $HOME/john/run/zip2john >

It prints a couple of lines about the zipfile. You can optionally have a look at the extracted hash with 'cat'.

Then, let John perform a dictionary attack against the hash.

$ $HOME/john/run/john 

There is a lot of output. For a slower hash and more complicated password, it would also take longer.

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
0g 0:00:00:00 DONE 1/3 (2023-02-09 11:09) 0g/s 2112Kp/s 2112Kc/s 2112KC/s Mdzip1900..Msecret1900
Proceeding with wordlist:/home/tero/john/run/password.lst
Enabling duplicate candidate password suppressor
butterfly        (     
1g 0:00:00:00 DONE 2/3 (2023-02-09 11:09) 10.00g/s 886030p/s 886030c/s 886030C/s 123456..bob123
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The key line is

butterfly        (     

The password is "butterfly"! Now that we know the password, let's just extract the ZIP

$ unzip 
[] secretFiles/ password: [type password here, it's not echoed]
  inflating: secretFiles/   

And enjoy your loot

$ cat secretFiles/ 
You've found [REDACTED]

So many files to crack, from iTunes to Telegram

John the Ripper Jumbo can crack a lot of formats. I did not test each, but here they are:

1password 7z DPAPImk adxcsouf aem aix aix andotp androidbackup androidfde ansible apex apop applenotes aruba atmail axcrypt bestcrypt bestcryptve bitcoin bitlocker bitshares bitwarden bks blockchain cardano ccache cisco cracf dashlane deepsound diskcryptor dmg dmg ecryptfs ejabberd electrum encdatavault encfs enpass ethereum filezilla geli gpg hccap hccapx htdigest ibmiscanner ikescan itunes_backup iwork kdcdump keepass keychain keyring keystore kirbi known_hosts krb kwallet lastpass ldif libreoffice lion lion lotus luks mac mac mcafee_epo monero money mongodb mosquitto mozilla multibit neo network office openbsd_softraid openssl padlock pcap pdf pem pfx pgpdisk pgpsda pgpwde prosody ps_token pse putty pwsafe racf radius radius rar restic sap sense signal sipdump ssh sspr staroffice strip telegram test_tezos tezos truecrypt uaf vdi vmx wpapcap zed zip

You can try some of them. The hash extractors are in "run/", e.g.

$ $HOME/john/run/ 
Usage: /home/vagrant/john/run/ <1Password Agile Keychain(s) / Cloud Keychain(s)> / OnePassword.sqlite

Some extractors look for 'python' when they mean 'python3'. If you get an error, you can create a symlink

$ $HOME/john/run/
/usr/bin/env: 'python': No such file or directory

$ sudo ln -s /usr/bin/python3 /usr/local/bin/python

$ $HOME/john/run/
Usage: /home/vagrant/john/run/ <encrypted Office file(s)>

What next?

Create some encrypted files and crack them.

Always use good passwords. Never use bad passwords. Dictionary attack used here would not work for a random password. You can generate those with 'pwgen -s 20 1': "ziGtyrObMgvlxt52U0wz".

Use a password manager.

Only use your new powers for good. Happy hacking!

See also

Cracking Passwords with Hashcat