If you have already read my article on john the ripper you know how hackers can hack passwords provided they can get access to the password hashes. Now I hope you know how to get password hashes or least what password hashes are. But using john the ripper is a pain. It is all terminal black and white boring stuff. How can I crack passwords without all that?
Must read: Hacking passwords with android phones
Well, Johnny has the answer you want.
Introducing Johnny the GUI version of john the ripper. It is available by default in Kali Linux. You can install it in windows if you want.
Now open and install johnny like any other app.Once you are done with that now you need to set up Johnny. To do this extract john the ripper in a folder.
Use johnny settings to locate and connect both john the ripper and johnny.
It should be like this:
After locating the folder of john the ripper select john.exe, it will be like this:
Now that both are connected to each other you can start hacking passwords with the GUI interface.
For this demo tutorial, we will be using the DEFCON challenge list which is a listed of hashed passwords we need to crack. It has over 50000 account passwords which we will crack in less than 2 hours.
So without further ado, let’s get cracking
Step 1: Import hashes
Start Johnny and import the hashes with the open password file option
Step 2: Find a word list
Download a good wordlist from the internet. I’m using the two billion possible passwords wordlist which you can download from here.
Step 3: Select the wordlist
Go to the wordlist section and select the downloaded wordlist.
Step 4: Hash type selection
Now by default, the most used type of hash will be auto-selected for cracking for the rest you need to select the type manually.
Step 5: Start cracking passwords
Now as you see sha1 is my auto-selected type. Once this is selected click on start attack, and the password cracking should start. It is easy to crack passwords as long as you have patience.
20 minutes later
Step 6: Changing hash type
Once you have cracked all the possible hashes of a certain type. Change the hash format to type a different type of hash. And again start cracking.
Step 7: Done done done
By the time you have tried all the hash types in Johnny. You will have cracked over 50000 passwords. Do note you do need some patience. It took me 2 hours depending on my pc speed. If you have a better pc you will be able to do it faster.
Congratulations on hacking and completing the 50000 account challenge!!!
So how does it all work?
Well, what happens is Johnny automated the process of cracking passwords and using our wordlist started comparing the hashes of passwords with the hashes present in the challenge list. As you can see in the images below by no means are these passwords easy to guess or too small even then these passwords were easily hacked. In other words, if you have a good wordlist almost any password can be hacked by hackers.
Cracked passwords examples:
How do I protect my account password?
- Beware of phishing attacks
- Use two-factor authentication for everything (all websites you use)
- Make a password with a minimum of 12 characters. Bigger the password harder it is to crack. Those 12 characters should not be present in the dictionary.
- Check if your email was ever compromised. Visit https://haveibeenpwned.com/ website and check your email if it was ever compromised.
- Stay alert and improve your knowledge by reading articles on the hacking world.
Don`t miss: How to secure your accounts from hackers
Commonly asked questions about Johnny.
Q1. Can Johnny hack any password hash?
Technically speaking yes, it can be provided you meet all of its requirements of cracking the password. For example, if the password is complicated but is present in the wordlist dictionary you use, then it can easily be hacked. Also if you know the precise length of the password hacking that password becomes that easy.
Q2. Is this tool free to use?
Yes, this version is free to use there is a separate paid version for those who required. The paid version has a lot of features, but I haven’t tested it yet. The free version is good enough according to me. Unless you are a professional hacker using it for business.
Q.3 Can you use this tool online?
No, this is an offline password cracking tool to crack hashes. It cannot perform online password cracking attacks. You need to use hydra for online password cracking.
Q.4 Can you hack facebook and Instagram with this tool?
Yes, you can hack any website as facebook and Instagram provided you get the hashes of the facebook and Instagram password. You cannot crack any online passwords with this tool.
Q.5 Can any password hash be cracked?
Hashes can only be cracked if the corresponding password is found. If the password is too big and too unique and not present in a wordlist than your security becomes that good. That is why we always suggest our users keep long and complicated passwords for their accounts. The minimum password length is 12 characters according to us.
Q.6 Do websites have similar password hashes?
Yes, but they are stored in the database. If you are able to extract the database then you can get access to the passwords easily. However professional websites have good security and cannot be hacked this easily. This tool does not support online password cracking.