John The Ripper

I normally don’t have a use for a password cracking application like John the Ripper, but a family member was having problems logging in to their Mac and they couldn’t remember what password they were using for the keychain. I decided to give John the Ripper a try and I’m glad I did. It picked the password for the keychain in about a minute using its built-in dictionary. If you get in a similar bind, the following worked for me running Mountain Lion Server.

The family member was remote, so they zipped up the login.keychain file and sent it to me. I moved the file to my local machine running Mountain Lion Server, but this should work on Mountain Lion, Lion, Snow Leopard, and maybe further back… I downloaded a jumbo build of John the Ripper, moved the login.keychain file into the same directory as the “run” directory of the downloaded JtR, and ran the following commands from JtR’s run directory:

./keychain2john login.keychain

(running keychain2john spews out a few lines of characters; copy all of the lines to a .txt file and save it to the JtR directory – I copied keychain2john’s output to “clwlogin.txt”) and then I ran the following command from Terminal:

./john -i=all clwlogin.txt

While the command above is running, you can press “enter” and see JtR’s status. When JtR picks the password, it will automatically throw it up on the screen followed by a question mark in parentheses. At this point, JtR will keep running to look for more passwords, so I press Control-C to force it to quit. Success!

5 Responses to “John The Ripper”

  1. Dave says:

    Did you have to get a wordlist? I had a similar situation, and once I’d gotten the keychain2john output I ran it. The command ran 20 days until a spontaneous reboot.

  2. Brad says:

    Dave, I had a word list, but I don’t believe I bothered to use it for this. Were you able to get it working?

  3. Dave says:

    Nope. It did issue a guess, but it apparently guessed wrong. Been running over 145 days now, no luck. It looks like the data from the keychain is gone.

  4. Jack says:

    I have the login.keychain file. I run it through keychain2john. It spits out $keychain$***

    I copy the entire thing and put it in a txt, then try to run it on ./john but it doesn’t work, it says
    $ ./john -i=all “Keychain.txt”
    No password hashes loaded (see FAQ)


  5. Dave says:

    Don’t waste your time. JTR could take 100-1000 years to be successful.

    I mentioned above, it ran for over 4 months before a guess and the guess was wrong. If you have lost a Mac keychain password, you’re done.

    Format and start over.
