How to Crack Passwords with pwdump3 and John the Ripper

By Kevin Beaver

Hackers use multiple methods to crack those seemingly fool-proof passwords. John the Ripper and pwdump3 can be used to crack passwords for Windows and Linux/Unix. Follow the easy steps below.

How to crack Windows passwords

The following steps use two utilities to test the security of current passwords on Windows systems:

  • pwdump3 (to extract password hashes from the Windows SAM database)

  • John the Ripper (to crack the hashes of Windows and Linux/UNIX passwords)

The following test requires administrative access to either your Windows standalone workstation or the server:

  1. Create a new directory called passwords from the root of your Windows C: drive.

  2. Download and install a decompression tool if you don’t already have one.

    WinZip is a good commercial tool you can use and 7-Zip is a free decompression tool. Windows XP, Windows Vista, and Windows 7 also include built-in Zip file handling.

  3. Download, extract, and install the following software into the passwords directory you created, if you don’t already have it on your system:

  4. Enter the following command to run pwdump3 and redirect its output to a file called cracked.txt:

    c:\passwords\pwdump3 > cracked.txt

    This file captures the Windows SAM password hashes that John the Ripper cracks in the next step. You can open cracked.txt to see the local Windows SAM database password hashes it contains.


  5. Enter the following command to run John the Ripper against the Windows SAM password hashes to display the cracked passwords:

    c:\passwords\john cracked.txt

    This process can take seconds or days, depending on the number of users and the complexity of their associated passwords.


How to crack UNIX/Linux passwords

John the Ripper can also crack UNIX/Linux passwords. You need root access to your system and to the password (/etc/passwd) and shadow password (/etc/shadow) files. Perform the following steps for cracking UNIX/Linux passwords:

  1. Download the UNIX source files from

  2. Extract the program by entering the following command:

    [root@localhost kbeaver]# tar -zxf john-1.7.9.tar.gz

    or whatever the current filename is.

    You can also crack UNIX or Linux passwords on a Windows system by using the Windows/DOS version of John the Ripper.

  3. Change to the /src directory that was created when you extracted the program and enter the following command:

    make generic

  4. Change to the /run directory and enter the following command to use the unshadow program to combine the passwd and shadow files and copy them to the file cracked.txt:

    ./unshadow /etc/passwd /etc/shadow > cracked.txt

    The unshadow process won’t work with all UNIX variants.

  5. Enter the following command to start the cracking process:

    ./john cracked.txt

    When John the Ripper is complete (and this could take some time), the output is similar to the results of the preceding Windows process.

After completing the preceding Windows or UNIX steps, you can force users to change passwords that don’t meet specific password policy requirements, create a new password policy, or use the information to update your security awareness program. Just do something.

Be careful handling the results of your password cracking. You create an accountability issue because more than one person now knows the passwords. Always treat the password information of others as strictly confidential. If you end up storing them on your test system, make sure it’s extra secure. If it’s a laptop, encrypting the hard drive is the best defense.
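
The cracked.txt files produced by pwdump3 and unshadow in the steps above can also be triaged by how each password is stored, without recovering any plaintext. The following is an added example, not part of the original article; it assumes the common pwdump layout (user:rid:LM:NT:::) and the unshadow layout (user:hash:uid:gid:gecos:home:shell), and the function names and sample lines are constructed for illustration.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX32 = re.compile(r"^[0-9a-f]{32}$")
CRYPT_SCHEMES = [("$1$", "md5crypt (weak)"), ("$2", "bcrypt"), ("$5$", "sha256crypt"),
                 ("$6$", "sha512crypt"), ("$y$", "yescrypt")]

def classify(line):
    """Return (account, finding) for one line, or None for a blank line."""
    f = line.strip().split(":")
    if len(f) < 2 or not f[0]:
        return None
    user, f2 = f[0], f[1]  # f2 is the RID (pwdump) or the password hash (unshadow)
    nt = f[3].lower() if len(f) >= 4 else ""
    # pwdump layout: numeric RID, then LM and NT as 32 hex digits or a "NO PASSWORD" placeholder
    if f2.isdigit() and (HEX32.match(nt) or nt.startswith("no password")):
        lm = f[2].lower()
        if nt == EMPTY_NT or not HEX32.match(nt):
            return user, "blank password"
        if HEX32.match(lm) and lm != EMPTY_LM:
            return user, "LM hash stored (weak)"
        return user, "NT hash only"
    # unshadow layout: second field is the crypt(3) hash, identified by its prefix
    if not f2:
        return user, "blank password"
    if f2[0] in "!*":
        return user, "password login disabled"
    for prefix, name in CRYPT_SCHEMES:
        if f2.startswith(prefix):
            return user, name
    return user, ("DES crypt (weak)" if len(f2) == 13 else "unrecognized")

def triage(text):
    return dict(r for r in map(classify, text.splitlines()) if r)

# Constructed sample lines; the hash values are made up, not taken from any system.
SAMPLE = """\
alice:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
guest:501:NO PASSWORD*********************:31d6cfe0d16ae931b73c59d7e0c089c0:::
carol:$1$abcdefgh$0123456789abcdefghijkl:1000:1000::/home/carol:/bin/sh
dave:$6$saltsalt$0123456789abcdefghijkl:1001:1001::/home/dave:/bin/sh
svc:!:998:998::/nonexistent:/usr/sbin/nologin
old:abCDEFGHIJKLM:1002:1002::/home/old:/bin/sh
"""

if __name__ == "__main__":
    for account, finding in triage(SAMPLE).items():
        print(f"{account:8} {finding}")
```

Accounts reported as weak or blank are candidates for a forced password change whether or not John the Ripper recovers their passwords.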