John the Ripper : Password cracking

John the Ripper is a multi-platform password-cracking tool that runs on Unix, Linux, Windows and macOS. It lets system administrators and penetration testers run brute-force and dictionary attacks to test the strength of system passwords, against hash formats such as DES-based crypt, SHA-1 and many others.

It selects the cracking method automatically, based on the hash algorithm it detects.

Licensed and distributed under the GPL license, it’s a free tool available for anyone who wants to test their password security.

Main features include:

  • Dictionary attacks and brute force testing
  • Compatible with most operating systems and CPU architectures
  • Can run unattended from cron jobs
  • Pause and Resume options for any scan
  • Lets you define custom letters while building dictionary attack lists
  • Allows brute force customization rules

John the Ripper (“JtR”) is one of those indispensable tools. It’s a fast password cracker, available for Windows and many flavours of Linux. It’s incredibly versatile and can crack pretty much anything you throw at it.

So let’s test it out! It can be a bit overwhelming when JtR is first executed, with all of its command line options, but its level of customization is a testament to its versatility.

john wasn’t detected in my $PATH, so I had to leverage the full path.

When it comes to cracking passwords, there are three common types of attack:

  1. Brute force: attempts to guess the password by sequentially working through every possible combination of letters, numbers and special characters. This is a painfully slow process, but eventually effective.
  2. Dictionary: uses a file containing lists of common passwords (usually taken from a breach of some kind) to guess a given password. It can be helpful in CTFs, but nowadays it can be difficult to apply this type of attack in the real world.
  3. Rainbow table: a rainbow table is a set of pre-computed hashes. The idea is that the table covers all hashes for a given algorithm, so instead of cracking the hash you look it up in the table. Do note that building such a table takes considerable processing power, and that a per-user salt (as used in /etc/shadow hashes) makes a pre-computed table useless.
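As an added example (not code from the article or from the John the Ripper project), here is the loop behind the dictionary attack described above, in plain shell. sha256sum stands in for whatever hash format john would have detected, and a four-word constructed list stands in for rockyou.txt. It goes slightly beyond the text by adding a salt: the same wordlist only succeeds when the salt that went into the target hash is known, which is exactly why salted formats defeat rainbow tables but not dictionary attacks.

```shell
#!/bin/sh
# Added example (not part of John the Ripper or the article): the loop at the
# heart of a dictionary attack, with sha256sum standing in for whatever hash
# format john has detected. All inputs below are constructed for the demo.

# Hex SHA-256 of stdin; falls back to shasum where GNU coreutils is absent.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# hash_candidate SALT WORD: toy salted hash = sha256(salt || word).
# Real crypt(3) schemes ($6$, yescrypt) are deliberately slow; the idea is the same.
hash_candidate() {
  printf '%s%s' "$1" "$2" | sha256_hex
}

# dictionary_attack TARGET_HEX SALT WORDLIST: hash every candidate with the
# target's salt and compare. Prints the match and returns 0, or returns 1
# once the list is exhausted (the only way a dictionary attack "fails").
dictionary_attack() {
  target=$1; salt=$2; wordlist=$3
  while IFS= read -r word || [ -n "$word" ]; do
    if [ "$(hash_candidate "$salt" "$word")" = "$target" ]; then
      printf '%s\n' "$word"
      return 0
    fi
  done < "$wordlist"
  return 1
}

# make_wordlist: a four-entry constructed stand-in for rockyou.txt.
make_wordlist() {
  WORDLIST=$(mktemp)
  printf '%s\n' 123456 password sunshine letmein > "$WORDLIST"
}

# Demo: one unsalted target (a well-known digest) and one salted target that
# is derived here from a constructed password, then tried with the wrong salt.
make_wordlist
unsalted=5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8  # sha256("password")
echo "unsalted target -> $(dictionary_attack "$unsalted" '' "$WORDLIST" || echo 'no match')"
salted=$(hash_candidate 'Xy9' sunshine)
echo "salted target   -> $(dictionary_attack "$salted" 'Xy9' "$WORDLIST" || echo 'no match')"
echo "wrong salt      -> $(dictionary_attack "$salted" 'Zz1' "$WORDLIST" || echo 'no match')"
rm -f "$WORDLIST"
```

The cost of this loop is one hash per candidate, which is why a password that appears anywhere in a breached list falls almost instantly no matter how strong the hash function is; the slow crypt(3) formats only raise the per-guess cost, they do not change the outcome for a guessable password.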

For this article, let’s perform a dictionary attack. To do that, we first need a dictionary to attack with. The easiest to acquire is rockyou.txt, a set of passwords leaked in the breach of the social media application developer RockYou. Note: if you’re not using Kali Linux, you can download rockyou.txt.gz from here.

On Kali, unzip the rockyou.txt.gz file and count its entries with the following commands:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz
wc -l /usr/share/wordlists/rockyou.txt

Now you need something to crack. How about Linux password hashes? For that we need two files: /etc/passwd and /etc/shadow.

According to Wikipedia: The /etc/passwd file is a text-based database of information about users that may log into the system or other operating system user identities that own running processes. The /etc/shadow is used to increase the security level of passwords by restricting all but highly privileged users’ access to hashed password data. Typically, that data is kept in files owned by and accessible only by the super user.

As we will find out later, JtR requires whatever it is to crack to be in a specific format. To combine the passwd and shadow files into that format, we use the /usr/sbin/unshadow executable. Reading /etc/shadow requires super user privileges.

sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
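To see what unshadow actually produces, here is the same merge done with awk on constructed passwd and shadow fragments (an added example, not part of John the Ripper or this article; the hash shown is a placeholder in sha512-crypt layout, not a real hash). It also filters out locked or password-less accounts, whose shadow field is `*` or `!` and so carries nothing john could test.

```shell
#!/bin/sh
# Added example (not part of John the Ripper or the article): what `unshadow`
# does, reproduced with awk on constructed passwd/shadow fragments.

# make_samples: write constructed /etc/passwd and /etc/shadow fragments to a
# temp dir. alice's hash is a placeholder in sha512-crypt ($6$) layout, NOT a
# real hash; root is locked (*) and the service account has no password (!).
make_samples() {
  SAMPLE_DIR=$(mktemp -d)
  SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
  SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
  cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001:Backup service:/var/backups:/usr/sbin/nologin
EOF
  cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:19000:0:99999:7:::
alice:$6$c0nstructedsalt$PLACEHOLDERHASHNOTREAL:19000:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
EOF
}

# merge_unshadow PASSWD SHADOW: replace the "x" in passwd's password field
# with the hash from shadow for the same user name, which is the line layout
# john expects. Shadow is read first (NR == FNR) so lookups come from memory.
merge_unshadow() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }
    ($1 in hash) { $2 = hash[$1] }
    { print }
  ' "$2" "$1"
}

# crackable_accounts PASSWD SHADOW: names of accounts whose merged line holds a
# real hash ($-prefixed). Locked (*, !) or empty fields give john nothing.
crackable_accounts() {
  merge_unshadow "$1" "$2" | awk -F: 'substr($2, 1, 1) == "$" { print $1 }'
}

# Demo run on the constructed files.
make_samples
echo "--- merged (what john reads) ---"
merge_unshadow "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
echo "--- accounts with a testable hash ---"
crackable_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
rm -r "$SAMPLE_DIR"
```

The merged file is as sensitive as /etc/shadow itself, since it carries every user's hash in a world-readable location; keep ~/passwords.txt with restrictive permissions and delete it once the audit is done.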

The command to crack your Linux passwords is simple enough. To perform the crack, execute the following:

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ~/passwords.txt

JtR is a great way to show if you (or your users) have weak/predictable passwords!

So, what else can John the Ripper do? Well, it turns out a lot. A listing of the *2john conversion helpers installed alongside john shows many different tools for turning various file types into JtR-compatible hash files, which is a good indication of what it can attack.

For instance…

SSH keys

To test out JtR’s SSH key passphrase-cracking prowess, first create a new private key. Note: JtR isn’t cracking the key material itself (so the size of the generated key doesn’t matter); it is cracking the passphrase that encrypts the private key.

In this case, create the public/private key pair with a predictable passphrase:

# Create a private key (choose a predictable passphrase when prompted)
ssh-keygen -t rsa -b 4096
# Convert the encrypted private key to JtR's hash format
/usr/sbin/ssh2john ~/.ssh/id_rsa > id_rsa.hash

Next, all you need to do is point John the Ripper to the given file, with your dictionary:

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

And voila!

Keepass2 database

What about KeePass? If you’re not aware, KeePass is an open source, cross-platform password management vault, for those paranoid individuals who fear storing all their secrets in the cloud (e.g. with LastPass).

So let’s create a vault to attack. First, install the KeePass CLI (“kpcli”).

sudo apt-get install -y kpcli

Next, create a vault. You don’t need to store any passwords in it; an empty vault will do.

$ kpcli
KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> saveas newdb.kdb
Please provide the master password: *************************
Retype to verify: *************************
kpcli:/> exit

As with the SSH private key and the Linux password hashes, convert the KeePass database to a JtR-compatible format:

/usr/sbin/keepass2john newdb.kdb > newdb.kdb.hash

And attack!

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt newdb.kdb.hash

RAR

Next, let’s go after the Roshal Archive (“RAR”) format. To create an encrypted RAR archive on Linux, perform the following:

# Install rar
sudo apt-get install -y rar
# Create some dummy file
echo "Hello" > hello.txt
# Create an encrypted RAR file with the password "password"
rar a -hppassword encrypted.rar hello.txt

Next, let’s convert it to JtR’s cracking format:

/usr/sbin/rar2john encrypted.rar > encrypted.rar.hash

And fire away!

A note about cracking zip files…

In the process of writing this article, I discovered that the latest version of John the Ripper has a bug that may prevent the cracking of Zip files. According to this mailing list, you need to downgrade JtR to make things work. I suggest you use a different tool, because apparently uninstalling JtR on Kali Linux requires you to uninstall everything…

Hope this article was helpful for you. Thank you.

Indian Cyber Army | Make IT Secure

Enjoy…Stay Happy…Stay Secure
