John the Ripper is a multi-platform password cracking tool that runs on Unix, Linux, Windows and macOS. It lets system administrators and penetration testers launch brute-force and dictionary attacks to test the strength of system passwords, and it supports many hash formats, including DES-based crypt, SHA-1 and many others.
It selects the cracking method automatically, based on the hash format it detects.
Licensed and distributed under the GPL, it’s a free tool available to anyone who wants to test their password security.
Main features include:
- Dictionary attacks and brute force testing
- Compatible with most operating systems and CPU architectures
- Can run unattended from cron jobs
- Pause and Resume options for any scan
- Lets you define custom letters while building dictionary attack lists
- Allows brute force customization rules
John the Ripper (“JtR”) is one of those indispensable tools. It’s a fast password cracker, available for Windows and many flavours of Linux. It’s incredibly versatile and can crack pretty much anything you throw at it.
So let’s test it out! JtR can be a bit overwhelming when it is first run, with all of its command-line options, but that level of customization is a testament to its versatility.
When it comes to cracking passwords, there are three types of attacks:
- Brute force: attempts to guess the password by working sequentially through every possible combination of letters, numbers and special characters. This is a painfully slow process, but effective.
- Dictionary: leverages a file containing lists of common passwords (usually taken from a breach of some kind) to guess a given password. It can be helpful in CTFs, but nowadays it can be difficult to apply this type of attack in the real world.
- Rainbow table: rainbow tables are a series of pre-computed hashes. The idea is that a table covers the hashes for a given algorithm and key space, so instead of cracking the hash you look it up in the table. Do note that generating the tables takes considerable processing power.
For this article, let’s perform a dictionary attack. To do that, we first need a dictionary to attack with. The easiest to acquire is rockyou.txt, a set of compromised passwords leaked from the social media application developer RockYou. Note: if you’re not using Kali Linux, you can download rockyou.txt.gz from here.
On Kali, unzip the rockyou.txt.gz file and count its entries with the following commands:
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
wc -l /usr/share/wordlists/rockyou.txt
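Before pointing a wordlist at real hashes, it helps to see what a rule-based dictionary attack actually tries, and to use that same expansion defensively: a candidate password that a handful of common mangling rules would produce from a leaked word is not worth setting. The script below is an added example, not code from the article or from the JtR project; the four-word list is a constructed stand-in for rockyou.txt, and the `mangle` rules are a simplified, hypothetical subset of what JtR’s own wordlist rules do.

```shell
#!/bin/sh
# Added example (not from the article): how a rule-based dictionary attack
# expands a wordlist, and how to check a candidate password against that
# expansion before it is ever set. The wordlist is constructed and stands in
# for rockyou.txt; the rules are a simplified stand-in for JtR's own rules.

WORDLIST=$(mktemp)
printf '%s\n' password letmein summer qwerty > "$WORDLIST"

# capitalise WORD -> WORD with its first letter upper-cased.
capitalise() {
  printf '%s%s' "$(printf '%s' "$1" | cut -c1 | tr 'a-z' 'A-Z')" \
                "$(printf '%s' "$1" | cut -c2-)"
}

# mangle WORD -> every candidate one base word yields under a handful of
# typical rules: as-is, capitalised, digit/year suffixes, trailing '!'.
mangle() {
  w=$1
  cap=$(capitalise "$w")
  printf '%s\n' "$w" "$cap" "${w}1" "${cap}1" "${w}123" "${w}2023" "${cap}!"
}

# expand_wordlist FILE -> all unique candidates for every word in FILE.
expand_wordlist() {
  while IFS= read -r w; do
    [ -n "$w" ] && mangle "$w"
  done < "$1" | sort -u
}

# candidate_count FILE -> how many guesses the rules turn the list into.
candidate_count() {
  expand_wordlist "$1" | wc -l | tr -d ' '
}

# is_guessable PASSWORD FILE -> exit 0 if some mangled wordlist entry equals
# PASSWORD exactly (this attack would recover it); exit 1 otherwise.
is_guessable() {
  expand_wordlist "$2" | grep -Fxq -- "$1"
}

echo "candidates from $(wc -l < "$WORDLIST" | tr -d ' ') words: $(candidate_count "$WORDLIST")"
for pw in Summer1 'Password!' 'xK9#vq2L'; do
  if is_guessable "$pw" "$WORDLIST"; then
    echo "$pw: would fall to the wordlist rules"
  else
    echo "$pw: not produced by these rules"
  fi
done
```

Four base words become 28 guesses under seven rules; rockyou.txt has over fourteen million lines and JtR ships far more rules, which is why “Summer1”-style passwords fall in seconds while a password no rule can derive from a dictionary word does not.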
Now you need something to crack. How about Linux password hashes? To do this we need two files: /etc/passwd, and /etc/shadow.
According to Wikipedia: The /etc/passwd file is a text-based database of information about users that may log into the system or other operating system user identities that own running processes. The /etc/shadow file is used to increase the security level of passwords by restricting all but highly privileged users’ access to hashed password data. Typically, that data is kept in files owned by and accessible only by the super user.
As we will find out later, JtR requires whatever it is to crack to be in a specific format. To combine the passwd and shadow files into that format, we use the /usr/sbin/unshadow executable. Reading /etc/shadow requires super-user privileges.
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt
The command to crack your Linux passwords is simple enough:
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ~/passwords.txt
JtR is a great way to show if you (or your users) have weak/predictable passwords!
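To make the unshadow step and JtR’s format detection concrete, here is an added example (not from the article or the JtR project) that re-implements the merge in awk on constructed passwd/shadow files and classifies each account’s hash by its `$id$` prefix. The hash strings are constructed placeholders of the right shape, not real hashes; `unshadow_merge`, `hash_algo`, `audit_shadow` and `legacy_hash_count` are names chosen for this example. The same prefix check is what a defender uses to find accounts still on md5crypt or traditional DES crypt, which fall to a wordlist far faster than sha512crypt or yescrypt.

```shell
#!/bin/sh
# Added example (not from the article): what unshadow does with passwd and
# shadow, and how the $id$ prefix of each hash field announces the algorithm
# JtR will detect. Hash strings below are constructed placeholders, not real
# hashes of any password.

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
SHADOW="$WORK/shadow"

# Constructed /etc/passwd: the second field is 'x'; the hash lives in shadow.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
carol:x:1002:1002:Carol:/home/carol:/bin/sh
svc:x:1003:1003:Service:/var/lib/svc:/usr/sbin/nologin
EOF

# Constructed /etc/shadow: user:hash:lastchange:min:max:warn:inactive:expire:
cat > "$SHADOW" <<'EOF'
root:$6$saltsalt$CONSTRUCTEDROOTHASH:19000:0:99999:7:::
alice:$y$j9T$saltsalt$CONSTRUCTEDALICEHASH:19000:0:99999:7:::
bob:$1$saltsalt$CONSTRUCTEDBOBHASH:19000:0:99999:7:::
carol:abCDEFGHIJKLm:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF

# unshadow_merge PASSWD SHADOW -> passwd lines with the 'x' replaced by the
# user's shadow hash, the layout john expects. Re-implementation of the idea
# behind the real unshadow tool, for illustration only; SHADOW must be
# non-empty for the NR == FNR first-file test to hold.
unshadow_merge() {
  awk -F: -v OFS=: '
    NR == FNR { hash[$1] = $2; next }   # first file: remember shadow hashes
    $1 in hash { $2 = hash[$1] }        # second file: substitute into passwd
    { print }
  ' "$2" "$1"
}

# hash_algo HASH -> name of the crypt(3) scheme the prefix announces.
hash_algo() {
  case "$1" in
    '')                      echo "empty (no password)" ;;
    '!'*|'*'*)               echo "locked" ;;
    '$y$'*)                  echo "yescrypt" ;;
    '$6$'*)                  echo "sha512crypt" ;;
    '$5$'*)                  echo "sha256crypt" ;;
    '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
    '$1$'*)                  echo "md5crypt (legacy)" ;;
    *)
      # Traditional DES crypt has no prefix: 2 salt chars + 11 hash chars.
      if [ "${#1}" -eq 13 ]; then echo "descrypt (legacy)"; else echo "unknown"; fi ;;
  esac
}

# audit_shadow SHADOW -> one "user algorithm" line per account.
audit_shadow() {
  while IFS=: read -r user hash rest; do
    echo "$user $(hash_algo "$hash")"
  done < "$1"
}

# legacy_hash_count SHADOW -> accounts still on md5crypt or descrypt, the
# ones to force through a password change (and a modern hash) first.
legacy_hash_count() {
  audit_shadow "$1" | grep -c 'legacy'
}

unshadow_merge "$PASSWD" "$SHADOW"
audit_shadow "$SHADOW"
echo "legacy hashes: $(legacy_hash_count "$SHADOW")"
```

Run it as-is to see the merged file john would read, then swap the constructed files for a root-owned copy of the real ones to audit which hash schemes your hosts still carry.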
So, what else can John the Ripper do? Well, it turns out a lot. A look at the bundled conversion tools (ssh2john, keepass2john, rar2john and many more) shows that JtR can attack a wide range of file types once they are converted into its hash format.
To test JtR’s SSH key passphrase cracking prowess, first create a new private key. Note: JtR isn’t cracking the key material itself (so the size of the generated key doesn’t matter); it is cracking the passphrase that encrypts the private key.
In this case, create the public/private key pair with a predictable passphrase, then convert the private key to JtR’s format:
# Create a private key (enter the predictable passphrase when prompted)
ssh-keygen -t rsa -b 4096
# Extract the encrypted private key into JtR's hash format
/usr/sbin/ssh2john ~/.ssh/id_rsa > id_rsa.hash
Next, all you need to do is point John the Ripper to the given file, with your dictionary:
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
What about KeePass? If you’re not aware, KeePass is an open-source, cross-platform password management vault, for those paranoid individuals who fear storing all their secrets in the cloud (e.g. with LastPass).
So let’s create a vault to attack. First, install the KeePass CLI (“kpcli”).
sudo apt-get install -y kpcli
Next, create a vault. You don’t need to store any passwords in the vault, an empty vault will do.
$ kpcli
KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli:/> saveas newdb.kdb
Please provide the master password: *************************
Retype to verify: *************************
As with SSH private keys and Linux password hashes, convert the KeePass database to a JtR-compatible format and then run john against it:
/usr/sbin/keepass2john newdb.kdb > newdb.kdb.hash
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt newdb.kdb.hash
Next, let’s go after the Roshal Archive (“RAR”) format. To create an encrypted RAR archive on Linux, run the following:
# Install rar
sudo apt-get install -y rar
# Create some dummy file
echo "Hello" > hello.txt
# Create an encrypted RAR file with the password "password"
rar a -hppassword encrypted.rar hello.txt
Next, let’s convert it to JtR’s cracking format:
/usr/sbin/rar2john encrypted.rar > encrypted.rar.hash
And fire away!
A note about cracking zip files…
In the process of writing this article, I discovered that the latest version of John the Ripper has a bug that may prevent the cracking of Zip files. According to this mailing list, you need to downgrade JtR to make things work. I suggest you use a different tool, because apparently uninstalling JtR on Kali Linux requires you to uninstall everything…
Hope this article is helpful for you. Thank you!
Indian Cyber Army | Make IT Secure
Enjoy…Stay Happy…Stay Secure