John The Ripper: The Fast, Multi-platform Password Cracking Tool

Weak passwords are the most common threats to the Information Security. Many users, still, are using the weak passwords which contains their first or last name, DOB, mobile number, father’s/mother’s maiden name, birth place, crush name, so and so. In this fast-faced technology world, it is such a worst idea to have these kind of silly and weak passwords.

As we all know, “the passwords should be easy to remember, but hard to guess”. The strong password should consists of;

  • At-least 12 or more characters,
  • Upper/lower characters,
  • Numeric characters,
  • Special characters etc.

Also, it is very very bad idea to have the same password for multiple accounts.

But, how do we know the passwords are really strong? Is there any programs or tools to test the strength of the passwords? Indeed, Yes!! Here is where John the Ripper comes in handy. Using this tool, we can easily check the strength of the passwords. John the Ripper will break or crack the simple passwords in minutes, whereas it will take several hours or even days for the complex passwords.

About John the Ripper

John the Ripper is a fast password cracker that can be used to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. It is currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS.

Install John the Ripper In Linux

John the Ripper is available in the default repositories of the most modern Linux distributions. So, we can easily install it with ‘root’ privileges as shown below depending upon your distribution type.

On DEB based systems, Ex. Ubuntu:

apt-get install john

On RPM based systems, Ex.CentOS:

yum install epel-release
yum install john

On SUSE/openSUSE:

zypper install john

On Arch Linux:

pacman -S john

On Gentoo:

emerge johntheripper

Usage

John the Ripper’s usage is quite simple. You don’t have to use any special cryptographic methods or don’t have to memorize lot of commands to find and break a weak password.

Before Using John tool, It is recommended to check John the Ripper’s efficiency and capabilities.To do this, run:

john -test

Sample output:

Benchmarking: descrypt, traditional crypt(3) [DES 128/128 SSE2-16]... DONE
Many salts:    3144K c/s real, 3150K c/s virtual
Only one salt:    3005K c/s real, 3011K c/s virtual

Benchmarking: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 128/128 SSE2-16]... DONE
Many salts:    102809 c/s real, 102809 c/s virtual
Only one salt:    100352 c/s real, 100553 c/s virtual

Benchmarking: md5crypt [MD5 32/64 X2]... DONE
Raw:    8897 c/s real, 8915 c/s virtual

Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE
Raw:    566 c/s real, 567 c/s virtual

Benchmarking: LM [DES 128/128 SSE2-16]... DONE
Raw:    41587K c/s real, 41670K c/s virtual

Benchmarking: AFS, Kerberos AFS [DES 48/64 4K]... DONE
Short:    292147 c/s real, 292732 c/s virtual
Long:    936089 c/s real, 936089 c/s virtual

Benchmarking: tripcode [DES 128/128 SSE2-16]... DONE
Raw:    2770K c/s real, 2770K c/s virtual

Benchmarking: dummy [N/A]... DONE
Raw:    50894K c/s real, 50996K c/s virtual

Benchmarking: crypt, generic crypt(3) [?/64]... DONE
Many salts:    240480 c/s real, 240480 c/s virtual
Only one salt:    238982 c/s real, 239461 c/s virtual

As you in the above output, this will give the insights about how many username/password combinations per second (c/s) your system will theoretically run for each password hash encryption type.

Well, now, I will show you how to break a simple, weak password.

Let me create a ‘test’ user.

sudo useradd test

Set password to the ‘test’ account:

sudo passwd test

Here, I set the password to the ‘test’ user account as ‘test’, i.e the user name and password are both ‘test’.

There are two ways to break the password.

Method 1:

First, create a text file called ‘recoverpassword.txt‘ in any location.

Then, list the /etc/shadow file contents to find the password entry to the ‘test’ user.

sudo cat /etc/shadow

Sample output:

 root:!:16384:0:99999:7:::
 daemon:*:16273:0:99999:7:::
 bin:*:16273:0:99999:7:::
 sys:*:16273:0:99999:7:::
 sync:*:16273:0:99999:7:::
 games:*:16273:0:99999:7:::
 man:*:16273:0:99999:7:::
 lp:*:16273:0:99999:7:::
 mail:*:16273:0:99999:7:::
 news:*:16273:0:99999:7:::
 uucp:*:16273:0:99999:7:::
 proxy:*:16273:0:99999:7:::
 www-data:*:16273:0:99999:7:::
 backup:*:16273:0:99999:7:::
 list:*:16273:0:99999:7:::
 irc:*:16273:0:99999:7:::
 gnats:*:16273:0:99999:7:::
 nobody:*:16273:0:99999:7:::
 libuuid:!:16273:0:99999:7:::
 syslog:*:16273:0:99999:7:::
 messagebus:*:16273:0:99999:7:::
 usbmux:*:16273:0:99999:7:::
 dnsmasq:*:16273:0:99999:7:::
 ntp:*:16273:0:99999:7:::
 whoopsie:*:16273:0:99999:7:::
 lightdm:*:16273:0:99999:7:::
 sk:$6$9LCW3/tG$uJqyynHfU454yhu5eF3dpUTiZg0cAm7NGJbzV/BsLIsmKACE5wWQgQuUAVHlMGNBzZK5mOV9b3Yt2I5KDJbsG.:16384:0:99999:7:::
 sshd:*:16385:0:99999:7:::
 saned:*:16398:0:99999:7:::
 test:$6$/SjwqqdA$y2VzePBBBiwNpL5D5dSEShqHkk9sT3xpMtz1/wJSsyEV3hYlXveLhs.h8Yh72Pr1dz6iMNprRfrQ1aQOPU05E/:16518:0:99999:7:::

Scroll down to the end. There you’ll find the entry for the ‘test’ user something like below.

[...]
test:$6$/SjwqqdA$y2VzePBBBiwNpL5D5dSEShqHkk9sT3xpMtz1/wJSsyEV3hYlXveLhs.h8Yh72Pr1dz6iMNprRfrQ1aQOPU05E/:16518:0:99999:7:::
[...]

Copy the above line and paste it into the recoverpassword.txt file.

vi recoverpassword.txt

Paste the ‘test’ entry from the /etc/shadow file.

test:$6$/SjwqqdA$y2VzePBBBiwNpL5D5dSEShqHkk9sT3xpMtz1/wJSsyEV3hYlXveLhs.h8Yh72Pr1dz6iMNprRfrQ1aQOPU05E/:16518:0:99999:7:::

Save and close the file.

Now, let us start to break the password using command:

john recoverpassword.txt

Sample output:

 Loaded 1 password hash (crypt, generic crypt(3) [?/64])
 Press 'q' or Ctrl-C to abort, almost any other key for status
 test             (test)
 1g 0:00:00:00 100% 1/3 1.562g/s 150.0p/s 150.0c/s 150.0C/s test..t99999!
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

Hurray! As you see above, the password for ‘test’ user has been cracked.

Important: Be mindful that this process will take several minutes, or even days to break a complex password.

Let us take another example. I am going to change the password of the ‘test’ user and see whether the John the Ripper would crack the password.

Let us set different password and try to break the password of ‘test’ user.

Change the ‘test’ user password using command:

sudo passwd test

Enter the new password twice, for example I am going to use the password as ‘welcome’.

Now, list out the /etc/shadow file contents. Then, copy the ‘test’ user entry to the recoverpassword.txt file as shown above.

Now, run the following command:

john recoverpassword.txt

Sample output:

 Loaded 1 password hash (crypt, generic crypt(3) [?/64])
 Press 'q' or Ctrl-C to abort, almost any other key for status
 welcome (test)
 1g 0:00:00:15 100% 2/3 0.06591g/s 205.1p/s 205.1c/s 205.1C/s piglet..knight
 Use the "--show" option to display all of the cracked passwords reliably
 Session completed

As you see, the password for ‘test’ user has been displayed. This process could take only a few minutes, because we’re breaking the very simple password. In case of complex passwords, this take several hours or days. So be prepared accordingly.

To view the cracked passwords, run:

john --show revoverpassword.txt

Sample output:

test:welcome:16518:0:99999:7:::
1 password hash cracked, 0 left

Method 2:

This is somewhat similar to method 1.

Create a new text, for example recoverpassword.txt in any location.

Then, append the contents of /etc/passwd and /etc/shadow files using John the Ripper’s effective utility called ‘unshadow’ .

unshadow /etc/passwd /etc/shadow > recoverpassword.txt

Now, run the following commands to crack the passwords.

john recoverpassword.txt

Now,  you can view the cracked passwords using command:

john --show recoverpassword.txt

Just think what if a hacker could get the /etc/passwd and /etc/shadow files of your Linux server? This could lead you to worst nightmare if your system got compromised by hackers using the passwd and shadow files that he/she has. That’s why we need to audit the passwords regularly and must set a strong password to our system.

To know more examples, refer the following link.

John the Ripper’s Cracking Modes

John the Ripper combines several cracking modes in one program and is fully configurable for your particular needs.

  1. Wordlist mode
  2. Single Crack mode
  3. Incremental mode
  4. External mode

1. Wordlist mode

It is the Simplest mode supported by John the Ripper. In this mode, you have to specify a wordlist ( i.e a text file containing one word per line) and some password files.

Example:

john --wordlist=mywordlist.lst --rules recoverpassword.txt

Be mindful that the wordlist should not contain any duplicate entries.

2. Single Crack mode

It is the recommended and fastest mode of all. You can even make the cracking process much faster by specifying multiple password files. John the Ripper will start to crack the passwords first using this mode.

3. Incremental mode

In this mode, John the Ripper will try with multiple combination of words to crack the passwords. It is the most powerful of all modes.

Example:

john --incremental recoverpassword.txt

4. External mode

In this mode, you have to create a configuration file section called [List.External:MODE], where MODE is any name that you assign to the mode. The section should contain some functions programmed in a subset of the C language. John will compile and use the functions if you enable this cracking mode via the command line.

For more details about the John the Ripper’s modes can be found here.

Conclusion

What we have seen so far is how to test the strength of the passwords using John the Ripper command line utility. You can come to a conclusion if this tool cracks your passwords in minutes, then it will definitely be a weak password. If it took long time, then you, somewhat, have a strong password and you’re safe. I suggest you to periodically audit and change the passwords.

I sincerely recommend you to use this tool for a good cause. Please don’t attempt to break or steal passwords of others using this tool.

References: