John the ripper - crack passwords
John the Ripper is a popular dictionary-based password cracking tool. It takes a wordlist full of passwords and tries to crack a given password hash using each password from the wordlist in turn. In other words, it is called brute force password cracking and is the most basic form of password cracking. It is also the most time- and CPU-consuming technique: the more passwords there are to try, the more time it takes.
John is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or Telnet server. John, however, needs the hash first, so the greater challenge for a hacker is obtaining the hash that is to be cracked. Nowadays hashes are more easily crackable using the free rainbow tables available online: go to one of the sites, submit the hash, and if the hash is of a common word the site shows the word almost instantly. Rainbow tables basically store common words and their hashes in a large database; the larger the database, the more words are covered.
Still, if you want to crack a password locally on your own system, John is one of the good tools to try. John is among the top 10 security tools in Kali Linux. On Ubuntu it can be installed from the Synaptic package manager.
In this post I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following 2 files: /etc/passwd and /etc/shadow.
The actual password hash is stored in /etc/shadow, and this file is readable only with root access to the machine. So get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with the password chess.
# adduser happy
Adding user `happy' ...
Adding new group `happy' (1001) ...
Adding new user `happy' (1000) with group `happy' ...
Creating home directory `/home/happy' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for happy
Enter the new value, or press ENTER for the default
        Full Name :
        Room Number :
        Work Phone :
        Home Phone :
        Other :
Is the information correct? [Y/n] y
For demonstration purposes it is better to use a simple password so that you do not have to wait too long. Now that our new user is created, it is time to crack the password.
The unshadow command combines the data of /etc/passwd and /etc/shadow into one file that holds both the username and the password details. Usage is quite simple.
# unshadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
# unshadow /etc/passwd /etc/shadow > ~/file_to_crack
We redirected the output of the unshadow command to a new file called file_to_crack.
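To make the merge concrete, here is an added example (my code, not part of John the Ripper or of this post) that does in Python what unshadow does: it swaps the "x" placeholder in each /etc/passwd line for the hash field of the matching /etc/shadow line. It then adds the check a defender wants before anyone else runs john against the file: which accounts are locked, and which still use an old crypt(3) scheme that cracks far faster than sha512crypt. The account lines are constructed samples and the hash bodies are placeholders, not real hashes; the function names are my own.

```python
# Added example: unshadow-style merge plus a hash-scheme audit.
# All account lines are constructed; the hash bodies are placeholders.

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "happy:x:1000:1001:,,,:/home/happy:/bin/bash",
    "legacy:x:1001:1001:Legacy App:/home/legacy:/bin/sh",
]
SHADOW_LINES = [
    "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15839:0:99999:7:::",
    "daemon:*:15839:0:99999:7:::",
    "happy:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15839:0:99999:7:::",
    "legacy:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:15839:0:99999:7:::",
]


def parse_shadow(lines):
    """Map username -> hash field (the second colon-separated field of /etc/shadow)."""
    table = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    return table


def unshadow(passwd_lines, shadow_lines):
    """Replace the 'x' in each passwd line with the real hash from shadow,
    which is what `unshadow /etc/passwd /etc/shadow` prints."""
    hashes = parse_shadow(shadow_lines)
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def classify_hash(h):
    """Name the crypt(3) scheme from the $id$ prefix, or report a locked account."""
    if h == "":
        return "empty (no password required)"
    if h.startswith(("*", "!")):
        return "locked"
    prefixes = {
        "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
        "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
    }
    for prefix, name in prefixes.items():
        if h.startswith(prefix):
            return name
    if "$" not in h and len(h) == 13:
        return "descrypt"  # traditional DES crypt: 13 chars, no prefix
    return "unknown"


# Schemes a defender should migrate away from (fast to crack or no password at all).
WEAK = {"md5crypt", "descrypt", "empty (no password required)"}


def audit(merged_lines):
    """Return [(user, scheme, is_weak)] for each unshadow-style line."""
    report = []
    for line in merged_lines:
        user, h = line.split(":")[:2]
        scheme = classify_hash(h)
        report.append((user, scheme, scheme in WEAK))
    return report


if __name__ == "__main__":
    for user, scheme, weak in audit(unshadow(PASSWD_LINES, SHADOW_LINES)):
        print(f"{user:10} {scheme:30} {'WEAK' if weak else 'ok'}")
```

Run on real files it needs root, exactly like unshadow, since /etc/shadow is unreadable otherwise. The report flags "legacy" because its $1$ (md5crypt) hash is the kind john loads and exhausts a wordlist against far faster than the sha512crypt hashes in the post's run.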
crack with john
Now this new file shall be cracked by john. For the wordlist we shall use the password list that ships with john on Kali Linux. It is located at the following path: /usr/share/john/password.lst
You can use your own password lists too.
# john --wordlist=/usr/share/john/password.lst ~/file_to_crack
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 2 password hashes with 2 different salts (sha512crypt [64/64])
chess            (happy)
guesses: 1  time: 0:00:00:21 DONE (Tue May 14 06:47:58 2013)  c/s: 300  trying: sss
Use the "--show" option to display all of the cracked passwords reliably
So in the above run john was able to crack the hash and get us the password "chess" for the user "happy". John succeeded only because the password "chess" was present in the password list; if it were not there, john would have failed.
Use the --show option to list all the cracked passwords.
# john --show ~/file_to_crack
happy:chess:1000:1001:,,,:/home/happy:/bin/bash

1 password hash cracked, 1 left
The 1 password hash that was left was that of the user root; no password in the provided wordlist could crack it.
The simpler way to crack passwords with john, without specifying a password list, is this:
# john ~/file_to_crack
According to the documentation:
This will try "single crack" mode first, then use a wordlist with rules, and finally go for "incremental" mode.
Check the documentation on MODES.
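Two facts above decide whether a default john run gets anywhere: the wordlist run only found "chess" because it was in password.lst, and the default run starts with single-crack mode, which builds its guesses from the account's own username and GECOS data. The defender's counterpart is to reject a new password that either mode would find quickly. The following added example (my code, not from John the Ripper or from this post) does that: a small constructed wordlist stands in for /usr/share/john/password.lst, the username-derived guesses are a deliberately minimal sketch of what single-crack mode tries, and the function names and the 12-character minimum are my assumptions.

```python
# Added example: reject passwords a wordlist run or single-crack mode would find.
import re

# Constructed stand-in for the wordlist; in practice load /usr/share/john/password.lst.
WORDLIST = {"123456", "password", "chess", "letmein", "qwerty"}


def single_mode_candidates(username, gecos=""):
    """Guesses built from account data, in the spirit of john's single-crack mode:
    the username and each GECOS word, lower-cased and also reversed."""
    tokens = {username}
    tokens.update(t for t in re.split(r"[,\s]+", gecos) if t)
    cands = set()
    for t in tokens:
        low = t.lower()
        cands.update({low, low[::-1]})
    return cands


def strip_decorations(pw):
    """Drop trailing digits/symbols and case, so 'Chess2013!' is judged as 'chess'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def check_password(pw, username, gecos="", wordlist=WORDLIST, min_len=12):
    """Return the reasons a proposed password is weak; an empty list means it passed."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = strip_decorations(pw)
    if pw.lower() in wordlist or core in wordlist:
        reasons.append("found in the wordlist (a dictionary run would crack it)")
    if core and core in single_mode_candidates(username, gecos):
        reasons.append("derived from the username or GECOS field (single-crack mode would crack it)")
    return reasons


if __name__ == "__main__":
    # "chess" for user "happy" with GECOS ",,," mirrors the account created in the post.
    for pw in ("chess", "Happy2013!", "correct horse battery staple"):
        verdict = check_password(pw, "happy", ",,,")
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The same idea is what pam_pwquality's dictionary and user-name checks do at password-change time; running it with the real password.lst as the wordlist turns the post's cracking run into a pre-emptive test.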