Monday, December 5, 2011

Password cracking with John the Ripper on Linux

SkyHi @ Monday, December 05, 2011

1. Introduction

For those of you who haven't yet heard about John the Ripper (hereby called John for brevity), it is a free password cracking tool written mostly in C. Before going any further, we must tell you that although we trust our readers, we do not encourage or condone any malicious activities that may be performed using this tool or any other tools we talked about in the past. Security-related tools are often like a double-edged sword, in that they can be used for good but also for bad things. So although it might sound tempting, we recommend you to refrain from any damaging activities, if for nothing else, just because you have great chances to land in a jail cell.Password cracking with John the Ripper on LinuxThis article will deal with John from a system administrator's perspective, so we expect you to have intermediate knowledge about your Linux system, whatever distribution that may be, and that you are a security-conscious person with basic security knowledge. However, this article might appeal to you also if you are a home user wanting to learn about these kind of things, but be warned: some of the commands presented below will ask a great deal of your CPU time, so maybe it would be better if you had a test machine and/or lots of time and patience, because password cracking attempts may take days, even on a relatively new machine. As usual please refer to our new Linux Forum for additional help or information.

2. Installing John

Although, at least on the distributions we tried, the package in named simply "john" with Gentoo making an exception and naming it "johntheripper", we will make it easy for you and show you how to install it on several known distributions.

2.1. Debian

Debian differs from other distributions that offer John in their repositories because it offers a nice manual page, although upstream doesn't have one. To install, simply type
# aptitude install john 

2.2. Fedora

On Fedora, it's also as simple as doing
# yum install john 

2.3. Arch Linux

# pacman -S john 

2.4. OpenSuse Linux

# zypper install john

2.5. Gentoo

As we said, Gentoo's package is named differently from what others offer, so here you will have to run
# emerge johntheripper

2.6. Slackware

Although there doesn't seem to be a john package in the official repositories, there is a slackbuild that gets John installed on your system (this was tested on Slackware 13.37).
Although we gave you just a few examples on how you can get John on your Linux system, many of the examples presented will run if you have other OS installed: besides source code, the project offers the program for BeOS, Microsoft Windows, Solaris or MacOS X. But for our article, as the title says, we tested the examples on Linux.

3. Using John the Ripper

You need not worry about cryptic configuration files, as John is ready to use with the appropriate command-line flags with no other effort on your part. One word of warning, though: as you already noticed, we tell our readers when they should use root privileges and when they shouldn't. Except when noted, you are strongly recommended to use your normal everyday user (or another, if you prefer, but it shouldn't have super user rights). On my Debian system, John is available as /usr/sbin/john, so if you don't find it we recommend you use whereis and type the whole path when running john unprivileged (or you can simply create an alias).
The simplest way to get your feet wet is to type
$ /usr/sbin/john --test 
for doing some tests and benchmarks on John's capabilities. If you have no idea what Kerberos, MD5, DES or Blowfish are, we recommend you start reading some basic security books, because, like we said before, you need some security/administration background. Now, let's create a text file in password format (:) with a valid hash, of course, and get John to work. You can simply copy a user from /etc/shadow, but we recommend something simpler, because we presume you want to see the results as fast as you can. So create a file named password.txt somewhere inside your /home and put this in it:
myuser:AZl.zWwxIh15Q
Save the file, then simply feed it to John with no arguments (for now):
$ /usr/sbin/john password.txt 
We must repeat our warning: password cracking is a CPU-intensive and long process, so depending on your system, that might take quite a while. However, this also depends on what you want to achieve, because if your powerful CPU has been crunching at the password(s) for days with no outcome, it's only safe to say that it's a good password. But if the password is really critical, leave the system until John finishes its' work to make sure everything is alright. Like we said before, this could take many days.
Now, if you have a powerful box with the sole purpose of testing passwords, which is always a good thing given the means, you can try your real-life passwords with John. One way is to use /etc/shadow directly, but we recommend you take a somewhat different course. Note that this applies to systems using shadow passwords, and all the modern Linux distributions do. John offers a nifty utility called unshadow, which we will use to create a file from our passwd and shadow files:
# unshadow /etc/passwd /etc/shadow > mypasswd.txt 
Now make sure that mypasswd.txt is available to your normal user and do
$ /usr/sbin/john mypasswd.txt 
John will try single crack mode first, then wordlist mode, then incremental. In John's terms, a mode is a method it uses to crack passwords. As you know, there are many kinds of attacks: dictionary attacks, brute force attacks, and so on. Well, this is roughly what John's modes are. As some of you might have realized, wordlist mode is basically a dictionary attack. Besides these three modes enumerated above, John also supports another one called external mode. You can select what mode to use with, for example, --single, --external and so on. We recommend you check out the documentation over at openwall.com for a good but brief description of every mode. But of course we will tell you, in short, what every mode does.
John the Ripper's documentation recommends starting with single crack mode, mostly because it's faster and even faster if you use multiple password files at a time. Incremental mode is the most powerful mode available, as it will try various combinations when cracking, and you can choose what kind of mode (mode applied to the incremental option) to use, including your own. External mode, as the name implies, will use custom functions that you write yourself, while wordlist mode takes a word list specified as an argument to the option (it can be a file with a list of words written one per line, or stdin) and tries a simple dictionary attack on passwords.
If John is succesful in cracking one of the passwords, it will write to ~/.john/john.pot. However, that file isn't human-readable, so you can read cracked passwords with
$ /usr/sbin/john --show mypasswd.txt
To check if the root password got cracked, filter by UID:
$ /usr/sbin/john --show --users=0 mypasswd.txt
Of course, John knows about wildcards and multiple files:
$ /usr/sbin/john --show --users=0 *passwd*
Just as you can filter by user, you can also filter by group, by using the --groups flag, and that filtering is available also when cracking. Going further to wordlist mode, here's how you can use it with the built-in mangling rules enabled:
$ /usr/sbin/john --wordlist=passwd.lst --rules passwd.txt
John also allows you to create multiple named sessions, which is practical, because since John can take lots of time to complete a task, you can later view all sessions running to decide which one to kill. The option for named sessions is --session=taskname and you can use --status or --status=taskname to see all or certain sessions. But there's more: you can restore sessions or particular ones by name using --restore or --restore=taskname. A few examples:
$ /usr/sbin/john --session=allrules --wordlist=all.lst --rules mypasswd.txt
 $ /usr/sbin/john --status=allrules
 $ ps aux | grep john #get the PID of the john session you want to kill
 $ kill HUP $PID_of_john_session_to_kill
 $ /usr/sbin/john --restore=allrules
Here's some examples of using incremental mode with John:
$ /usr/sbin/john --incremental mypasswd.txt
 $ /usr/sbin/john --incremental=alpha mypasswd.txt
Of course, this isn't a replacement of John's documentation. Although, as we said, it doesn't offer a manual page, you will find lots of documentation on its' page, as well as a useful wiki. For example, you will notice that even if you're running John on a multiprocessor machine, it will use only one core, usually the first. You can address this problem by reading the documentation and following the instructions there.

4. Conclusion

We feel that it might be best we end this article with a little word on ethics. Although it very well might not be your case, there are those few who've seen Hackers too many times and think of cracking (as opposed to hacking) as a cool activity. We only suggest you try and use your knowledge for good, not for something that has 99.8% of failing and getting you a nice criminal record. Have fun.

REFERENCES