Weak passwords are the most common threats to the Information Security. Many users, still, are using the weak passwords which contains their first or last name, DOB, mobile number, father’s/mother’s maiden name, birth place, crush name, so and so. In this fast-faced technology world, it is such a worst idea to have these kind of silly and weak passwords.
As we all know, “the passwords should be easy to remember, but hard to guess”. The strong password should consists of;
- At-least 12 or more characters,
- Upper/lower characters,
- Numeric characters,
- Special characters etc.
Also, it is very very bad idea to have the same password for multiple accounts.
But, how do we know the passwords are really strong? Is there any programs or tools to test the strength of the passwords? Indeed, Yes!! Here is where John the Ripper comes in handy. Using this tool, we can easily check the strength of the passwords. John the Ripper will break or crack the simple passwords in minutes, whereas it will take several hours or even days for the complex passwords.
About John the Ripper
John the Ripper is a fast password cracker that can be used to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. It is currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS.
Install John the Ripper In Linux
John the Ripper is available in the default repositories of the most modern Linux distributions. So, we can easily install it with ‘root’ privileges as shown below depending upon your distribution type.
On DEB based systems, Ex. Ubuntu:
apt-get install john
On RPM based systems, Ex.CentOS:
yum install epel-release yum install john
zypper install john
On Arch Linux:
pacman -S john
John the Ripper’s usage is quite simple. You don’t have to use any special cryptographic methods or don’t have to memorize lot of commands to find and break a weak password.
Before Using John tool, It is recommended to check John the Ripper’s efficiency and capabilities.To do this, run:
Benchmarking: descrypt, traditional crypt(3) [DES 128/128 SSE2-16]... DONE Many salts: 3144K c/s real, 3150K c/s virtual Only one salt: 3005K c/s real, 3011K c/s virtual Benchmarking: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 128/128 SSE2-16]... DONE Many salts: 102809 c/s real, 102809 c/s virtual Only one salt: 100352 c/s real, 100553 c/s virtual Benchmarking: md5crypt [MD5 32/64 X2]... DONE Raw: 8897 c/s real, 8915 c/s virtual Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE Raw: 566 c/s real, 567 c/s virtual Benchmarking: LM [DES 128/128 SSE2-16]... DONE Raw: 41587K c/s real, 41670K c/s virtual Benchmarking: AFS, Kerberos AFS [DES 48/64 4K]... DONE Short: 292147 c/s real, 292732 c/s virtual Long: 936089 c/s real, 936089 c/s virtual Benchmarking: tripcode [DES 128/128 SSE2-16]... DONE Raw: 2770K c/s real, 2770K c/s virtual Benchmarking: dummy [N/A]... DONE Raw: 50894K c/s real, 50996K c/s virtual Benchmarking: crypt, generic crypt(3) [?/64]... DONE Many salts: 240480 c/s real, 240480 c/s virtual Only one salt: 238982 c/s real, 239461 c/s virtual
As you in the above output, this will give the insights about how many username/password combinations per second (c/s) your system will theoretically run for each password hash encryption type.
Well, now, I will show you how to break a simple, weak password.
Let me create a ‘test’ user.
sudo useradd test
Set password to the ‘test’ account:
sudo passwd test
Here, I set the password to the ‘test’ user account as ‘test’, i.e the user name and password are both ‘test’.
There are two ways to break the password.
First, create a text file called ‘recoverpassword.txt‘ in any location.
Then, list the /etc/shadow file contents to find the password entry to the ‘test’ user.
sudo cat /etc/shadow
root:!:16384:0:99999:7::: daemon:*:16273:0:99999:7::: bin:*:16273:0:99999:7::: sys:*:16273:0:99999:7::: sync:*:16273:0:99999:7::: games:*:16273:0:99999:7::: man:*:16273:0:99999:7::: lp:*:16273:0:99999:7::: mail:*:16273:0:99999:7::: news:*:16273:0:99999:7::: uucp:*:16273:0:99999:7::: proxy:*:16273:0:99999:7::: www-data:*:16273:0:99999:7::: backup:*:16273:0:99999:7::: list:*:16273:0:99999:7::: irc:*:16273:0:99999:7::: gnats:*:16273:0:99999:7::: nobody:*:16273:0:99999:7::: libuuid:!:16273:0:99999:7::: syslog:*:16273:0:99999:7::: messagebus:*:16273:0:99999:7::: usbmux:*:16273:0:99999:7::: dnsmasq:*:16273:0:99999:7::: ntp:*:16273:0:99999:7::: whoopsie:*:16273:0:99999:7::: lightdm:*:16273:0:99999:7::: sk:$6$9LCW3/tG$uJqyynHfU454yhu5eF3dpUTiZg0cAm7NGJbzV/BsLIsmKACE5wWQgQuUAVHlMGNBzZK5mOV9b3Yt2I5KDJbsG.:16384:0:99999:7::: sshd:*:16385:0:99999:7::: saned:*:16398:0:99999:7::: test:$6$/SjwqqdA$y2VzePBBBiwNpL5D5dSEShqHkk9sT3xpMtz1/wJSsyEV3hYlXveLhs.h8Yh72Pr1dz6iMNprRfrQ1aQOPU05E/:16518:0:99999:7:::
Scroll down to the end. There you’ll find the entry for the ‘test’ user something like below.
[...] test:$6$/SjwqqdA$y2VzePBBBiwNpL5D5dSEShqHkk9sT3xpMtz1/wJSsyEV3hYlXveLhs.h8Yh72Pr1dz6iMNprRfrQ1aQOPU05E/:16518:0:99999:7::: [...]
Copy the above line and paste it into the recoverpassword.txt file.
Paste the ‘test’ entry from the /etc/shadow file.
Save and close the file.
Now, let us start to break the password using command:
Loaded 1 password hash (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status test (test) 1g 0:00:00:00 100% 1/3 1.562g/s 150.0p/s 150.0c/s 150.0C/s test..t99999! Use the "--show" option to display all of the cracked passwords reliably Session completed
Hurray! As you see above, the password for ‘test’ user has been cracked.
Important: Be mindful that this process will take several minutes, or even days to break a complex password.
Let us take another example. I am going to change the password of the ‘test’ user and see whether the John the Ripper would crack the password.
Let us set different password and try to break the password of ‘test’ user.
Change the ‘test’ user password using command:
sudo passwd test
Enter the new password twice, for example I am going to use the password as ‘welcome’.
Now, list out the /etc/shadow file contents. Then, copy the ‘test’ user entry to the recoverpassword.txt file as shown above.
Now, run the following command:
Loaded 1 password hash (crypt, generic crypt(3) [?/64]) Press 'q' or Ctrl-C to abort, almost any other key for status welcome (test) 1g 0:00:00:15 100% 2/3 0.06591g/s 205.1p/s 205.1c/s 205.1C/s piglet..knight Use the "--show" option to display all of the cracked passwords reliably Session completed
As you see, the password for ‘test’ user has been displayed. This process could take only a few minutes, because we’re breaking the very simple password. In case of complex passwords, this take several hours or days. So be prepared accordingly.
To view the cracked passwords, run:
john --show revoverpassword.txt
test:welcome:16518:0:99999:7::: 1 password hash cracked, 0 left
This is somewhat similar to method 1.
Create a new text, for example recoverpassword.txt in any location.
Then, append the contents of /etc/passwd and /etc/shadow files using John the Ripper’s effective utility called ‘unshadow’ .
unshadow /etc/passwd /etc/shadow > recoverpassword.txt
Now, run the following commands to crack the passwords.
Now, you can view the cracked passwords using command:
john --show recoverpassword.txt
Just think what if a hacker could get the /etc/passwd and /etc/shadow files of your Linux server? This could lead you to worst nightmare if your system got compromised by hackers using the passwd and shadow files that he/she has. That’s why we need to audit the passwords regularly and must set a strong password to our system.
To know more examples, refer the following link.
John the Ripper’s Cracking Modes
John the Ripper combines several cracking modes in one program and is fully configurable for your particular needs.
- Wordlist mode
- Single Crack mode
- Incremental mode
- External mode
1. Wordlist mode
It is the Simplest mode supported by John the Ripper. In this mode, you have to specify a wordlist ( i.e a text file containing one word per line) and some password files.
john --wordlist=mywordlist.lst --rules recoverpassword.txt
Be mindful that the wordlist should not contain any duplicate entries.
2. Single Crack mode
It is the recommended and fastest mode of all. You can even make the cracking process much faster by specifying multiple password files. John the Ripper will start to crack the passwords first using this mode.
3. Incremental mode
In this mode, John the Ripper will try with multiple combination of words to crack the passwords. It is the most powerful of all modes.
john --incremental recoverpassword.txt
4. External mode
In this mode, you have to create a configuration file section called [List.External:MODE], where MODE is any name that you assign to the mode. The section should contain some functions programmed in a subset of the C language. John will compile and use the functions if you enable this cracking mode via the command line.
For more details about the John the Ripper’s modes can be found here.
What we have seen so far is how to test the strength of the passwords using John the Ripper command line utility. You can come to a conclusion if this tool cracks your passwords in minutes, then it will definitely be a weak password. If it took long time, then you, somewhat, have a strong password and you’re safe. I suggest you to periodically audit and change the passwords.
I sincerely recommend you to use this tool for a good cause. Please don’t attempt to break or steal passwords of others using this tool.