# Cracking Passwords with John ## **Cracking Passwords with John the Ripper** ### **Introduction** John the Ripper (often referred to simply as "John") is one of the most popular password-cracking tools in the cybersecurity field. It is designed to crack password hashes using several algorithms and cracking methods such as dictionary-based attacks, brute force, and hybrid attacks. John supports a wide range of hash types, including DES, MD5, SHA-1, and more. In this tutorial, we'll show you how to use John the Ripper to crack password hashes extracted from the `/etc/passwd` and `/etc/shadow` files, which are commonly found on Unix-based systems. ### **Prerequisites** Before proceeding with cracking passwords using John the Ripper, ensure you have the following: * Access to a system where John the Ripper is installed. * The `/etc/passwd` and `/etc/shadow` files (you need root or sudo access to retrieve these files). * A basic understanding of password hashes and how they are stored in the `/etc/passwd` and `/etc/shadow` files. If you don't have John the Ripper installed, you can install it using the following commands (depending on your operating system): #### **Install John the Ripper on Ubuntu/Debian** ```bash sudo apt update sudo apt install john ``` ### **Understanding /etc/passwd and /etc/shadow Files** The `/etc/passwd` file contains user account information such as the username, user ID, group ID, home directory, and login shell. It is a plain-text file that typically includes a hash of the user's password. However, starting with modern Linux systems, the password hash is often stored in the `/etc/shadow` file for security reasons. Here is an example entry from `/etc/passwd`: ``` username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:1001:1001::/home/username:/bin/bash ``` The part following the first colon (`:`) is the password hash, which will be cracked. The `/etc/shadow` file stores the hashed passwords securely and is only readable by the root user. An example line in `/etc/shadow` might look like this: ``` username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:18129:0:99999:7::: ``` ### **Step 1: Extract the Password Hashes** To crack the passwords, we need to extract the hashes from the `/etc/passwd` and `/etc/shadow` files. If you're working with a local system, you can retrieve these files directly. For this example, we will assume you have both files on your local machine. 1. **Extract `/etc/passwd`**: You can view the `/etc/passwd` file with the following command: ```bash cat /etc/passwd ``` 2. **Extract `/etc/shadow`**: You can view the `/etc/shadow` file with the following command (this requires root access): ```bash sudo cat /etc/shadow ``` For John to work with these files, we need to prepare them in a format that John can process. Fortunately, John the Ripper can handle the hash formats directly, but we need to combine them for cracking. ### **Step 2: Prepare the Files for John** John the Ripper requires the hashes to be combined into a single file for cracking. To do this, we will use the `unshadow` tool, which is included with John the Ripper. Use the following command to combine `/etc/passwd` and `/etc/shadow` into a single file: ```bash sudo unshadow /etc/passwd /etc/shadow > hashes.txt ``` The `hashes.txt` file will now contain all the password hashes from both files. ### **Step 3: Cracking the Password Hashes** Now that we have our hashes, we can use John to crack them. To start the cracking process, run the following command: ```bash john hashes.txt ``` John will attempt to crack the hashes using its default wordlist (`/usr/share/john/password.lst`) or any custom wordlist you provide. To use a custom wordlist, specify the path to your wordlist file like so: ```bash john --wordlist=/path/to/wordlist.txt hashes.txt ``` You can also use other cracking methods, such as brute-force attacks, by adding flags for different attack types. For example: ```bash john --incremental hashes.txt ``` This method will try all possible character combinations for cracking the password, but it will take longer. ### **Step 4: View the Cracked Passwords** Once John the Ripper has finished cracking the hashes, you can view the results with the following command: ```bash john --show hashes.txt ``` This will display the cracked passwords for each user, if the password was successfully cracked. #### **Example Output:** ```bash username:password123 ``` If John was unable to crack a hash, it will be indicated in the output. ### **Advanced Cracking Methods** John the Ripper also supports several advanced features, such as: * **Rainbow Tables**: Using precomputed hash tables to speed up the cracking process. * **Custom Wordlists**: Providing your own list of passwords (e.g., from leaks or common password patterns). * **Hybrid Attacks**: Combining dictionary and brute-force attacks to create powerful cracking methods. Refer to the John the Ripper documentation for more advanced usage scenarios. ### **Conclusion** John the Ripper is a versatile and powerful tool for cracking password hashes. In this tutorial, we demonstrated how to crack password hashes from the `/etc/passwd` and `/etc/shadow` files using the `unshadow` tool and the John the Ripper cracking engine. With the right wordlists and cracking strategies, John can help uncover weak or easily guessable passwords, which is a critical step in securing systems and applications. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://zero-day-archives.gitbook.io/zero-day-archives/password-attacks-1/password-attacks/john-the-ripper/cracking-passwords-with-john.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.