Cracking Passwords with John the Ripper
Introduction
John the Ripper (usually just "John") is one of the most widely used password crackers in the security field. It takes a file of password hashes and recovers the plaintexts by guessing: its built-in cracking modes are single crack (guesses derived from the account's own name and GECOS data), wordlist mode with word-mangling rules, and incremental mode (brute force ordered by statistical likelihood); the Jumbo build adds mask and hybrid modes. The core release understands the classic Unix crypt(3) schemes (DES-based crypt, md5crypt, bcrypt) plus Windows LM hashes, and Jumbo extends that to several hundred formats, including raw MD5, SHA-1 and SHA-2, sha256crypt/sha512crypt, NTLM and many archive and document formats.
In this tutorial we show how to use John the Ripper to crack the password hashes stored in the /etc/passwd and /etc/shadow files of Linux and other Unix-like systems.
Prerequisites
Before you start, make sure you have:
Access to a system where John the Ripper is installed.
Copies of the target's /etc/passwd and /etc/shadow files. Reading /etc/shadow requires root (or sudo) on the system it comes from.
A basic understanding of how password hashes are stored in /etc/passwd and /etc/shadow (covered in the next section).
If John the Ripper is not installed, install it with your package manager. On Ubuntu/Debian:
sudo apt update
sudo apt install john
Note that the distribution package may be an older or non-Jumbo build with fewer hash formats and no mask or hybrid modes; if you need those, build the current Jumbo release from the openwall/john repository on GitHub.
Understanding /etc/passwd and /etc/shadow Files
The /etc/passwd file holds one line per account with seven colon-separated fields: login name, password field, numeric user ID, numeric group ID, GECOS (comment) field, home directory and login shell. It is world-readable because every program that maps UIDs to names needs it. Historically the password field carried the hash itself; on any modern system it contains only an "x", and the real hash lives in /etc/shadow, which only root can read.
Here is an example entry from /etc/passwd:
username:x:1001:1001::/home/username:/bin/bash
The x in the second field marks a shadowed password; the GECOS field is empty here. If you ever see a $...$ hash in this field instead, the system is not using shadow passwords and every local user can read the hash.
The /etc/shadow file holds the hashed passwords together with the password-aging data and is readable only by root (on Debian-style systems, root and the shadow group). A line looks like this:
username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:18129:0:99999:7:::
The second field is the hash in crypt(3) format: $6$ selects sha512crypt, WqOHLu6B is the salt, and the rest is the hash. Other prefixes you will meet are $1$ (md5crypt), $5$ (sha256crypt), $2b$ (bcrypt) and, as the default on recent Debian and Ubuntu releases, $y$ (yescrypt). The remaining fields are the day of the last password change (18129 days since 1970-01-01), the minimum (0) and maximum (99999) days between changes, the warning period (7 days), and the empty inactivity, expiry and reserved fields. A second field that is * or starts with ! belongs to a locked or system account and contains nothing for John to crack.
Step 1: Extract the Password Hashes
To crack the passwords we need both files. On a local system you can read /etc/passwd directly and /etc/shadow as root:
cat /etc/passwd
sudo cat /etc/shadow
If the files come from another machine (a disk image, a backup, or a host compromised during an engagement), copy both to the cracking box: /etc/shadow carries the hashes, and /etc/passwd carries the account metadata that John's single-crack mode turns into guesses. Do not loosen the permissions of /etc/shadow on a live system to get at it; copy it as root instead. John reads the crypt(3) hash format directly, so no conversion is needed, but the two files have to be merged first.
Step 2: Prepare the Files for John
The unshadow tool shipped with John joins the two files on the login name, replacing the x in /etc/passwd with the hash from /etc/shadow, so that each line carries both the hash and the GECOS, home-directory and shell fields that single-crack mode mines for guesses.
Use the following command to combine /etc/passwd and /etc/shadow into a single file:
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
hashes.txt now contains one line per account. Accounts whose shadow field is * or begins with ! are copied through unchanged and John simply skips them. Treat hashes.txt as every bit as sensitive as /etc/shadow, and delete it when you are done.
Step 3: Cracking the Password Hashes
With the hashes prepared, start John:
john hashes.txt
With no options John runs its three default modes in order: single crack (guesses built from each account's login name and GECOS fields, with mangling rules applied), then a wordlist run over its bundled password.lst (installed at /usr/share/john/password.lst by the Debian/Ubuntu package), then incremental mode. It detects the hash type from the $6$ prefix; if it guesses wrong or the file mixes several types, pin it with --format (sha512crypt in Jumbo builds, or crypt to go through the system's crypt(3) library, which is also how yescrypt hashes are handled, at a much lower speed). Press any key while John runs to see its progress. sha512crypt's default of 5000 rounds makes every guess expensive, so keep hashes.txt to the accounts you actually need and prefer good wordlists over brute force.
To use a custom wordlist, give its path:
john --wordlist=/path/to/wordlist.txt hashes.txt
Add --rules to that command to apply John's word-mangling rules (case changes, appended digits and years, leetspeak substitutions) to every entry; this is usually the single most productive option. Brute force is incremental mode:
john --incremental hashes.txt
It tries character combinations in order of statistical likelihood and will not finish in practice against a slow hash like sha512crypt; interrupt it with Ctrl-C and resume the same session later with john --restore.
Step 4: View the Cracked Passwords
John records every cracked password in its pot file (~/.john/john.pot) the moment it is found, so you can query the results at any time, even while another John process is still running:
john --show hashes.txt
This prints each cracked account in passwd layout with the hash replaced by the recovered password, followed by a count of how many hashes were cracked and how many remain.
Example Output:
username:password123:1001:1001::/home/username:/bin/bash
Accounts that were not cracked are omitted from the listing; the trailing "cracked ... left" count is how you see that some remain.
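The triage below is an added example and not code from the original tutorial or from the John the Ripper project. It serves the file-format section, Step 2 and the format-selection advice in Step 3: it reproduces what unshadow does (a join of the two files on the login name) in a few lines of awk, and classifies each shadow entry by the $id$ prefix of its hash field so you know which accounts are actually crackable and which --format John will need. All sample data is constructed for illustration; apart from the tutorial's own sha512crypt line, the hash values are placeholders, not hashes from any real system.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): pre-cracking triage of
# /etc/passwd and /etc/shadow. Sample data is constructed; the placeholder
# hashes only have the shape of real ones.

set -u

# Map a shadow password field to the crypt(3) scheme named by its prefix.
# "!" or "*" marks a locked / no-login account and an empty field means no
# password at all; neither is worth feeding to John.
hash_algo() {
    case "$1" in
        '')                        echo empty ;;
        '!'*|'*'*)                 echo locked ;;
        '$1$'*)                    echo md5crypt ;;
        '$5$'*)                    echo sha256crypt ;;
        '$6$'*)                    echo sha512crypt ;;
        '$y$'*)                    echo yescrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo bcrypt ;;
        *)                         echo unknown ;;
    esac
}

# Minimal re-implementation of unshadow: for every passwd line whose login
# name has a shadow entry, replace the "x" in field 2 with the shadow hash.
# Arguments: <passwd file> <shadow file>. Output goes to stdout.
unshadow_lite() {
    awk -F: 'BEGIN { OFS = ":" }
        NR == FNR { hash[$1] = $2; next }   # first pass: the shadow file
        ($1 in hash) { $2 = hash[$1] }      # second pass: passwd lines
        { print }' "$2" "$1"
}

# Print "user:scheme" for every line of a shadow file.
triage_shadow() {
    while IFS=: read -r user hash rest; do
        printf '%s:%s\n' "$user" "$(hash_algo "$hash")"
    done < "$1"
}

# Print only the login names that carry a hash John can attack.
crackable_users() {
    while IFS=: read -r user hash rest; do
        case "$(hash_algo "$hash")" in
            empty|locked|unknown) ;;
            *) printf '%s\n' "$user" ;;
        esac
    done < "$1"
}

# Write constructed sample files into the directory given as $1. Only
# "username" carries the hash shown in the tutorial; the other hash values
# are placeholder strings shaped like the real prefixes.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
username:x:1001:1001::/home/username:/bin/bash
alice:x:1002:1002:Alice Example:/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:1004:1004::/var/lib/svc:/usr/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$CONSTRUC$placeholdermd5cryptNOTREAL:18129:0:99999:7:::
username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:18129:0:99999:7:::
alice:$y$j9T$CONSTRUCTEDSALT$placeholderyescryptNOTREAL:19000:0:99999:7:::
bob:!$6$CONSTRUC$placeholderlockedNOTREAL:19000:0:99999:7:::
daemon:*:18129:0:99999:7:::
svc::19000:0:99999:7:::
EOF
}

# Stand-alone demo: build the samples in a temp dir, show the triage and
# the unshadow-style output, then clean up.
demo() {
    local dir
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "# hash scheme per account"
    triage_shadow "$dir/shadow"
    echo "# accounts worth cracking"
    crackable_users "$dir/shadow"
    echo "# hashes.txt as unshadow would produce it"
    unshadow_lite "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

Run it as-is to see the triage on the constructed samples, or point triage_shadow at a copy of a real shadow file before you start John. The scheme column tells you what you are up against: a fleet of $y$ (yescrypt) accounts can only be cracked through John's crypt format, which calls the system libcrypt and is far slower than the native sha512crypt code, so budget the cracking time accordingly, and the locked and empty entries tell you which accounts to leave out of hashes.txt (an empty field is a finding in its own right, since that account logs in with no password at all).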
Advanced Cracking Methods
John the Ripper is not a rainbow-table tool: it computes every candidate hash on the fly, and the salted crypt(3) hashes in /etc/shadow make precomputed tables useless anyway. What it does offer beyond the basics:
Rules: --rules applies the word-mangling rules from john.conf to every wordlist entry, and you can add your own rule sections to the config to capture a target's password habits.
Custom Wordlists: your own lists built from breach corpora, the target organisation's vocabulary (product names, locations, years) or passwords cracked earlier in the engagement.
Mask and Hybrid Attacks (Jumbo builds): --mask describes the structure of the password, for example one capital, four lowercase letters and two digits, and combining --wordlist with a mask that contains the ?w placeholder appends or prepends the mask pattern to each dictionary word, which is how John combines dictionary and brute-force guessing.
Parallelism: --fork=N (Jumbo) splits the work across N processes, and OpenMP builds use all cores within a single process.
Sessions: --session=NAME names a run and --restore=NAME resumes it after an interruption, so long cracking jobs survive reboots.
Refer to the John the Ripper documentation (the doc/ directory shipped with the distribution) for the full option list and the rule syntax.
Conclusion
John the Ripper is a versatile and powerful tool for cracking password hashes. In this tutorial we combined /etc/passwd and /etc/shadow with unshadow, ran John's default, wordlist and incremental modes against the result, and read the cracked passwords back with --show. With the right wordlists and rules, John quickly exposes weak or guessable passwords; every hit is a finding to fix with a stronger password policy, and a file full of md5crypt or low-round hashes is a reason to migrate the system to sha512crypt or yescrypt.