
Cracking Passwords with John

Cracking Passwords with John the Ripper

Introduction

John the Ripper (often referred to simply as "John") is one of the most popular password-cracking tools in the cybersecurity field. It is designed to crack password hashes using several algorithms and cracking methods such as dictionary-based attacks, brute force, and hybrid attacks. John supports a wide range of hash types, including DES, MD5, SHA-1, and more.

In this tutorial, we'll show you how to use John the Ripper to crack password hashes extracted from the /etc/passwd and /etc/shadow files, which are commonly found on Unix-based systems.

Prerequisites

Before proceeding with cracking passwords using John the Ripper, ensure you have the following:

  • Access to a system where John the Ripper is installed.

  • The /etc/passwd and /etc/shadow files (you need root or sudo access to retrieve these files).

  • A basic understanding of password hashes and how they are stored in the /etc/passwd and /etc/shadow files.

If you don't have John the Ripper installed, you can install it using the following commands (depending on your operating system):

Install John the Ripper on Ubuntu/Debian

sudo apt update
sudo apt install john

Understanding /etc/passwd and /etc/shadow Files

The /etc/passwd file contains user account information such as the username, user ID, group ID, home directory, and login shell. It is a plain-text file that typically includes a hash of the user's password. On modern Linux systems, however, the password hash is usually kept in the /etc/shadow file instead, for security reasons.

Here is an example entry from /etc/passwd:

username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:1001:1001::/home/username:/bin/bash

The field after the first colon (:) is the password hash, which is what John will crack.

The /etc/shadow file stores the hashed passwords securely and is only readable by the root user. An example line in /etc/shadow might look like this:

username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:18129:0:99999:7:::

Step 1: Extract the Password Hashes

To crack the passwords, we need to extract the hashes from the /etc/passwd and /etc/shadow files. If you're working with a local system, you can retrieve these files directly. For this example, we will assume you have both files on your local machine.

  1. Extract /etc/passwd: You can view the /etc/passwd file with the following command:

    cat /etc/passwd
  2. Extract /etc/shadow: You can view the /etc/shadow file with the following command (this requires root access):

    sudo cat /etc/shadow

John can read these hash formats directly, but the two files first need to be combined into a single file so that each hash is paired with its username before cracking.

Step 2: Prepare the Files for John

John the Ripper requires the hashes to be combined into a single file for cracking. To do this, we will use the unshadow tool, which is included with John the Ripper.

Use the following command to combine /etc/passwd and /etc/shadow into a single file:

sudo unshadow /etc/passwd /etc/shadow > hashes.txt

The hashes.txt file will now contain all the password hashes from both files.
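The join that unshadow performs, together with the check a defender wants on top of it, as an added example (this is not code from the Zero Day Archives page or from the John the Ripper project): the script replaces the x placeholder in the passwd password field with the hash from shadow, exactly as unshadow does, and then labels each account by the $id$ prefix of its hash so that md5crypt, legacy DES, empty and unshadowed entries stand out. The sample passwd and shadow lines are constructed; the sha512crypt hash is the one shown on this page and the other hashes are placeholders, so only their prefixes are meaningful.

```shell
#!/bin/sh
# Added example; not from the Zero Day Archives page or the John the Ripper
# project. Reproduces the unshadow join in awk and then labels every account
# by the algorithm prefix of its hash, so weak or unshadowed entries stand out.

# classify_hash FIELD -> label for the password field of one account
classify_hash() {
    case "$1" in
        '')              echo "EMPTY (no password required)" ;;
        '!'*|'*'*)       echo "locked" ;;
        'x')             echo "shadowed (hash lives in /etc/shadow)" ;;
        '$1$'*)          echo "md5crypt (weak)" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$5$'*)          echo "sha256crypt" ;;
        '$6$'*)          echo "sha512crypt" ;;
        '$7$'*)          echo "scrypt" ;;
        '$y$'*)          echo "yescrypt" ;;
        *)               echo "unknown or legacy DES (weak)" ;;
    esac
}

# unshadow_join PASSWD SHADOW -> passwd lines with field 2 replaced by the
# matching shadow hash (the same output "unshadow passwd shadow" prints)
unshadow_join() {
    awk -F: 'BEGIN { OFS = ":" }
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # first file: shadow
        ($1 in hash) { $2 = hash[$1] } { print }' "$2" "$1"
}

# audit_accounts PASSWD SHADOW -> one "user label" line per account
audit_accounts() {
    unshadow_join "$1" "$2" | while IFS=: read -r user pw _rest; do
        printf '%s %s\n' "$user" "$(classify_hash "$pw")"
    done
}

# make_samples -> directory holding constructed passwd/shadow files. The
# sha512crypt hash is the one shown on the page; the others are placeholders.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
username:x:1001:1001::/home/username:/bin/bash
legacy:x:1002:1002::/home/legacy:/bin/sh
nopass:x:1003:1003::/home/nopass:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$y$j9T$placeholdersalt$placeholderhash:19000:0:99999:7:::
username:$6$WqOHLu6B$e8G5wzk7hT2oZbN4zyDdD3Fd.wkwrfTp52nxOxxHQWpY8AeHc/Bqh0XJ0sEPklhoFPJ70iXe0Cu.Lyg79TQmB/:18129:0:99999:7:::
legacy:$1$abcdefgh$placeholdermd5hash:17000:0:99999:7:::
nopass::17000:0:99999:7:::
EOF
    echo "$dir"
}

# Usage on the constructed samples; point it at /etc/passwd and /etc/shadow
# (as root) to audit a real host.
samples=$(make_samples)
audit_accounts "$samples/passwd" "$samples/shadow"
rm -rf "$samples"
```

On the samples the report marks username as sha512crypt, legacy as md5crypt (weak) and nopass as EMPTY; the same three labels are what an administrator should look for in a real shadow file before any cracking run, since an empty field or an md5crypt hash is a finding on its own.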

Step 3: Cracking the Password Hashes

Now that we have our hashes, we can use John to crack them. To start the cracking process, run the following command:

john hashes.txt

John will attempt to crack the hashes using its default wordlist (/usr/share/john/password.lst) or any custom wordlist you provide.

To use a custom wordlist, specify the path to your wordlist file like so:

john --wordlist=/path/to/wordlist.txt hashes.txt

You can also use other cracking methods, such as brute-force attacks, by adding flags for different attack types. For example:

john --incremental hashes.txt

This mode tries all possible character combinations, so it takes far longer than a wordlist run.

Step 4: View the Cracked Passwords

Once John the Ripper has finished cracking the hashes, you can view the results with the following command:

john --show hashes.txt

This displays the cracked password for each user whose hash was successfully cracked.

Example Output:

username:password123

If John was unable to crack a hash, the output will say so.
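The output of "john --show hashes.txt" is most useful once it is turned into a list of accounts that need a password reset. The script below is an added example (not code from the Zero Day Archives page or the John the Ripper project) and assumes that --show prints one "user:password:uid:gid:gecos:home:shell" line per cracked account, followed by a "N password hashes cracked, M left" summary line; the sample output it reads is constructed, with the first line matching the example above.

```shell
#!/bin/sh
# Added example; not from the Zero Day Archives page or the John the Ripper
# project. Turns the output of "john --show hashes.txt" into a reset list.
# Assumption: --show prints one "user:password:uid:gid:gecos:home:shell" line
# per cracked account and ends with a "N password hashes cracked, M left" line.

# cracked_accounts < show-output -> "user<TAB>password" for every cracked line
cracked_accounts() {
    awk -F: '/^[^:]+:[^:]*:[0-9]+:[0-9]+:/ { print $1 "\t" $2 }'
}

# crack_summary < show-output -> "cracked=N left=M" from the summary line
crack_summary() {
    awk '/password hash(es)? cracked,/ { printf "cracked=%s left=%s\n", $1, $5 }'
}

# reset_report MINLEN < show-output -> "user reason" per cracked account.
# Every cracked password is weak by definition; the reason just names the
# pattern that let John recover it, which is what the user needs to hear.
reset_report() {
    minlen=${1:-12}
    cracked_accounts | while IFS="$(printf '\t')" read -r user pw; do
        if [ "$pw" = "$user" ]; then
            reason="password equals username"
        elif [ "${#pw}" -lt "$minlen" ]; then
            reason="shorter than $minlen characters"
        else
            reason="recovered by wordlist or incremental mode"
        fi
        printf '%s %s\n' "$user" "$reason"
    done
}

# Constructed sample of --show output; the first line matches the page's example.
SAMPLE_SHOW_OUTPUT='username:password123:1001:1001::/home/username:/bin/bash
legacy:legacy:1002:1002::/home/legacy:/bin/sh
ops:correcthorsebatterystaple:1004:1004::/home/ops:/bin/sh

3 password hashes cracked, 1 left'

# Usage: pipe real output with  john --show hashes.txt | reset_report 12
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | reset_report 12
printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | crack_summary
```

The report never has to leave the cracked passwords on disk: reset_report consumes them in a pipe and prints only the username and the reason, which is all a reset ticket needs.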

Advanced Cracking Methods

John the Ripper also supports several advanced features, such as:

  • Rainbow Tables: Using precomputed hash tables to speed up the cracking process.

  • Custom Wordlists: Providing your own list of passwords (e.g., from leaks or common password patterns).

  • Hybrid Attacks: Combining dictionary and brute-force attacks to create powerful cracking methods.

Refer to the John the Ripper documentation for more advanced usage scenarios.

Conclusion

John the Ripper is a versatile and powerful tool for cracking password hashes. In this tutorial, we demonstrated how to crack password hashes from the /etc/passwd and /etc/shadow files using the unshadow tool and the John the Ripper cracking engine. With the right wordlists and cracking strategies, John can help uncover weak or easily guessable passwords, which is a critical step in securing systems and applications.


Last updated 2 months ago