
Hacking Tool Review: John the Ripper

  • Anne Shroble
  • Apr 7, 2016
  • 4 min read

John the Ripper wins the award for having the coolest name. John the Ripper, usually referred to simply as ‘John’, is a popular password-cracking pentesting tool that is most commonly used to perform dictionary attacks. John takes text string samples (from a text file, referred to as a ‘wordlist’, containing popular and complex words found in a dictionary or real passwords cracked before), encrypts each one in the same way as the password being cracked (including both the encryption algorithm and key), and compares the output to the encrypted string. The tool can also perform a variety of alterations to dictionary attacks.

Password policies can be a hassle unless you are a system administrator. I’ve been in a lot of workplaces which required me to have a good strong password, and complained all the way. Mostly because I could never remember the darn thing. Well, since taking this course for MITS, I understand why we must use strong, non-dictionary passwords or, better yet, passphrases.

In our class we tried using John the Ripper on the Ubuntu OS. Most of us didn’t get it to work, and now I’m determined to figure out why. Random password guesses result in account lockout after a limited number of incorrect attempts. This lockout triggers intruder detection alerts and notifies system administrators that something suspicious has happened. It’s then up to the administrator to investigate the matter. However, once the hacker (was it Harry N. Hacker?) gets past the administrative access, he can use powerful hacking devices and get into any user account. Usually a dictionary attack is used, but if this fails, out comes the brute force attack, which works on the password file a single character at a time. If the computer is powerful enough and enough time is allowed, the password can be cracked. The downfall to this is that if too much time is taken, a good system administrator will detect the intrusion and quickly change all passwords or codes, and Harry will have to go hack someplace else. (boo hoo, right?)

Harry has to acquire the password hash files from the system. Then he will use a regular expression attack with the name of the company, trying to find the code. For example, Bob’s home address is 123 Park Here. The hacker may try bobhomeparkhere. Using different characters, b0bh0m3p@rkh3r3 may work. If these attacks are unsuccessful, he will use John the Ripper, or John. John is downloadable from Openwall, and is used by hackers as well as system administrators.

John is a command-line utility that does not require admin or root privileges; however, one does need admin privileges to obtain password hash files. An administrator would run John in test mode to find out how effective it will be against the passwords on the system. The report gives how many username/password combinations per second (c/s) the system will theoretically run for each password hash encryption type.

This snip is a sample of a report which was run by John.

On Linux systems that use shadow passwords, issue the following command to create a combined password hash file from your system’s passwd and shadow files. At the $ prompt, type:

$ sudo unshadow /etc/passwd /etc/shadow > passfile.txt

The passfile contains username:encrypted password pairs that look like:

Once the hash file is created, direct John to launch one of several different “modes” against the password list, password.lst. The list contains more than 3000 commonly used passwords. The command should look like this:

The author states:

This dictionary-based attack took less than one second to extract the root password (admin ) and my user password (t-bone ) from the password hash file. The password dictionary file used is the standard password.lst file that is packaged with John, but many more exist. A skilled hacker will use a huge password dictionary file containing thousands of possible passwords or use more than one password dictionary file to attempt an easy grab before resorting to a brute force attack.

Must be nice. The second fastest mode is the single-crack mode, which uses a simple rules-based algorithm and a small word list. At the $ prompt, type {john -single passfile.txt}. Don’t use the brackets, though. You should see this:

And if all else fails, we have the brute force attack for the more complex passwords. These sub-modes allow you to specify which type of algorithms to use. The choices are: alpha – letters only; digits – numbers only; lanman – for letters, numbers, and some special characters; all – for all possible characters. Pressing the space bar shows the progress of the attack in elapsed time, c/s, and most recent combinations.

This example was given:

This shows the elapsed time of one day, ten hours, twenty-one minutes and twenty-three seconds. The passwords that John was trying to crack were root: Hoobastank, and khess: R@scal. So as we see, very strong passwords give the administrator time to make changes and avoid the attack. Passwords should be built as follows:

  • Contain at least 10 characters.
  • Use mixed-case letters.
  • Use numbers.
  • Use special characters.
  • Not use dictionary words unless they are part of a passphrase.

The author gives this example for a passphrase: Stopping.by.the.w00ds.on.@.snowy.even1ng . Yeah! Crack that!
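An administrator can enforce the rules above when a password is set, instead of waiting for a cracking run to expose weak ones. The following Python sketch is an added example, not code from the original post or from John; the sample wordlist is constructed, and the leetspeak table and the "four or more separated words make a passphrase" threshold are assumptions.

```python
import re

# Constructed sample deny-list; in practice, load a real wordlist such as
# the password.lst file packaged with John (one candidate per line).
SAMPLE_WORDLIST = {"admin", "password", "rascal", "hoobastank",
                   "bob", "home", "park", "here"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")

MIN_LENGTH = 10        # "Contain at least 10 characters"
PASSPHRASE_WORDS = 4   # assumption: 4+ separated words count as a passphrase


def built_from_words(text, wordlist):
    """True if text is one wordlist word or a concatenation of several."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in wordlist
                             for start in range(end))
    return bool(text) and reachable[-1]


def policy_violations(password, wordlist=SAMPLE_WORDLIST):
    """Return the rules from the list above that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("numbers")
    if not any(not c.isalnum() for c in password):
        problems.append("special characters")
    # Dictionary words are allowed only inside a passphrase.
    tokens = [t for t in re.split(r"[ ._-]+", password) if t]
    if len(tokens) < PASSPHRASE_WORDS:
        plain = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
        if built_from_words(plain, wordlist):
            problems.append("dictionary words")
    return problems


if __name__ == "__main__":
    for pw in ("Hoobastank", "R@scal", "b0bh0m3p@rkh3r3"):
        print(pw, "->", policy_violations(pw))
```

The check rejects character-swapped guesses such as b0bh0m3p@rkh3r3 because the substitutions are undone before the dictionary lookup, while the passphrase above passes every rule.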

So in conclusion, passwords may be crackable, but a really good administrator will detect this attack, and put an end to it, sending Harry home with his tail between his legs.

Glad you stopped by for another adventure in researching IT. Ya all come back now, ya hear?


 
 
 
