Cracking everything with John the Ripper
Bytes Bombs
Adam
Dec 23, 2017 · 5 min read

John the Ripper (“JtR”) is one of those indispensable tools. It’s a fast password
cracker, available for Windows and many flavours of Linux. It’s incredibly
versatile and can crack pretty well anything you throw at it.

So let’s test it out! It can be a bit overwhelming when JtR is first executed with all
of its command line options, but its level of customization is a testament to its
versatility.
john wasn’t detected in my $PATH, so I had to leverage the full path

When it comes to cracking passwords, there are three types of attacks:

1. Brute force: attempts to guess the password by sequentially working
through every possible letter, number, and special character combination.
This is a painfully slow process, but effective.

2. Dictionary: leverages a file containing lists of common passwords
(usually taken from a breach of some kind) to guess a given password. Can be
helpful in CTFs, but nowadays it can be difficult to apply this type of attack in
the real world.

3. Rainbow table: rainbow tables are a series of pre-computed hashes. The idea
is that these rainbow tables include all hashes for a given algorithm. So
instead of cracking the hash/password/etc., you perform a lookup of the hash
in the table. Do note that building such tables takes considerable processing power.

For this article, let’s perform a dictionary attack. To do that, first we need a
dictionary to attack with. The easiest to acquire is rockyou.txt. rockyou.txt is a set
of compromised passwords from the social media application developer RockYou.
Note: you can download rockyou.txt.gz from here, if you’re not using Kali Linux.
On Kali, unzip the rockyou.txt.gz file with the following commands:

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

wc -l /usr/share/wordlists/rockyou.txt

Now you need something to crack. How about Linux password hashes? To do this
we need two files: /etc/passwd and /etc/shadow.

According to Wikipedia: The /etc/passwd file is a text-based database of
information about users that may log into the system or other operating system user
identities that own running processes. The /etc/shadow is used to increase the
security level of passwords by restricting all but highly privileged users' access to
hashed password data. Typically, that data is kept in files owned by and accessible
only by the super user.

And as we will find out later, JtR requires whatever it wants to crack to be in a
specific format. To convert the passwd and shadow files, we need to leverage the
/usr/sbin/unshadow executable. This will require super user privileges to
perform.

sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > ~/passwords.txt

And the command to crack your Linux passwords is simple enough. To perform
the crack execute the following:

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ~/passwords.txt

JtR is a great way to show if you (or your users) have weak/predictable
passwords!
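To make the unshadow step concrete, here is an added Python example (not code from the original post) that merges constructed passwd and shadow lines the way unshadow(1) does, and then audits which hash algorithm each account actually uses. The sample lines and the hash values in them are constructed placeholders in crypt(3) shape, not real hashes. The audit part goes beyond the post: it flags accounts that still use md5crypt or DES crypt, empty password fields, and locked accounts, which is the check an administrator wants before (or instead of) running a cracker.

```python
# Added example: a small re-implementation of what unshadow(1) does, followed by
# an audit of the hash algorithm each account uses.  The passwd/shadow lines are
# constructed for this example; the hashes are placeholders, not real ones.

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$saltsalt$HASHPLACEHOLDER:17500:0:99999:7:::
alice:$1$saltsalt$HASHPLACEHOLDER:17500:0:99999:7:::
bob:!:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
"""

# crypt(3) identifier prefixes; john recognises its hash format from the same prefixes.
HASH_PREFIXES = {
    "$1$": "md5crypt (weak: fast hash, cheap to guess against)",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}

def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way unshadow(1) does: the 'x' placeholder in
    the second passwd field is replaced by the hash from the matching shadow
    entry, yielding user:hash:uid:gid:gecos:home:shell lines."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged

def classify(hash_field):
    """Name the hash algorithm of one shadow password field, or explain why the
    field is not a crackable hash at all."""
    if hash_field == "":
        return "EMPTY: login without a password"
    if hash_field.startswith(("!", "*")):
        return "locked: no password login possible"
    for prefix, name in HASH_PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    if len(hash_field) == 13:
        return "DES crypt (weak: 8-character limit, 12-bit salt)"
    return "unknown format"

# Classifications that should be fixed regardless of how strong the password is.
WEAK = ("md5crypt", "DES crypt", "EMPTY")

def audit(merged_lines):
    """Return ({user: algorithm}, [users needing attention]) for merged lines."""
    report = {}
    flagged = []
    for line in merged_lines:
        user, hash_field = line.split(":")[:2]
        report[user] = classify(hash_field)
        if report[user].startswith(WEAK):
            flagged.append(user)
    return report, flagged

if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    for line in merged:
        print(line)
    report, flagged = audit(merged)
    for user, algo in report.items():
        print(f"{user:8} {algo}")
    print("needs attention:", flagged)
```

On the constructed input, root comes out as sha512crypt, alice is flagged for md5crypt, and bob and daemon are reported as locked (`!` and `*` fields), so no cracker run is needed to know those two accounts cannot be logged into with a password at all.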

So, what else can John the Ripper do? Well, it turns out a lot. As noted by the file
search below, there are many different conversion tools to convert various file
types into JtR-compatible attack files, indicating what it can attack.

For instance…

SSH keys
To test out JtR’s SSH key password cracking prowess, first create a set of new
private keys. Note: JtR isn’t cracking the file itself (i.e. the number of bytes in the
generated key doesn’t matter); JtR is just cracking the private key’s encrypted
password.

In this case create the public/private key pair with a predictable password:

# Create some private key
ssh-keygen -t rsa -b 4096

# Convert the private key into JtR's hash format
/usr/sbin/ssh2john ~/.ssh/id_rsa > id_rsa.hash

Next, all you need to do is point John the Ripper at the given file, with your
dictionary:

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

And voila!
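The note above is the important point: what ssh2john extracts, and what john guesses against, is the passphrase protection wrapped around the key, so what matters for defence is how that wrapping was done. The following added Python example (not code from the original post or from the JtR project) reads the header of an OpenSSH private key file and reports the cipher, the KDF and the KDF round count, then gives an auditor's verdict. It covers two layouts: the native `openssh-key-v1` format (magic string, ciphername, kdfname, kdfoptions, as documented in OpenSSH's PROTOCOL.key) and the legacy PEM format ssh-keygen wrote before OpenSSH 7.8 unless `-o` was given, whose `Proc-Type: 4,ENCRYPTED` encryption derives the key with a single MD5 pass and so offers no stretching at all. The sample key files are constructed in the code from just the header bytes; the key material itself is omitted on purpose and the layouts beyond the header are assumptions.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"   # first bytes of the OpenSSH native key format

def _ssh_string(b):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode an SSH wire 'string' at offset off; return (data, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_v1_header(cipher, kdf, kdfoptions):
    """Constructed openssh-key-v1 prefix: magic, ciphername, kdfname, kdfoptions,
    number of keys.  The public/private key sections of a real file are omitted;
    only the header is needed to see how (or whether) the key is protected."""
    return (MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfoptions) + struct.pack(">I", 1))

def pem_wrap(label, blob, headers=""):
    """Wrap a blob in PEM armour with 70-column base64 lines."""
    body = base64.b64encode(blob).decode()
    lines = [body[i:i + 70] for i in range(0, len(body), 70)]
    return (f"-----BEGIN {label}-----\n" + headers
            + "\n".join(lines) + f"\n-----END {label}-----\n")

# Constructed sample files (not real keys; header-only, assumed layouts):
UNENCRYPTED_V1 = pem_wrap("OPENSSH PRIVATE KEY",
                          make_v1_header(b"none", b"none", b""))
ENCRYPTED_V1 = pem_wrap("OPENSSH PRIVATE KEY",
                        make_v1_header(b"aes256-ctr", b"bcrypt",
                                       _ssh_string(b"0123456789abcdef") + struct.pack(">I", 16)))
LEGACY_PEM = pem_wrap("RSA PRIVATE KEY", b"not-a-real-key-body",
                      "Proc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n")

def inspect_key(pem_text):
    """Report format, cipher, KDF and KDF rounds of an OpenSSH private key file."""
    lines = pem_text.strip().splitlines()
    label = lines[0].strip("-").replace("BEGIN ", "")
    headers = dict(l.split(": ", 1) for l in lines[1:-1] if ": " in l)
    if label != "OPENSSH PRIVATE KEY":
        # Legacy PEM: encryption uses EVP_BytesToKey, i.e. one MD5 pass, as KDF.
        if headers.get("Proc-Type") == "4,ENCRYPTED":
            return {"format": "legacy-pem", "cipher": headers["DEK-Info"].split(",")[0],
                    "kdf": "EVP_BytesToKey(MD5)", "rounds": 1, "encrypted": True}
        return {"format": "legacy-pem", "cipher": "none", "kdf": "none",
                "rounds": None, "encrypted": False}
    blob = base64.b64decode("".join(l for l in lines[1:-1] if ": " not in l))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":
        # bcrypt kdfoptions = string salt || uint32 rounds (set with ssh-keygen -a N)
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, o)
    return {"format": "openssh-key-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": rounds, "encrypted": cipher != b"none"}

def rating(info):
    """One-line verdict an auditor can act on."""
    if not info["encrypted"]:
        return "UNENCRYPTED: whoever can read the file has the key"
    if info["format"] == "legacy-pem":
        return "WEAK: legacy PEM, single MD5 pass as KDF (re-save with ssh-keygen -p -o)"
    if info["kdf"] == "bcrypt" and info["rounds"] < 16:
        return f"WEAK: bcrypt with only {info['rounds']} rounds (ssh-keygen default is 16)"
    return f"OK: {info['cipher']} with {info['kdf']} ({info['rounds']} rounds)"

if __name__ == "__main__":
    for name, text in [("unencrypted", UNENCRYPTED_V1),
                       ("encrypted", ENCRYPTED_V1), ("legacy", LEGACY_PEM)]:
        print(name, "->", rating(inspect_key(text)))
```

Pointing `inspect_key` at the contents of a real `~/.ssh/id_rsa` tells you in one line whether a dictionary run like the one above even has something to guess against, and the bcrypt round count (raised with `ssh-keygen -a`) is the knob that makes each guess more expensive.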

Keepass2 database
What about Keepass? If you’re not aware, Keepass is an open source, cross-platform
password management vault, for those paranoid individuals who fear
storing all their secrets in the cloud (i.e. with LastPass).
So let’s create a vault to attack. First, install Keepass CLI (“kpcli”).

sudo apt-get install -y kpcli

Next, create a vault. You don’t need to store any passwords in the vault; an empty
vault will do.

$ kpcli

KeePass CLI (kpcli) v3.1 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.

kpcli:/> saveas newdb.kdb
Please provide the master password: *************************
Retype to verify: *************************
kpcli:/> exit

As with the SSH private key and the Linux password hashes, convert the
Keepass database to a JtR-compatible format.

/usr/sbin/keepass2john newdb.kdb > newdb.kdb.hash

And attack!

/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt newdb.kdb.hash

RAR
Next, let’s go after the Roshal Archive (“RAR”) format. To create an encrypted
RAR archive file on Linux, perform the following:

# Install rar
sudo apt-get install -y rar

# Create some dummy file
echo "Hello" > hello.txt

# Create an encrypted RAR file with the password "password"
rar a -hppassword encrypted.rar hello.txt

Next, let’s convert it to JtR’s cracking format:

/usr/sbin/rar2john encrypted.rar > encrypted.rar.hash

And fire away!

A note about cracking zip files…
In the process of writing this article, I discovered that the latest version of John
the Ripper has a bug that may prevent the cracking of Zip files. According to this
mailing list, you need to downgrade JtR to make things work. I suggest you use a
different tool, because apparently uninstalling JtR on Kali Linux requires you to
uninstall everything….

Summary
There you have it. A free, open source way to easily recover “your” passwords. :D

And if you’re interested in further research check out this great Defcon talk on
password cracking. “DEFCON 17: Cracking 400,000 Passwords, or How to
Explain to Your Roommate why Power Bill is a High” —
https://www.youtube.com/watch?v=0WPny7wk960
