John the Ripper: Detect Weak Unix Passwords and Hashes
The first time I used this tool, I was amazed because it got my root and user password easily (it wasn’t that strong though).
About John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.
Installing John the Ripper:
It’s available in the official repos, assuming you are using a DEB-based distro:
$ sudo apt-get update
$ sudo apt-get install john
Using John the Ripper:
The name was the thing I fell in love with most 😀 It actually rips. After installation, please run this
$ john -test
to get everything set and it should output something similar to
Benchmarking: descrypt, traditional crypt(3) [DES 128/128 SSE2-16]... DONE
Many salts:    1865K c/s real, 1865K c/s virtual
Only one salt:    1756K c/s real, 1756K c/s virtual

Benchmarking: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 128/128 SSE2-16]... DONE
Many salts:    59801 c/s real, 59801 c/s virtual
Only one salt:    57958 c/s real, 57958 c/s virtual

Benchmarking: md5crypt [MD5 32/64 X2]... DONE
Raw:    6226 c/s real, 6226 c/s virtual

Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE
Raw:    511 c/s real, 512 c/s virtual

Benchmarking: LM [DES 128/128 SSE2-16]... DONE
Raw:    21909K c/s real, 21909K c/s virtual

Benchmarking: AFS, Kerberos AFS [DES 48/64 4K]... DONE
Short:    247449 c/s real, 247449 c/s virtual
Long:    638156 c/s real, 638156 c/s virtual

Benchmarking: tripcode [DES 128/128 SSE2-16]... DONE
Raw:    1582K c/s real, 1585K c/s virtual

Benchmarking: dummy [N/A]... DONE
Raw:    21630K c/s real, 21630K c/s virtual

Benchmarking: crypt, generic crypt(3) [?/64]... DONE
Many salts:    159475 c/s real, 159475 c/s virtual
Only one salt:    158496 c/s real, 158813 c/s virtual

Now let's get things ready by creating the test account we need:
- Create a user with the username as test
$ sudo useradd test
- Assign a password to it; here I am giving it the password “password”
$ sudo passwd test
- Once this is done, Linux stores the hashed user passwords in /etc/shadow; check this by running
$ sudo cat /etc/shadow | grep test
which will return something similar to
test:$6$EVqbJAit$REFgfJ8e9n.uHQsrJi5Ecsj2gCK85PCbr7Ntxuo.w0/.ftTNsg6zSHFWvit97Ek/PmyN774BoApRQuX8qdvom1:16524:0:99999:7:::
- Before we go on to rip it and test how strong this password is: John works with files, i.e. it reads a file with the hashed password inside, so we are going to copy that returned line and place it in a file
$ sudo cat /etc/shadow | grep test > ~/test_pass
- Now let's give John a job to do by directing it to crack the password in the test_pass file
$ john ~/test_pass
After some minutes, this returns something similar to
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password        (test)
Use the "--show" option to display all of the cracked passwords reliably
Session completed
As we can see, it cracked the password so easily 🙂 The result is shown here:
password        (test)
John might take minutes, hours, days or even weeks to crack a password, depending on how strong it is. Apart from user passwords, John also cracks other hashes, but they must be in a text file and in this format
user:hashedpwd
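To audit more than one account, it helps to read each /etc/shadow line before handing it to John. The following is an added example, not part of the original post or of John the Ripper: the function names, the "legacy" flags and every sample line except the first (which is the line shown above) are assumptions made for illustration.

```python
from datetime import date, timedelta

# crypt(3) "$id$" prefixes -> (scheme name, legacy?). The legacy flags are this
# example's assumption, not something stated on the page.
SCHEMES = {"1": ("md5crypt", True), "2a": ("bcrypt", False),
           "2b": ("bcrypt", False), "2y": ("bcrypt", False),
           "5": ("sha256crypt", False), "6": ("sha512crypt", False),
           "y": ("yescrypt", False)}

# Constructed sample: line 1 is the example line from this page, the other
# three are made up (placeholder values, not real hashes).
SAMPLE = """\
test:$6$EVqbJAit$REFgfJ8e9n.uHQsrJi5Ecsj2gCK85PCbr7Ntxuo.w0/.ftTNsg6zSHFWvit97Ek/PmyN774BoApRQuX8qdvom1:16524:0:99999:7:::
daemon:*:16000:0:99999:7:::
olduser:abCONSTRUCTED:15000:0:99999:7:::
guest::16000:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one /etc/shadow line into the fields a password audit needs."""
    user, pw, lastchg = (line.strip().split(":") + ["", ""])[:3]
    info = {"user": user, "scheme": None, "salt": None, "legacy": False,
            "changed": None, "john_line": None}
    if lastchg.isdigit():  # field 3 is days (not seconds) since 1970-01-01
        info["changed"] = date(1970, 1, 1) + timedelta(days=int(lastchg))
    if pw == "":
        info["scheme"] = "EMPTY"     # account needs no password at all
    elif pw[0] in "!*":
        info["scheme"] = "LOCKED"    # no usable hash, nothing to test
    else:
        if pw.startswith("$"):
            parts = pw.split("$")    # ['', id, salt-or-params, ...]
            info["scheme"], info["legacy"] = SCHEMES.get(parts[1], ("unknown", False))
            if parts[1] in ("1", "5", "6") and len(parts) > 3:
                # sha256crypt/sha512crypt may put "rounds=N" before the salt
                info["salt"] = parts[3] if parts[2].startswith("rounds=") else parts[2]
        else:  # no "$id$": "_" prefix is bsdicrypt, otherwise descrypt
            info["scheme"], info["legacy"] = ("bsdicrypt" if pw[0] == "_" else "descrypt"), True
        info["john_line"] = f"{user}:{pw}"   # the user:hashedpwd form
    return info

def audit(text):
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r["user"], r["scheme"], r["changed"], "LEGACY" if r["legacy"] else "")
```

Locked and empty entries produce no john_line, so only accounts that actually carry a hash end up in the file you test.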
Summary:
For me, John is a cool tool for testing how strong your password is. Weak passwords like the one we used as an example here are cracked within minutes, but strong ones might take hours and might not yield a result.