John the Ripper: Detect Weak Unix Passwords and Hashes

The first time I used this tool I was amazed because it got my root and user password easily (it wasn’t that strong, though).

About John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

Installing John the Ripper:
It’s available in the official repos, assuming you are using a DEB-based distro:

$ sudo apt-get update
$ sudo apt-get install john

Using John the Ripper:
The name was the thing I fell in love with most 😀 it really does rip. After installation, run

$ john --test

to benchmark the installed build (this confirms it works and shows how fast it guesses each hash type); it should output something similar to

Benchmarking: descrypt, traditional crypt(3) [DES 128/128 SSE2-16]... DONE
Many salts:    1865K c/s real, 1865K c/s virtual
Only one salt:    1756K c/s real, 1756K c/s virtual

Benchmarking: bsdicrypt, BSDI crypt(3) ("_J9..", 725 iterations) [DES 128/128 SSE2-16]... DONE
Many salts:    59801 c/s real, 59801 c/s virtual
Only one salt:    57958 c/s real, 57958 c/s virtual

Benchmarking: md5crypt [MD5 32/64 X2]... DONE
Raw:    6226 c/s real, 6226 c/s virtual

Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE
Raw:    511 c/s real, 512 c/s virtual

Benchmarking: LM [DES 128/128 SSE2-16]... DONE
Raw:    21909K c/s real, 21909K c/s virtual

Benchmarking: AFS, Kerberos AFS [DES 48/64 4K]... DONE
Short:    247449 c/s real, 247449 c/s virtual
Long:    638156 c/s real, 638156 c/s virtual

Benchmarking: tripcode [DES 128/128 SSE2-16]... DONE
Raw:    1582K c/s real, 1585K c/s virtual

Benchmarking: dummy [N/A]... DONE
Raw:    21630K c/s real, 21630K c/s virtual

Benchmarking: crypt, generic crypt(3) [?/64]... DONE
Many salts:    159475 c/s real, 159475 c/s virtual
Only one salt:    158496 c/s real, 158813 c/s virtual
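The benchmark lines are easier to reason about when the rates are compared numerically rather than eyeballed, since the hash scheme protecting an account decides how many guesses per second an attacker gets. The following shell snippet is an added example, not code from the original post or from the John project: it parses the "c/s real" figure out of a few of the benchmark lines quoted above (stored in the JOHN_BENCH variable, which on a real machine you would fill from the output of john --test) and computes how many times faster one scheme is guessed than another. The function names bench_rate and bench_ratio are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pull the cracking rate for a
# given hash type out of "john --test" output so the benchmark numbers can be
# compared instead of eyeballed. JOHN_BENCH holds a few of the benchmark lines
# quoted above; on a real box, replace it with: JOHN_BENCH=$(john --test 2>&1)

JOHN_BENCH='Benchmarking: descrypt, traditional crypt(3) [DES 128/128 SSE2-16]... DONE
Many salts:    1865K c/s real, 1865K c/s virtual
Only one salt:    1756K c/s real, 1756K c/s virtual

Benchmarking: md5crypt [MD5 32/64 X2]... DONE
Raw:    6226 c/s real, 6226 c/s virtual

Benchmarking: bcrypt ("$2a$05", 32 iterations) [Blowfish 32/64 X2]... DONE
Raw:    511 c/s real, 512 c/s virtual

Benchmarking: LM [DES 128/128 SSE2-16]... DONE
Raw:    21909K c/s real, 21909K c/s virtual'

# bench_rate NAME: print the first "c/s real" figure for the hash type NAME
# (the word right after "Benchmarking:"), with the K suffix expanded.
bench_rate() {
  printf '%s\n' "$JOHN_BENCH" | awk -v want="$1" '
    /^Benchmarking: / { cur = $2; sub(/,$/, "", cur); next }
    cur == want && /c\/s real/ {
      match($0, /[0-9]+K? c\/s real/)
      n = substr($0, RSTART, RLENGTH)
      sub(/ c\/s real/, "", n)
      if (n ~ /K$/) { sub(/K$/, "", n); n *= 1000 }
      print n
      exit
    }'
}

# bench_ratio A B: how many times faster hash type A is guessed than B on this
# machine (integer part).
bench_ratio() {
  awk -v a="$(bench_rate "$1")" -v b="$(bench_rate "$2")" \
    'BEGIN { printf "%d\n", a / b }'
}

# Demo: on the box that produced these numbers, descrypt is guessed thousands
# of times faster than bcrypt at cost 5.
echo "descrypt: $(bench_rate descrypt) c/s, bcrypt: $(bench_rate bcrypt) c/s"
echo "ratio descrypt/bcrypt: $(bench_ratio descrypt bcrypt)"
```

The ratio is the practical takeaway for a defender: the same wordlist that runs through 1.8 million descrypt guesses per second gets about 500 per second against bcrypt, so the choice of scheme in /etc/shadow (or the bcrypt cost factor) matters as much as password length.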


Now let's get things ready by creating the test account we need:

  • Create a user with the username test
    $ sudo useradd test
  • Assign a password to it; here I am giving it the password “password”
    $ sudo passwd test
  • When this is done successfully, Linux stores the user's hashed password in /etc/shadow. Check this by running
    $ sudo grep '^test:' /etc/shadow

    which will return something similar to

    test:$6$EVqbJAit$REFgfJ8e9n.uHQsrJi5Ecsj2gCK85PCbr7Ntxuo.w0/.ftTNsg6zSHFWvit97Ek/PmyN774BoApRQuX8qdvom1:16524:0:99999:7:::
  • Before we go on ripping and testing how strong this password is, note that John works with files, i.e. a text file with the hashed password inside, so we are going to copy that returned line into a file (the '^test:' anchor makes sure we grab only this account and not every user whose name happens to contain "test")
    $ sudo grep '^test:' /etc/shadow > ~/test_pass
  • Now let's give John a job to do by pointing it at the hash in the test_pass file
    $ john ~/test_pass

    After some minutes this returns something similar to

    Loaded 1 password hash (crypt, generic crypt(3) [?/64])
    Press 'q' or Ctrl-C to abort, almost any other key for status
    password         (test)
    Use the "--show" option to display all of the cracked passwords reliably
    Session completed

    As we can see, it recovered the password, shown here as password         (test), that easily 🙂

John might take minutes, hours, days or even weeks to crack a password, depending on how strong it is. Apart from user passwords taken from /etc/shadow, John can also crack other hashes, but they must be in a text file, one entry per line, in this format

user:hashedpwd
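The account setup above and the user:hashedpwd format are the same thing seen from two sides: a shadow entry is just that format with extra fields appended, and not every entry holds a usable hash. The following shell snippet is an added example, not code from the original post or from the John project. It turns /etc/shadow lines into the user:hash lines John loads, skips locked and passwordless accounts, and names the crypt(3) scheme of each hash from its $id$ prefix, which goes beyond the post by handling several schemes and lock markers. The function names hash_scheme, shadow_to_john and shadow_report are my own, and SAMPLE_SHADOW is constructed for the demo (only the test user's hash is the one quoted above; the md5crypt entry is made up).

```shell
#!/bin/sh
# Added example (not from the original post): build the "user:hash" lines John
# expects from /etc/shadow entries, skipping locked and passwordless accounts,
# and name the crypt(3) scheme of each hash from its $id$ prefix.

# hash_scheme HASH: print the scheme name implied by a shadow hash prefix.
hash_scheme() {
  case "$1" in
    '$1$'*)                   echo md5crypt ;;
    '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
    '$5$'*)                   echo sha256crypt ;;
    '$6$'*)                   echo sha512crypt ;;
    '$y$'*)                   echo yescrypt ;;
    ''|'!'*|'*'*)             echo locked ;;   # empty, "!"-locked or "*" (no password)
    *)                        echo unknown ;;  # e.g. legacy 13-character descrypt
  esac
}

# shadow_to_john: read shadow lines on stdin, write "user:hash" for every
# account that actually has a crackable hash (this is John's input format).
shadow_to_john() {
  while IFS=: read -r user hash rest; do
    if [ "$(hash_scheme "$hash")" != locked ]; then
      printf '%s:%s\n' "$user" "$hash"
    fi
  done
}

# shadow_report: same input, but print "user scheme" for an audit overview,
# so you can spot accounts still protected by a fast scheme.
shadow_report() {
  while IFS=: read -r user hash rest; do
    printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
  done
}

# Constructed sample: two accounts without a usable hash, the sha512crypt hash
# from the walkthrough above, and a made-up md5crypt entry.
SAMPLE_SHADOW='root:!:16524:0:99999:7:::
daemon:*:16524:0:99999:7:::
test:$6$EVqbJAit$REFgfJ8e9n.uHQsrJi5Ecsj2gCK85PCbr7Ntxuo.w0/.ftTNsg6zSHFWvit97Ek/PmyN774BoApRQuX8qdvom1:16524:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:16524:0:99999:7:::'

# Demo: what John would be fed, and an overview of the schemes in use.
printf '%s\n' "$SAMPLE_SHADOW" | shadow_to_john
printf '%s\n' "$SAMPLE_SHADOW" | shadow_report
```

On a live system the same functions read the real file: sudo cat /etc/shadow | shadow_to_john > ~/test_pass gives John only the accounts worth loading. John also ships its own unshadow tool, which merges /etc/passwd and /etc/shadow into the same format while keeping the GECOS field for its word-mangling rules; the snippet above is only a small stand-in that shows what that input looks like.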

Summary:
For me, John is a cool tool for testing how strong your password is. Weak passwords like the one we used as an example here are cracked within minutes, but strong ones might take hours and might not yield a result.

Read more on Docs