What is John the Ripper?
For those who do not know it yet, John the Ripper is a password cracking tool written in C and widely used by security analysts to check the robustness of a key against brute force attacks. This program is capable of breaking MD5, SHA-1 and many other hashes widely used in the computing world. This program is capable of automatically detecting the type of hash we are cracking, in order to make it easier for the user to crack it without having to worry about the type of hash it is trying to “break”.
Some very important features of this program is that it is optimized for many processor models, it works on many PC architectures and also on different operating systems, however, it is generally used on Linux-based operating systems, in fact, the main Linux distributions. oriented to pentesting and computer security already incorporate this program by default.
This program is highly customizable, it allows us to define the length of a password to be tested, to generate all possible combinations and achieve the goal of cracking the hash. It also allows us to configure what range of letters, numbers or symbols we can try to decipher the password, in addition, it also allows us to include rules to decide how the different variations should be made.
John the Ripper allows you to pause the cracking of the password and continue it at another time, this is ideal in case we have to turn off our PC or server, in addition, it can be automated to start cracking a certain password when starting our computer, and all this automatically without the need for system administrator intervention.
This program allows us to crack passwords by dictionary, if we download one or more Internet password dictionaries of several tens of GB, the tool will be in charge of testing each and every one of these keys to try to crack the password hash. The process consists of generating the hash of each password, to later compare the hash that we want to break, if the hash is the same then we have discovered the password, if the hash does not match then it is not the key and we will have to continue testing. We will be able to crack the passwords that are contained in the key dictionaries in a completely automated way.
A remarkable aspect is that it not only tests the dictionary keys, but also adds numbers, uppercase, lowercase and symbols to the words that we put as “input”, in addition, it is also capable of combining words to test even more combinations of passwords and find the key used.
Brute force attack
The brute force attack consists of testing all combinations of letters, numbers and symbols of a key with a certain length. This method is the slowest because it will test all combinations, and it can take hours, days, and even years to crack passwords to a certain length. In general, cracking a password of more than 12 characters will take us a long time doing it by brute force, therefore, you must take it into account.
This program allows us to configure this brute force attack, we will tell you to try only letters, letters and numbers, and even add symbols. The more “input” characters we have, the longer it will take to test all possible password combinations, so we must take this into account when configuring the input.
Once we know what John the Ripper is and its two modes of operation, we are going to see how a system administrator can use this program to verify the security of the computer key. In this way, we will check if we are vulnerable to a brute force or dictionary attack by a hacker who seeks to obtain remote (or local) access to it.
Installation and performance test
Currently this program is available in all the repositories of the main Linux operating system distributions, therefore, we can install it easily and quickly without problems. In case it is not available for your distribution, you will always be able to add it later by editing the repositories file. In this tutorial we are going to use an Ubuntu operating system to install the program.
sudo apt install john
Once the tool is installed in our operating system, we can use it and start cracking passwords, however, it would be highly recommended before starting to crack keys, perform a quick speed test on our computer.
Test the performance on our PC
Before we start cracking the passwords we can launch a simple performance test where our hardware will be put to the test. In this way, we will be able to know the speed with which the tool will test keys with different types of encryption using 100% of our CPU. To do this we simply open a Linux terminal and type:
As we can see, a series of tests are carried out where performance will be measured, this can give us a general idea of the processing power of our computer, with the aim of testing all combinations of letters, numbers and symbols in the shortest possible time.
Cracking passwords by brute force
Once the tool is installed and the performance test carried out, we can start with a real case. We can choose to directly load the file “/ etc / shadow” containing the Linux passwords and crack them, however, in this example we are going to create a document manually with a username and password and we will tell John to crack it. We are going to do this for three reasons:
- So as not to really compromise our system.
- To get the results as quickly as possible (we are going to use a very simple key as an example).
- To have a first contact with the tool and become familiar with it.
To do this we create a new text file called “password.txt”, for example, in our Ubuntu personal folder with the following content:
Next, we’re going to direct John to get to work cracking the password for the old file. To do this we type:
The tool will start to work.
We must wait for this tool to crack the password of the previous file. This process can take hours or even days depending on the difficulty of it. When the process finishes we will see a result similar to the following.
Our password is cracked. To see it we simply have to use the –show command as follows:
john --show password.txt
Our password was “example”. We can now try to log into the system with the user “user” and the password “example”, or at least, we could do it if we had worked directly with the / etc / shadow file, although the cracking time would have taken much longer than several minutes.
Later we will see how to use this same tool, but to crack passwords using a dictionary as a source of keys. Finally, we are going to leave you a little challenge to practice with this program, copying exactly one practical case from a / etc / shadow file:
Once we have learned to crack passwords by brute force, we are going to try cracking passwords by dictionary.
Cracking passwords using a dictionary of keys
As in the previous tutorial, in this case we are going to use an example key that we have saved by hand in a document called «password.txt«:
Next, what we need to do is have or create a custom key dictionary. We can download these dictionaries from the Internet, but to make the first tests of the program we are going to create a simple dictionary, which we will call «passwords.lst“And in which we will introduce several values, each one on a line, but one of them being the word” example “(since it corresponds to our password).
Next, we simply need to run John the Ripper with the parameter –Wordlist = followed by the path of our file. We give you an example with the two files that we have generated (the encrypted password and the dictionary):
john --wordlist=passwords.lst password.txt
By having a simple password and few dictionary entries, the process will be practically instantaneous. We have already cracked, or decrypted, the password. All we have to do is use the –show parameter to show us the result.
john --show password.txt
As you have seen, cracking passwords with John the Ripper is really simple, the speed of cracking will depend on our processor, the method used to try to crack the passwords, and also the complexity and length of the password we want to crack. Another program that we recommend to crack passwords is Hashcat, a program much more advanced than this program, but much more complex to use if you do not read the official documentation, in addition, this Hashcat program allows us to use the power of the card processors graphics (GPU) to test millions of passwords per second.