Ethical Hacking: A Guide to Password Cracking

john the ripper

Add Your Heading Text Here

Welcome to the world of ethical hacking and password security testing. In our journey to fortify digital defenses and protect sensitive data, we delve into the powerful tool known as ‘John the Ripper.’ This guide will equip you with the knowledge and techniques to responsibly and legally assess the strength of passwords, helping you identify vulnerabilities and safeguard systems against unauthorized access. Get ready to unlock the secrets of password cracking and bolster your cybersecurity arsenal with this comprehensive guide.

What is John the Ripper?

John the Ripper, often abbreviated as “John,” is a widely used and highly effective open-source password cracking tool for Linux and other operating systems. It’s designed for security professionals, penetration testers, and system administrators to test the strength of passwords and improve the security of their systems.

Here are some key details about John the Ripper:

Password Cracking:

John the Ripper is primarily used for cracking password hashes. It supports a variety of hash algorithms, including DES, MD5, SHA-1, and more. It can be used to crack password hashes obtained from various sources, such as password files, database dumps, or shadow files.

Modes of Operation:

John the Ripper offers different modes of operation, including dictionary attacks, brute force attacks, and hybrid attacks. It can also use various rules and mangling techniques to modify dictionary words, making it more effective at cracking passwords.

Wordlist and Rules:

You can customize the tool’s behavior by providing wordlists (lists of potential passwords) and rulesets (patterns for generating variations of words). These allow you to fine-tune the password cracking process to suit the specific task at hand.

Community Edition:

There is a free and open-source community edition of John the Ripper called “John the Ripper Community Enhanced Version” (John the Ripper – Jumbo) that includes additional features and support for more hash algorithms than the original version.

Performance and Optimization:

John the Ripper is known for its speed and optimization. It’s capable of efficiently cracking passwords on modern hardware, making it a valuable tool for password security audits.

Support for Multiple Platforms:

John the Ripper is cross-platform and runs on various Unix-like systems, including Linux, macOS, and FreeBSD. It can also be compiled and used on Windows.

Legal and Ethical Considerations:

It’s important to use John the Ripper ethically and within the bounds of the law. Unauthorized password cracking, especially against systems you do not own or have permission to test, is illegal and unethical. Always ensure you have the proper authorization and consent before using such tools.

Variants and Tools:

Over the years, various community-contributed variants of John the Ripper have been developed to suit different use cases and provide specialized features.

Linux Passwords

In Linux, user account passwords are securely stored in the /etc/shadow file, which is commonly referred to as the “shadow file.” The /etc/shadow file is a critical component of Linux’s security model and is designed to protect user password information by using hashing and encryption techniques.

Here’s how Linux passwords are stored and secured:

Password Hash Storage:

In the /etc/shadow file, user passwords are stored as hashed values. These hashed values are created using one-way cryptographic hash functions (e.g., SHA-512, SHA-256, or DES) and are irreversible. This means that it’s computationally infeasible to reverse the hash and recover the original plaintext password.

Username and Password Hash:

The /etc/shadow file contains a line for each user account, with several fields separated by colons. The fields typically include the username, password hash, and additional information about password expiration, account status, and more.

Salt for Hashing:

To enhance security, Linux uses a randomly generated value called a “salt” when hashing passwords. This salt is combined with the plaintext password before hashing, making it more challenging for attackers to use precomputed rainbow tables for password cracking.

Protection of Shadow File:

The /etc/shadow file is protected with strict file permissions, making it accessible only to the root user (superuser) and authorized system administrators. This prevents unauthorized access to the password hashes.

Password Encryption Algorithm:

The specific hash algorithm used for password encryption depends on the Linux distribution and configuration. Modern Linux systems often use stronger hash algorithms like SHA-512 or SHA-256 to enhance password security.

Password Policies:

Linux systems allow administrators to set password policies, including rules for password complexity, length, and expiration. This further contributes to password security.

Password Cracking Mitigation:

Linux systems are designed to make password cracking more challenging through the use of strong hash algorithms, salts, and optional password policies. Nevertheless, it’s essential for system administrators to regularly monitor and update password security settings.

In an ethical hacking context, tools like John the Ripper are used to test the strength of Linux passwords by attempting to crack the password hashes in the /etc/shadow file. However, this should always be done ethically, with proper authorization, and for legitimate security testing purposes. Unauthorized attempts to crack passwords are illegal and unethical.

Windows Passwords

In Windows operating systems, user account passwords are not stored in plain text. Instead, they are securely hashed and stored in a file called the Security Accounts Manager (SAM) database. The SAM database is a crucial component of Windows security and contains information about user accounts and their associated security information, such as password hashes.

Here’s how it works:

Password Hashes:

When a user creates or changes their password, Windows uses a one-way cryptographic hash function (e.g., NTLM or LM hash) to convert the plaintext password into a fixed-length hash. This hash is unique to the user’s password and cannot be easily reversed to reveal the original password.

SAM Database:

The password hashes are stored in the SAM database, which is typically located in the %SystemRoot%\system32\config directory. The SAM database file is named SAM and is accompanied by a file named SYSTEM. These files are essential for the security of the Windows system.

Access Control:

The SAM database is heavily protected by the operating system. By default, it is only accessible by the Windows kernel and system administrators with the appropriate privileges.

Local vs. Domain Accounts:

On a Windows system that is part of a Windows domain, user account information may be stored on a domain controller instead of locally on the system. In this case, the SAM database does not store password information, and instead, authentication requests are forwarded to the domain controller.

It’s important to note that while the password hashes are stored securely, the actual password hash algorithms used by Windows have known vulnerabilities. For example, LM hashes are considered weak and easily crackable. As a result, more recent Windows versions and best practices use stronger password hash algorithms, such as NTLM or Kerberos, to enhance security.

For security purposes, it’s crucial to protect access to the SAM database and regularly update password policies to ensure strong and secure user passwords. In an ethical hacking context, it’s important to use tools like John the Ripper responsibly and with proper authorization when assessing the security of Windows passwords.

macOS Passwords

In macOS, user account passwords are securely stored in a file known as the “shadow file” or “password database.” This file is used to store password hashes for user accounts, making it more challenging for unauthorized access to plaintext passwords. macOS uses a more secure mechanism than earlier operating systems, like Linux, to protect user password information.

Here are the key details regarding where Mac OS passwords are stored:

Shadow File Location:

On macOS, the shadow file is located at /var/db/dslocal/nodes/Default/users/username.plist, where username is the name of the user account. Each user account has its own corresponding .plist file.

Password Hash Storage:

Instead of storing password hashes directly in the .plist file, macOS uses a more secure method. Password information is encrypted using the user’s login keychain, which is located in the /Users/username/Library/Keychains/login.keychain directory.

Keychain Encryption:

The login keychain is encrypted using the user’s login password, and it contains the necessary cryptographic information to protect and verify user passwords. This makes it difficult for unauthorized access to the stored passwords, as the login keychain is strongly encrypted.

Hashing Algorithm:

macOS uses a secure password hashing algorithm called PBKDF2 (Password-Based Key Derivation Function 2) to hash and protect user passwords. This adds an additional layer of security by making it computationally intensive to crack the passwords.

Admin Access:

Administrative users with appropriate privileges can access the user’s password hashes using macOS commands like dscl (Directory Service Command-Line Utility) or with administrator tools for system administration and user management.

Password Hash Salt:

macOS uses a unique salt for each user to strengthen password security. This salt is combined with the user’s password before hashing, making it more challenging for attackers to use precomputed rainbow tables for cracking passwords.

In summary, macOS uses a secure and robust mechanism to protect user password information, making it significantly challenging for unauthorized access to password hashes. While it’s important to understand the underlying security mechanisms, it’s also essential to use ethical hacking tools and techniques responsibly and with proper authorization when assessing the security of user passwords in macOS.

How to Install John the Ripper

John the Ripper comes with Kali but if you’re not using Kali, you can install it Linux from the terminal.

To install from terminal:

sudo apt install john -y

How to use John the Ripper

John the Ripper (often referred to as “John”) has a wide range of commands and options, making it a versatile tool for password cracking. Below are some of the essential commands and options frequently used with John:

Basic Syntax:

The basic syntax for running John is:

john [options] password_file
  • options: Various options and flags used to specify the cracking mode, wordlists, rules, and more.
  • password_file: The file containing hashed passwords you want to crack.
Cracking Modes:

John supports various cracking modes, including dictionary attacks, incremental brute force attacks, and more. Some common cracking modes include:

  • Dictionary Attack: Use a wordlist file for dictionary-based attacks:
john --wordlist=wordlist.txt password_file
  • Incremental Mode: Perform a brute force attack to try all possible character combinations:
john --incremental password_file
Wordlists and Rules:
  • Specifying Wordlists: You can specify a wordlist using the --wordlist option:
john --wordlist=my_wordlist.txt password_file
  • Using Rules: Apply rules to the wordlist for generating variations of words. For example, you can use the --rules option to apply a specific rule set:
john --wordlist=my_wordlist.txt --rules=my_ruleset.ini password_file
Cracking Specific Hash Types:
  • Specifying Hash Type: Use the --format option to specify the hash format. For example, to crack MD5 hashes:
john --format=raw-MD5 password_file
Benchmarking:
  • Benchmarking: To benchmark the speed of John and your hardware, you can use the --test option:
john --test
Output and Session Management:
  • Output to a File: Use the -o or --output option to specify an output file for cracked passwords:
john --wordlist=my_wordlist.txt --output=cracked_passwords.txt password_file
  • Resume a Session: If you have saved a session, you can resume it using the --restore option:
john --restore=saved_session.rec password_file
Advanced Options:
  • John has many advanced options for fine-tuning cracking, specifying character sets, handling specific hash types, and more. You can consult the official documentation or run john --list=build to see all available options.

How to Crack Linux Passwords

First Example:

  • Copy the content of the etc/passwd to a file, in this example I named the file passwd1.
  • Then copy the content of the etc/shadow to another file named passwd2.
  • Now, in the terminal navigate to where you saved those two files and enter the following command:
unshadow passwd1 passwd2 > crackMe

The unshadow command in conjunction with passwd1 and passwd2 is used to combine the information from two separate password-related files (usually /etc/passwd and /etc/shadow in Unix-like systems) into a single file that can be used for password cracking.

Here’s how this command works:

  • passwd1: This typically represents the /etc/passwd file. The /etc/passwd file contains user account information, including usernames and user IDs, but it does not contain the actual password hashes. Instead, the password hashes are usually stored in the /etc/shadow file to enhance security.

  • passwd2: This typically represents the /etc/shadow file. The /etc/shadow file contains the password hashes and related security information for user accounts.

  • > crackMe: The > symbol is used to redirect the combined output to a file named “crackMe.”

Once complete type:

john crackMe

To view the cracked crackMe file type:

john --show crackMe

If the passwords were successfully cracked, they will now be stored in the crackMe file.

Second Example:

You have a leaked data file of thousands of hashed passwords called leaked.txt To crack the large passwords file open the terminal and navigate to where the leaked.txt is located and enter the following command:

john leaked.txt

If john struggles, it will prompt you for the correct encryption format, enter the following command:

john leaked.txt --format=raw-SHA1

If you have a fairly decent system john can crack thousands of password hashes in little time.

Hash Identifier

If you’re unsure of which hash your working with? You can install the Hash-Identifier script by cloning it from GitHub with the following command:

git clone https://github.com/blackploit/hash-identifier.git

To use the “hash-identifier” tool to identify hashes, follow these steps:

  • Navigate to the “hash-identifier” Directory: Assuming you’ve already cloned the “hash-identifier” Git repository, navigate to the directory where it was cloned. You can use the cd command to change to the directory:
cd hash-identifier
  • Make the Python Script Executable: The “hash-identifier” tool is a Python script. Before you can run it, you need to ensure that the script is executable. You can use the chmod command to make it executable:
chmod +x hash-id.py
  • Run the Script: To identify a hash, you can run the script and provide the hash as an argument. For example:
./hash-id.py [hash_value]

Replace [hash_value] with the actual hash value you want to identify.

Here’s an example using the MD5 hash “d41d8cd98f00b204e9800998ecf8427e”:

./hash-id.py d41d8cd98f00b204e9800998ecf8427e
  • View the Results: The script will analyze the provided hash and display information about the hash type, along with any known details about it. For example, it might tell you that the hash is an MD5 hash and provide additional information.

    Please note that the accuracy of hash identification depends on the tool’s database and the hash type. Some hash types may be more challenging to identify, especially if they are not well-documented.

Hash-identifier is a simple tool for identifying common hash types, but it may not recognize all hash algorithms. For less common or custom hashes, you might need to rely on other tools or manual analysis. Additionally, be cautious when working with hash values, especially in an ethical and legal context, as hash values can represent sensitive or confidential information.

Conclusion

John the Ripper is a powerful tool used by security professionals to assess the strength of passwords and improve the security of systems. When used responsibly and legally, it’s a valuable asset for identifying weak passwords and encouraging better password practices. However, it should never be used for malicious purposes or without proper authorization.

Happy Hacking Folks!

You can read all of our Ethical Hacking guides here: Ethical Hacking

Recommendations:

Basic Security Testing with Kali Linux: https://amzn.to/3S0t7Vq
ALFA Network Wi-Fi Adapter: https://amzn.to/3QbZ6AE

This Wi-Fi adapter is essential if you are to learn Wi-Fi Hacking.

Luke Barber

Hello, fellow tech enthusiasts! I'm Luke, a passionate learner and explorer in the vast realms of technology. Welcome to my digital space where I share the insights and adventures gained from my journey into the fascinating worlds of Arduino, Python, Linux, Ethical Hacking, and beyond. Armed with qualifications including CompTIA A+, Sec+, Cisco CCNA, Unix/Linux and Bash Shell Scripting, JavaScript Application Programming, Python Programming and Ethical Hacking, I thrive in the ever-evolving landscape of coding, computers, and networks. As a tech enthusiast, I'm on a mission to simplify the complexities of technology through my blogs, offering a glimpse into the marvels of Arduino, Python, Linux, and Ethical Hacking techniques. Whether you're a fellow coder or a curious mind, I invite you to join me on this journey of continuous learning and discovery.

Leave a Reply

Your email address will not be published. Required fields are marked *

Verified by MonsterInsights