Disclaimer: Please note that it is against the law to misuse this tool for cracking passwords on third-party systems or 'hacking' into systems you do not own or have permission to test!
What is John the Ripper (JTR)?
John the Ripper is a password cracking tool that was originally developed for UNIX-like systems. The developers have since extended its support to Windows and Mac systems.
The software is used by many administrators to check the strength of the passwords their users have chosen. But note that it can equally be used to crack passwords and break into a system. It supports both dictionary attacks (trying every word in a wordlist, which is why you should never choose a password that can be found in a dictionary) and brute-force attacks (trying every possible combination, which is why a long password drawn from letters, digits and symbols is hard to crack: the search space grows exponentially with the length).
How to test the password strength?
The best way to test password strength is to try cracking it. Let's start by installing the software.
Since I'm on a Debian-based distribution I can issue:
sudo apt-get install john
(Debian users can run apt-get install john after becoming root.)
(If you are using Fedora, you can use yum, since JTR is in the Fedora repository as well. If you are on a GNU/Linux system that doesn't have John in its repository, install it from source; this entry will help you do that.)
Also, if you find RPM packages of John (say on Red Hat), you can issue:
rpm -ivh john*
Now let's add a couple of new users to our system (you can also use GUI-based tools for adding users).
I'm going to issue:
sudo adduser username
three times to create three new users.
When I 'cat' (list) the /etc/shadow file as root, I can see the password hashes of the new users I have created:
JTR accepts a number of options that control the cracking process. Here are a few of them, in the classic single-dash syntax used here (current releases document the GNU-style form, e.g. --wordlist=FILE):
- -single: enable single crack mode (guesses derived from each user's login name and GECOS field)
- -show: list the passwords cracked so far
- -wordfile:FILE – read candidate words from FILE (wordlist mode)
- -rules: enable word mangling rules for wordlist mode (append digits, change case, and so on)
- -salts:[-]COUNT – load only hashes whose salt is shared by at least COUNT users (or, with -, fewer than COUNT)
- -incremental[:MODE] – enable incremental mode, the exhaustive brute-force search
- -stdout[:LENGTH] – no cracking is done; JTR merely writes the candidate words it would try (truncated to LENGTH characters)
- -restore[:FILE] – restore a previously interrupted session
- -status[:FILE] – print the status of a session
- -users:[-]LOGIN|UID[,..] – load only these users (or, with -, all but these users)
- -groups:[-]GID[,..] – load only users of these groups
- -shells:[-]SHELL[,..] – load only those users with these login shells
Some of you might be wondering why I'm referring to the /etc/shadow file instead of /etc/passwd. Historically /etc/passwd held the password hashes, but that file has to be world-readable (it maps UIDs to user names), so any local user could copy the hashes and crack them offline. Modern systems therefore put only a placeholder 'x' in the password field of /etc/passwd and keep the actual hashes in /etc/shadow, which only root can read. Also note that what is stored is not an encrypted password but a salted one-way hash (for example sha512crypt, written as $6$salt$hash): there is no key that decrypts it, so the only way to recover the password is to guess it and compare hashes, which is exactly what John does.
Now we are going to crack these hashed passwords:
sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
This runs the unshadow helper with root privileges (needed to read /etc/shadow) and writes the merged entries, each passwd line with its hash put back in the password field, to crack.password.db in the temporary folder. That file now contains every user's hash in a world-readable location, so restrict it (chmod 600) and delete it when you are done.
I can invoke John at this point:
(Some users may get an error saying that the command was not found. If you built John from source, the binary lives in the run/ directory of the source tree and is not on your PATH, so run './john' from that directory instead of 'john'.)
You may also note that you can use the 'single' and 'wordlist' options at this point to run just one mode. With no mode option at all, John runs all three in order: single crack mode first, then wordlist mode with its default wordlist, then incremental mode. Incremental mode is the exhaustive brute-force search, so it is the slowest and most CPU-hungry of the three; use it last, after the cheap modes have picked off the weak passwords.
And now you can see the output by issuing :
aasisvinayak@aasisvinayak-laptop:~$ john -show /tmp/crack.password.db
My machine took 10 seconds to crack these three passwords (abc123, london and birthday were the passwords for these users).
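To make the steps above concrete, here is an added example (not part of the original article and not John's own code) that reproduces what unshadow does and then runs the two cheap cracking modes John starts with: single crack mode, which builds guesses from the login name and GECOS field, and wordlist mode with mangling rules. The passwd and shadow contents are constructed for the demo; the hashes are unsalted hex SHA-256 digests (what John calls raw-sha256) rather than real $6$ crypt hashes, so that the example runs offline without a crypt() implementation. The wordlist and rule set are deliberately tiny.

```python
import hashlib

# Constructed sample input, not taken from a real system. Real shadow
# entries carry salted crypt(3) hashes such as $6$salt$... (sha512crypt) or
# $y$... (yescrypt); to stay self-contained without a crypt() implementation
# the hashes below are plain hex SHA-256 digests, the format John calls
# raw-sha256. The join, single-mode and wordlist-with-rules mechanics are
# the same either way.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob London,,,:/home/bob:/bin/bash
carol:x:1003:1003:Carol Jones,,,:/home/carol:/bin/bash
"""


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


# The three demo passwords mirror the article (abc123, london, birthday);
# their hashes are computed here only so the demo runs offline.
SHADOW = "\n".join([
    "root:!:19000:0:99999:7:::",      # '!' = locked, nothing to crack
    "daemon:*:19000:0:99999:7:::",    # '*' = no login, nothing to crack
    f"alice:{sha256_hex('abc123')}:19000:0:99999:7:::",
    f"bob:{sha256_hex('london')}:19000:0:99999:7:::",
    f"carol:{sha256_hex('birthday')}:19000:0:99999:7:::",
]) + "\n"

# Tiny wordlist: 'abc' only becomes 'abc123' through a rule, 'london' is
# absent (single mode derives it from Bob's GECOS), 'birthday' is absent.
WORDLIST = ["password", "abc", "letmein", "qwerty", "dragon"]
RULE_SUFFIXES = ["", "1", "12", "123", "!", "2024"]


def parse_colon_file(text):
    """Map login name -> field list for a passwd- or shadow-style file."""
    table = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            table[fields[0]] = fields
    return table


def unshadow(passwd_text, shadow_text):
    """What unshadow(8) does: put the shadow hash back into field 2 of the
    passwd line so the cracker sees hash, login name and GECOS together."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for login, fields in parse_colon_file(passwd_text).items():
        if login in shadow:
            fields = [login, shadow[login][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def apply_rules(word):
    """A small stand-in for John's wordlist rules: case variants x suffixes."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for suffix in RULE_SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack(entries, wordlist):
    """Return ({login: password}, candidates_hashed) for the cracked entries.

    These digests are unsalted, so one hash computation is compared against
    every user at once; salted crypt(3) hashes force one computation per
    salt, which is why John reports how many distinct salts it loaded.
    """
    targets = {}      # hex digest -> logins sharing it
    per_user = {}
    for line in entries:
        fields = line.split(":")
        login, digest = fields[0], fields[1]
        if len(digest) != 64:     # 'x', '!', '*': no hash to attack
            continue
        targets.setdefault(digest, []).append(login)
        per_user[login] = fields
    found, guesses = {}, 0

    def try_candidate(candidate):
        nonlocal guesses
        guesses += 1
        for login in targets.get(sha256_hex(candidate), []):
            found.setdefault(login, candidate)

    # 1. single crack mode: guesses built from each login name and GECOS field
    for login, fields in per_user.items():
        gecos = fields[4] if len(fields) > 4 else ""
        for word in [login, *gecos.replace(",", " ").split()]:
            for candidate in apply_rules(word):
                try_candidate(candidate)
    # 2. wordlist mode with rules
    for word in wordlist:
        for candidate in apply_rules(word):
            try_candidate(candidate)
    return found, guesses


if __name__ == "__main__":
    found, guesses = crack(unshadow(PASSWD, SHADOW), WORDLIST)
    for login, password in found.items():    # the equivalent of john -show
        print(f"{login}:{password}")
    print(f"{len(found)} cracked, {guesses} candidates hashed")
```

alice falls to wordlist mode ('abc' plus the '123' rule) and bob to single crack mode (the word 'London' from his GECOS entry, lower-cased by a rule), while carol's 'birthday' survives because it is in neither the wordlist nor her account data; only incremental (brute-force) mode would reach it, which is the expensive step this toy leaves out.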
Note that installing libpam-cracklib does not make John any stronger; it is a PAM module that checks a new password against cracklib's dictionary and rules when a user runs passwd, and rejects weak choices before they are ever stored. It is the preventive counterpart to cracking: to enable it, all I have to do is issue:
sudo apt-get install libpam-cracklib
How to make your system secure AKA Tips for a good password?
The above demonstration has shown that it is easy to crack simple passwords. Here are a few tips:
- Your password should be longer than 10 characters
- Use a combination of letters, numerals and special characters (like %, @ etc.)
- Include both upper and lower case in your password
- Never use any word that is related to you (many crackers employ social engineering, say by collecting information about you from websites and social networking profiles; John's single crack mode does the same automatically from your login name and full name)
- Never use a dictionary word on its own, or a dictionary word with a digit or symbol tacked on (wordlist rules generate those variants in one step)
- Never reuse your important passwords on less popular sites (sometimes these sites may sell or leak your information!)
- Always look for 'https' in the URL while visiting a banking website
- Be aware of phishing emails
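The tips above can be put into numbers. The following is an added example (not from the original article) that applies the checks to a candidate password and estimates how long an exhaustive brute-force search would take against it. The guess rates are assumptions chosen to show the ratio between a fast unsalted hash and a deliberately slow crypt(3) hash, not measurements; the dictionary is a tiny stand-in for a real wordlist.

```python
import string

# Illustrative guess rates in candidates per second on one machine. These are
# assumptions for the arithmetic, not measurements, and vary enormously with
# hardware and the John build; the point is the ratio between a fast unsalted
# hash and a purposely slow crypt(3) hash.
GUESS_RATES = {
    "raw-sha256 (unsalted, fast)": 1e9,
    "sha512crypt ($6$, salted, 5000 rounds)": 1e4,
}

# A tiny stand-in for a real dictionary such as John's password.lst.
TINY_DICTIONARY = {"password", "london", "birthday", "abc123", "letmein", "qwerty"}


def charset_size(pw):
    """Size of the alphabet a brute-force search must cover, judged from the
    character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII specials
    return size


def brute_force_keyspace(pw):
    """Candidates an exhaustive search covers up to len(pw): the attacker does
    not know the length in advance, so every shorter length is tried too."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def expected_seconds(pw, rate):
    """Expected time to hit the password; on average it turns up halfway."""
    return brute_force_keyspace(pw) / rate / 2


def weaknesses(pw):
    """Apply the tips above and return the ones the password fails."""
    problems = []
    if len(pw) <= 10:
        problems.append("10 characters or fewer")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    # 'London123!' is still the dictionary word 'london' plus a suffix that
    # wordlist rules generate in one step, so strip the suffix before looking.
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in TINY_DICTIONARY or core in TINY_DICTIONARY:
        problems.append("dictionary word (with or without a suffix)")
    return problems


if __name__ == "__main__":
    for pw in ("abc123", "London123!", "Tr0ub4dor&3Xy9!"):
        print(f"{pw!r}: keyspace {brute_force_keyspace(pw):.3e}, "
              f"weaknesses: {weaknesses(pw) or 'none'}")
        for name, rate in GUESS_RATES.items():
            print(f"  {name}: ~{expected_seconds(pw, rate):.3g} s to brute-force")
```

Two things stand out when you run it: a six-character lower-case-plus-digits password such as abc123 has a search space of about 2.2e9, roughly a second of work against a fast unsalted hash, and the same search against a salted, iterated crypt(3) hash takes a hundred thousand times longer, which is why the hash algorithm in /etc/shadow matters as much as the password policy; and a dictionary word with a suffix is flagged even when it passes the length and character-class rules.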