The Varonis IR Team used John the Ripper (JtR), a famous password cracking app, as one of the hacking tools in the first Live Cyber Attack demo.
We’ll take a look at John the Ripper in this blog post, show you how it works, and explain why it’s relevant.
Notes on hacking: Hacking is the study of processes, architecture, and human behaviour. We’re talking about applications and operating systems in this case.
Hacking isn’t always illegal, but it may be used for nefarious purposes. We are proponents of ethical hacking. Stay on the Force’s light side.
For UNIX and Windows-based systems, JtR supports many popular encryption technologies out of the box. JtR detects the encryption on the hashed data and compares it to a huge plain-text file containing commonly used passwords, hashing each password and stopping when a match is found. It’s that simple.
JtR also comes with its word lists of commonly used passwords in over 20 languages. These wordlists provide JtR with thousands of possible passwords from which it can create hash values to guess the target password with a high probability. JtR is always very successful, even with its out-of-the-box wordlists of passwords, since most people prefer easy-to-remember passwords. JtR is used in the Kali Linux pentesting models.
JtR is mainly a password cracker that can assist IT workers in identifying weak passwords and bad password policies during pentesting exercises.
The following is a list of the encryption technologies used in JtR:
UNIX cryptography
Bigcrypt, which is based on DES, has been around for a long time.
DES-based encryption was expanded by BSDI.
MD5-based FreeBSD (Linux and Cisco IOS)
Blowfish-based OpenBSD
Windows LM Kerberos/AFS (DES-based)
Tripcodes based on DES
SHA-crypt hashes are a form of cryptographic hash (newer versions of Fedora and Ubuntu)
SUNMD5 and SHA-crypt hashes (Solaris)
The following is the “official” list. Since JtR is open-source, if your preferred encryption isn’t on the list, do some digging. Someone may have already written an extension for it.
How to Get John the Ripper?
JtR is an open-source project, so you can either download and compile the source code yourself or find it as part of a penetration testing kit.
Openwall hosts John the Ripper’s official website. You can download the source code and binaries there, as well as enter the GitHub project to contribute.
JtR is available as part of Kali Linux’s password-cracking metapackages.
Using John the Ripper Tutorials
We’ll go over some of the fundamental commands you’ll need to get started with John the Ripper. Everything you need to get started is a file with a hash value to decrypt.
Run this command in JtR if you ever need a list of commands:
.\john.exe
Cracking the Passwords
Single crack mode, wordlist mode, and gradual are John the Ripper’s key password cracking modes. If you have a complete password file to crack, the single crack mode is the quickest and best option. The hash is compared to a known list of possible password matches in Wordlist mode. The most effective mode is incremental, but it may not complete. This is the classic brute force mode, in which you try any possible character combination before you find one that works.
Allowing JtR to go through a series of different cracking modes is the simplest way to try cracking a password. JtR will try “simple” mode first, then the default wordlists containing likely passwords, and finally “incremental” mode.
.\john.exe passwordfile
You can also use the –wordlist parameter to build your new wordlists, or you can import various wordlists from the Internet.
.\john.exe passwordfile
Use the same parameter for the mode if you want to define a cracking mode.
The –show parameter is used to display a list of passwords that you have broken.
.\john.exe –show passwordfile
If your broken password list is lengthy, you can use additional criteria to narrow it down. You can also use simple redirection in your shell to redirect the production. Use the –users parameter, for example, to see if you cracked any root users (UID=0).
