I left my old job a few years back and wanted to check a few of my old PDF payslips, but for the life of me I can't remember the password. I've tried using John the Ripper in incremental mode because I do know it wasn't a complicated password (I never changed the one they provided me when they set up Sage, as I never saw the need), but despite running for over a day it still hadn't found it.
I was pretty sure it was just the first part of my email address (let's call it abcchji) followed by, or perhaps preceded by, a series of numbers. There may have been a single capital in it too, at the start.
I want John to search solely for the string abcchji, but with John then trying random strings of numbers (0-9) and symbols (nothing exotic, maybe a ! or #; the passwords for everyone were set up together, so I don't remember it being too difficult to remember until I didn't use it for 4 years).
You can create your own JtR rules to generate your wordlist.
Create a local john-local.conf file in your working directory, so JtR will include it, giving you the option to run rules defined therein:
Password crackers can be online or offline. Online password crackers, such as Hydra, are used when brute-forcing online network protocols and HTML forms. Situations where online brute forcing might be impractical include a remote system that limits the rate of sign-in attempts or a system that locks users out indefinitely after a predefined number of invalid login attempts.
In these scenarios, an offline password cracker works against the stored password values themselves rather than attempting logins against the live system. Since systems and applications rarely store passwords without cryptographic protection, those stored values must be cracked before they are of any use.
A popular offline password cracker is John the Ripper. This tool enables security practitioners to crack passwords whether the stored artifacts are encrypted or hashed passwords, message authentication codes (MACs), hash-based MACs (HMACs), or other artifacts of the authentication process.
Editor's note: It is possible to use John the Ripper -- and any password cracker -- lawfully and unlawfully. It is up to you to ensure your usage is lawful. Get the appropriate permission and approval before attempting to crack passwords, and handle the information obtained ethically. If you are unsure whether a given usage is lawful, do not proceed until you have confirmed that it is -- for example, by discussing and validating your planned usage with your organization's counsel.
The tool is also notable for its ubiquity and accessibility. It's included in the default repositories for many Linux distributions, including Debian and Ubuntu, and installed by default in most penetration testing distributions, including Kali and BlackArch. A snap install of it is available, along with multiple container options in Docker Hub.
Simply put, John cracks passwords. It replicates the password-handling functionality of the target storage mechanism so that numerous candidate password values can be tried locally, without going through the target's own validation routine.
Before using John the Ripper, one important note: We're using VMs to illustrate usage. In the case of this tool specifically, performance is important. Consider the relative advantages and disadvantages of using virtualization and the context. For example, you might find an IaaS where paying for CPU time can be an expensive proposition. Or you might get better performance running the tool on a host OS rather than a guest.
That aside, John is simple to use. At a minimum, you need to specify the stored password values you want to crack. If you provide no information other than that, the tool tries to figure out what format the stored values are in and assumes a set of constraints about what you might want to do. That said, in most cases, you should provide more information to allow the tool to operate most effectively.
While not necessary in every case, it's helpful to know the format passwords are stored in. This is because applications might manipulate formats in ways John might not expect -- a web application, for example, might Base64- or URL-encode values before storing them. It's also helpful because the built-in mechanisms used by John to determine type and format can be wrong. Consider two similar-in-format but vastly different values: an MD5 hash and an MD5 keyed hash. The outputs are identical in format, but the processes that led to the outputs are anything but. John wouldn't know the difference, unless you provide the missing information.
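As an added illustration of the MD5-versus-keyed-MD5 point above (example code written for this page, not from the article or from John the Ripper itself; the password and server key are constructed sample values), the following shows that both outputs have the same 32-hex-character shape, and that checking a correct guess under the wrong model silently fails:

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values for this example (not from the article).
PASSWORD = b"correct horse"
SERVER_KEY = b"server-side-secret"  # hypothetical key only the application holds


def plain_md5(password: bytes) -> str:
    """Unkeyed MD5: what a naive format sniffer assumes when it sees 32 hex chars."""
    return hashlib.md5(password).hexdigest()


def keyed_md5(password: bytes, key: bytes) -> str:
    """HMAC-MD5: same output shape, but the key is a required input."""
    return hmac.new(key, password, hashlib.md5).hexdigest()


def looks_like_md5(digest_hex: str) -> bool:
    """Shape-only check, like an auto-detector: 32 lowercase hex characters."""
    return len(digest_hex) == 32 and all(c in "0123456789abcdef" for c in digest_hex)


def verify_guess(stored: str, guess: bytes, key: Optional[bytes] = None) -> bool:
    """Recompute the stored value from a guess under the chosen model and compare."""
    candidate = keyed_md5(guess, key) if key is not None else plain_md5(guess)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Both values pass the shape check, yet only the right model verifies the guess."""
    unkeyed = plain_md5(PASSWORD)
    keyed = keyed_md5(PASSWORD, SERVER_KEY)
    return {
        "both_look_like_md5": looks_like_md5(unkeyed) and looks_like_md5(keyed),
        "outputs_differ": unkeyed != keyed,
        "keyed_checked_as_plain": verify_guess(keyed, PASSWORD),  # False
        "keyed_checked_with_key": verify_guess(keyed, PASSWORD, SERVER_KEY),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is that an auto-detected "MD5" can be HMAC-MD5 under a key the cracker never sees, so the missing information (here, the key and the construction) has to be supplied explicitly.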
Figure 2 illustrates using the unshadow command. This is distributed with John the Ripper in most packages. It combines the contents of /etc/passwd and /etc/shadow on a Linux VM, in this case, Kali. Then, we used the john command and specified the format -- in this case, the crypt mechanism. Since we haven't told it what cracking mode to use, John begins with single crack and then proceeds to wordlist -- none was specified, so it used the default. Ultimately, it will move to incremental mode.
In a more complicated example, Figure 3 shows an attempt at cracking Microsoft Windows passwords. As with the Linux example, passwords must be put into a format John the Ripper can understand. To accomplish that, we used PwDump v8.2.
These values are fed into John the Ripper to crack in Figure 4. We specified wordlist mode and instructed it to use rockyou.txt, one of the wordlists that ships by default with most security-focused Linux distributions. Note that you may need to extract the text file first. The passwords were set to weak values -- dictionary words in all cases -- to enable the cracking to complete quickly. These two examples demonstrate the most universally applicable and most basic usage of John the Ripper. For more advanced usage, you may need to get a little creative. Sometimes, the format of the stored password values you can obtain is not one of the formats supported by John out of the box. With a little research and a few clever modifications, however, you can often convert it to one that is.
The problem is that I am following the instructions on the official website, but when I type the command: "patch p1 I have checked my patch and it does have the same header as the one you show there. I have downloaded the GNU patch and installed it, but it still does not work. I don't know if I have to do something different; I just installed the GNU patch with swinstall and tried the command again...
(If you find that /usr/local/bin is not listed in your $PATH, you might want to edit the system default setting for that variable. It is located in file /etc/PATH. If you add it, you might want to add /usr/local/man to /etc/MANPATH too. Both files should contain just a single line of text, with a colon-separated list of directories on it.)
I'm having some trouble using GNU make. I'm downloading version 3.82 from here. Once it's untarred, I don't really know how to use it. Sorry for the silly question, but could you help me at this stage?
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.

RE: John the ripper taking too long
pansophic (MIS) 6 Oct 03 08:22

I generally agree with lullysing, but John is also a dictionary cracker. The dictionary that comes with it is poor at best. There are numerous dictionaries on the net, and installing them will greatly increase your speed of password recovery if people are using dictionary-based passwords.
And if you are only interested in the root password, then edit the password file to only include the user root. It will speed the cracking marginally (you only compare the hash against 1 hash, not 3).
I had to run John for 2 1/2 days on one machine to get a relatively easy root password with the default dictionary. But if you are curious whether John is still running, just check top. I'm sure that it will be relatively close to the top, as it has a high CPU utilization.
Brute force password cracking is always possible, but it takes a long time unless the password is simple. Some of the things that you can do to improve the cracking performance involve using John's option switches to match password construction rules. If you know that a numeric or special character is required, then set those options in John. That way you won't waste time looking at all alpha passwords when they aren't even possible.
Oh, and a "salt" is an initialization vector for the hashing algorithm. It is the lack of a salt that makes Windows passwords so trivial to crack. On Unix, each machine has a salt that it uses (I don't recall how you arrive at it), so if you use the same password for two users on the same system, their hash will be the same, but if you use the same password on two different systems, the hash will likely be different.
pansophic

RE: John the ripper taking too long
Donboy (IS/IT--Management) (OP) 10 Oct 03 23:24

Thanks for all your help, guys. I feel pretty good about my passwords and my methods for logging in, but I wanted to use John as a final verification.
First, I have only one user account that is allowed to use SSH. It's an unprivileged account, and the only purpose for the account is logging in to SSH. It is not used for FTP, email, or any other purpose, so if it turns up in my logs, I will know that's its only use.
Once I have logged in using that account, I will su - to change to the root account which has a totally different password. Of course it's a royal pain having to enter 2 different usernames and passwords, but security is obviously the greater concern.
If it weren't for the fact that I need to be able to SSH from different locations all the time, I would just disable SSH completely or only allow it from select IPs, but I never know where I'm going to be.
So do you think this scheme is pretty safe? Should I be doing something else that maybe I've not considered?
I had no idea John would take so long. I've been reading "Linux Security" by Ramon J Hontanon and while it's a very good book, it didn't say anything that suggested that it might take days to run John on my /etc/passwd file.
Thanks again for your insight.

RE: John the ripper taking too long
Sapient2003 (TechnicalUser) 14 Oct 03 14:37

John the Ripper is a great *nix password cracker. Its speed isn't so bad. It checks common passwords initially, like names, words, places, etc. If the password isn't found in the initial check, it then does true brute forcing (trying all possible password combinations). This step takes some time, depending on the length of the password. Because of all of the password possibilities, obviously it is going to take a while. No password cracker will be much faster.

--Sapient2003
sap...@sapient2003.com
"The worst insecurity is believing you are too secure."