Crack Offline Password Hashes With John The Ripper
What is It?:
John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (eleven architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS).
It is one of the most popular password testing and breaking programs, as it combines a number of password crackers into one package, auto-detects password hash types, and includes a customizable cracker.
It can be run against various encrypted password formats, including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others.
John The Ripper’s Modes:
- Wordlist: John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.
- Single crack: In this mode, John will try to crack the password using the login/GECOS information as passwords.
- Incremental: This is the most powerful mode. John will try any character combination to resolve the password. Details about these modes can be found in the MODES file in John's documentation, including how to define your own cracking methods.
The first thing we need to do is get a list of hashes from somewhere. For this blog and for demo purposes we are going to use one from the NetForce security training site.
The hash dump that we are going to focus on in this blog is the one that has NetForce in the name and a DES encrypted hash next to it. Copy and paste it into a text document and save it in your root folder.
Next, use the unshadow command to combine the /etc/passwd and /etc/shadow files so John can use them. You need this because if you only used your shadow file, the GECOS information wouldn't be used by the "single crack" mode, and you also wouldn't be able to use the -shells option.
On a normal system you'll need to run unshadow as root to be able to read the shadow file, so log in as root or use good old sudo. Type “sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db” without quotes and press enter.
To use John, you just need to supply it with the password file created by the unshadow command along with the desired options. If no mode is specified, John will try "single" first, then "wordlist" and finally "incremental" password cracking methods.
Type “john /tmp/crack.password.txt” and press enter (make sure to change the path to wherever your password hash file is located).
Our output looks like this:
john /tmp/crack.password.txt
Loaded 1 password (FreeBSD MD5 [32/32])
Cracking the hashes will take time, so please be patient!
To see the cracked passwords after it completes, type “john --show /tmp/crack.password.txt” without quotes. The output looks like this:
test:123456:1002:1002:test,,,:/home/test:/bin/bash
didi:abc123:1003:1003::/home/didi:/usr/bin/rssh
2 passwords cracked, 1 left
That’s it! I hope you enjoyed reading, and as always don’t be evil!