Cracking passwords

Passwords are the most common method by which users authenticate to systems. While exploiting a target system, it is common to find passwords that also grant access to other systems. Chapter 4, Client-side Attacks, provides a section dedicated to cracking passwords with the many tools available in Kali. The next section touches on password cracking by showcasing a very popular tool available in Kali.

John the Ripper

John the Ripper is the most popular password cracker in use today. It has several engines that allow it to crack different types of passwords, including encrypted and hashed passwords. John the Ripper can autodetect most hash and encrypted password formats, making the process easier for penetration testers. Attackers like the tool because it is very customizable and can be configured in a variety of ways to speed up password cracking.

John the Ripper operates in the following manner:

  • Attempts cracking passwords with dictionary words
  • Uses dictionary words with alphanumeric characters appended and prepended
  • Puts dictionary words together
  • Adds alphanumeric characters to combine words
  • Runs dictionary words with special characters mixed in
  • When all else fails, attempts brute-force

Best practice is to update the default dictionary. We found the default wordlist is limited (around 3115 words) and in many cases won't crack common passwords. You can find dictionaries by searching Google. To verify the size of a new wordlist, open a terminal and issue the word count command once the file is in the active folder. That command is wc -l FILENAME.

It is common to end up with duplicate words when downloading and combining multiple word lists from the Internet. It is recommended to remove duplicates as well as convert any uppercase letters to lowercase, since John toggles case automatically. An example of the command to convert all uppercase letters to lowercase is:

tr A-Z a-z < CustomWordFile > AllLowerCaseFile

An example of the command to remove duplicates is:

sort -u AllLowerCaseFile > NoDuplicatesOrUpperCase

Verify the new word count by issuing the word count command on your new file:

wc -l NoDuplicatesOrUpperCase
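As an added example that is not from the book, the following POSIX shell script carries the clean-up steps above through for several downloaded lists at once, also stripping Windows line endings and blank lines that would otherwise survive sort -u as bogus entries. The file names and words in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): merge several downloaded wordlists into one
# John-ready file. Steps: strip CRLF line endings, lowercase everything, drop
# blank lines, remove duplicates, then report how many entries survived.
set -eu

# normalize_wordlists OUTPUT INPUT... : writes the cleaned list to OUTPUT and
# prints the number of unique lowercase words it contains.
normalize_wordlists() {
    out="$1"; shift
    cat "$@" \
        | tr -d '\r' \
        | tr 'A-Z' 'a-z' \
        | grep -v '^$' \
        | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# count_lines FILE : the same check as the book's wc -l, without the filename.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# Demonstration on two constructed lists: one Unix-style with a blank line and
# mixed case, one with Windows (CRLF) line endings and overlapping entries.
demo() {
    tmp=$(mktemp -d)
    printf 'Password\nletmein\nPASSWORD\n\nqwerty\n' > "$tmp/list1.txt"
    printf 'password\r\nQwerty\r\nwelcome1\r\n' > "$tmp/list2.txt"
    raw=$(cat "$tmp/list1.txt" "$tmp/list2.txt" | wc -l | tr -d ' ')
    kept=$(normalize_wordlists "$tmp/NoDuplicatesOrUpperCase" \
                               "$tmp/list1.txt" "$tmp/list2.txt")
    echo "raw lines: $raw, unique lowercase words: $kept"
    cat "$tmp/NoDuplicatesOrUpperCase"
    rm -rf "$tmp"
}

demo
```

Point the Wordlist setting in john.conf at the output file, as described further on, to have John use it.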

To open John the Ripper in Kali, go under Password Attacks | Offline Attacks and select John. A command-line terminal will open.

Note

Johnny is a GUI for John the Ripper. Johnny is covered in Chapter 4, Client-side Attacks.

You can benchmark the speed of John the Ripper by typing john -test to get an idea of how fast it will run.

To use a custom word file such as the one built in the previous example called NoDuplicatesOrUpperCase, you will need to edit the default wordlist. This can be found by editing the file john.conf under the default John the Ripper folder. In that file, you will find the wordlist pointing to a default passwords.lst.


Change the wordlist entry to the name of your new wordlist file. Following the previous example, you would change it to Wordlist = NoDuplicatesOrUpperCase.lst. The new wordlist file must be in the folder specified in the john.conf file; by default this is the $JOHN directory.

To use John the Ripper on a password file, you will first need to copy the target file into the John directory. Use the copy command cp, giving it the file to copy and the John directory as the destination. For example, to copy a shadow file (the file in which Linux systems store password hashes), type cp /etc/shadow followed by the path of the John directory.

Once the file is in the same directory as John the Ripper, issue the command john and the filename. So to run John the Ripper on a file shadow, type john shadow.

You can check the progress of John the Ripper by pressing Enter, which will display the current password being guessed as well as the cracks per second listed as c/s.

You can pause John the Ripper by pressing CTRL and C keys together. If you restart John by issuing john FILE, it will resume where you last paused the file.

To see the results once John the Ripper finishes, type john -show FILE. So to see the results of the shadow file, type john -show shadow.

You can find more information on John the Ripper such as other commands at http://www.openwall.com/.
