Sunday, June 19, 2011

John The Ripper- Destroying Passwords The Penguin Way

Hello, and welcome to my guide on using John The Ripper. Today we will be cracking our own Linux password. Now before you get all jumpy and excited about what you are going to learn, let me just say this- THE CAPABILITIES OF ANY PASSWORD CRACKING TOOL ARE ONLY AS GOOD AS YOUR WORDLIST. In other words, if you have a wordlist with 5 words in it, don't expect to crack anything. It would be like trying to drive a car without a motor. If you have no idea what a wordlist is, then I'll tell you- a wordlist, or dictionary file, is merely a .txt or .lst file (those are the usual extensions) with a bunch of words in it, one word per line. Parsing these files is easy- any high-level programming/scripting language can do it by reading the file one line at a time with a .readline() method or something similar, then stripping the trailing newline from each line with a .replace() or .strip() method, or something similar.

Here are some things you will probably need or want to have for this guide-

--> BackTrack 5 (or another Linux distro, preferably Ubuntu/Xubuntu/Kubuntu)
--> John The Ripper
--> Some way to generate a hash (online hash generator, WebSlayer, or something of the sort.)

I highly recommend using BackTrack 5. If for some reason you can't use it or just don't like it, take a look at Blackbuntu.

The first thing we're going to do is crack our own Linux password. If you are using BackTrack 5, and you haven't changed your password, the password is toor (we are using the root account). Let's get started!


To see all the available options for John The Ripper, simply type john in your Terminal. Read through all the options. This is the best way to learn how penetration testing tools work, and most of the time you will learn something important just from learning how to use a single switch or parameter. We will be doing a couple of things with this tool, including cracking Linux passwords and a couple of other hash types.

Since we're cracking our own Linux password, we have to change directories to /etc. In this directory, we can take a look at the passwd file. To do this, we can use any text editor we want; I'm just going to use cat. Here's what you should see-

If you have no idea how to read through this format, let me teach you. Let's just take the line from the root account and look at it-

root:x:0:0:root:/root:/bin/bash

If it looks a little confusing, don't worry, because once you understand it you can breeze right through the whole passwd file. So let's break it down-

root --> This is the username field.

x --> This is the password field.

0 --> The User ID (UID) field.

0 --> The Group ID field.

root --> The User ID Information field. This field is used for comments and whatnot.

/root --> The Home Directory for the user.

/bin/bash --> This is the absolute path for a command shell. It doesn't have to be a command shell, but it usually is.


So now, after looking at the above explanation, you're wondering why the password field has an x. This is because the password is shadowed, which is done by means of the /etc/shadow file. The shadow file holds the actual encrypted password, but no regular user is allowed to read it. If we had access to it (which we do, if you are using BackTrack), we wouldn't need to use the /etc/passwd file. But the whole point of this guide is to teach some small part of privilege escalation, so we have to pretend we aren't root yet. So if we don't have access to the /etc/shadow file, and the password field of the /etc/passwd file holds just an x, then how do we get the encrypted password? We have to unshadow the password field. Then we will see, in the passwd output, the same hash that is stored in the shadow file. To unshadow the password field, we will use the unshadow utility that ships with John The Ripper. To do this, navigate to the directory where you have John The Ripper installed, then type-

./unshadow /etc/passwd /etc/shadow


Here is the output-

As you can see, we now have the encrypted password. The only thing left to do is crack this password with John The Ripper.
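To make the passwd layout and the unshadow step concrete, here is an added example written for this page (it is not part of the original guide and not John The Ripper's own unshadow source). It splits each passwd line into the seven fields described above, substitutes the hash field from a shadow file for the x, and then picks out the user:hash pairs a cracker would actually need. The passwd and shadow contents are constructed samples, and the $6$ strings are placeholders standing in for real sha512crypt hashes.

```python
# Added example, not John The Ripper's own code: parse /etc/passwd lines
# and merge in the hash field from /etc/shadow, the way the unshadow
# utility does. The file contents below are constructed samples; the
# $6$ strings are placeholders standing in for real sha512crypt hashes.
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$SALTSALT$PLACEHOLDERHASH:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$c2FsdA$PLACEHOLDERHASH2:15000:0:99999:7:::
"""


@dataclass
class PasswdEntry:
    name: str
    password: str   # "x" means the real hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str      # the user-information (comment) field
    home: str
    shell: str

    def to_line(self) -> str:
        return ":".join([self.name, self.password, str(self.uid),
                         str(self.gid), self.gecos, self.home, self.shell])


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one passwd line into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, password, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell)


def parse_shadow(text: str) -> Dict[str, str]:
    """Map each user name to the hash field (second field) of its shadow line."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.strip()}


def unshadow(passwd_text: str, shadow_text: str) -> List[str]:
    """Replace the 'x' in each passwd line with the hash from the shadow file."""
    shadow = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if entry.name in shadow:
            entry.password = shadow[entry.name]
        merged.append(entry.to_line())
    return merged


def john_input(merged_lines: List[str]) -> List[str]:
    """Keep only 'user:hash' pairs for accounts that actually have a hash.

    A field of '*' or '!' means the account is locked or has no password,
    and a leftover 'x' means no shadow entry was found; none of those
    give a cracker anything to work on.
    """
    pairs = []
    for line in merged_lines:
        entry = parse_passwd_line(line)
        pw = entry.password
        if pw and pw != "x" and pw[0] not in "*!":
            pairs.append(f"{entry.name}:{pw}")
    return pairs


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(merged))
    print("--- crackme.txt ---")
    print("\n".join(john_input(merged)))
```

The john_input output is exactly the "first two fields of the root account" that the next step asks you to copy into crackme.txt; the daemon account is skipped because its shadow field is *, so there is no hash to crack.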

What we're going to do is put the username and encrypted password into a text file. This text file needs to be in the same directory as John The Ripper. So copy the first two fields of the root account (the username and the hash), and put them in a text file. This is what it should look like-

I will save the file as crackme.txt

Now that we have our file ready, let's crack the hash!

There are two methods of cracking this hash. First, we will use our wordlist. We talked about these, remember? John The Ripper has its own wordlist, called password.lst, so don't worry if you think you don't have one. The other method will be a bruteforce attack (--incremental). First, the dictionary attack-

./john --wordlist=password.lst crackme.txt

Here's the output-

As you can see, John The Ripper detected what type of hash we were cracking, and returned the username along with the plain text of the password. Cool! Now let's try to bruteforce the password. This can be done with the --single option-

./john --single crackme.txt

Here's the output-

If we want, we can specify the --incremental option, which is just like the --single option, except that we can define which mode we want to use, and the mode determines which character set is used.
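Here is an added example (written for this page, not code from the guide or from John The Ripper) that shows what the two searches described above actually do to a crackme.txt-style file: a wordlist pass, where the wordlist is read one word per line as described at the top of the guide, and an incremental-style exhaustive pass over a character set you choose. The hash scheme is a constructed stand-in, $demo$<salt>$<sha256(salt + password) hex>, chosen so the code runs anywhere with the standard library; real Linux hashes (the $6$ prefix is sha512crypt) need a crypt(3) implementation, which is what john brings along. The wordlist, the hashes and the user names are all constructed samples.

```python
# Added example, not John The Ripper's code: a wordlist pass and an
# incremental-style exhaustive pass against "user:hash" lines like
# crackme.txt. The "$demo$" hash format is a constructed stand-in for
# the real crypt(3) formats; the sample data below is made up.
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List, Optional


def demo_hash(password: str, salt: str) -> str:
    """Toy salted hash: $demo$<salt>$<sha256(salt + password) as hex>."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


def check_candidate(candidate: str, stored: str) -> bool:
    """Re-hash the candidate with the salt parsed out of the stored hash."""
    _, scheme, salt, _digest = stored.split("$")
    if scheme != "demo":
        raise ValueError(f"unsupported hash format: {stored!r}")
    return demo_hash(candidate, salt) == stored


def load_wordlist(text: str) -> List[str]:
    """One candidate per line; drop the newline, skip blanks and comments."""
    words = []
    for line in text.splitlines():
        word = line.rstrip("\r\n")
        if word and not word.startswith("#"):
            words.append(word)
    return words


def parse_hash_file(text: str) -> Dict[str, str]:
    """crackme.txt style: 'user:hash' per line (any extra fields ignored)."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            user, stored = line.split(":")[:2]
            entries[user] = stored
    return entries


def incremental_candidates(charset: str, max_len: int) -> Iterator[str]:
    """Every string over charset from length 1 up to max_len, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def audit(entries: Dict[str, str], candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """Try each candidate against every hash not yet matched; stop when all are."""
    found: Dict[str, Optional[str]] = {user: None for user in entries}
    for cand in candidates:
        for user, stored in entries.items():
            if found[user] is None and check_candidate(cand, stored):
                found[user] = cand
        if all(found.values()):
            break
    return found


# Constructed sample inputs.
WORDLIST = "# constructed sample wordlist\npassword\n123456\ntoor\nletmein\n"
HASH_FILE = (
    "root:" + demo_hash("toor", "c4f3") + "\n"
    "alice:" + demo_hash("ab1", "9e7a") + "\n"   # not in the wordlist
)


def run_demo():
    entries = parse_hash_file(HASH_FILE)
    by_wordlist = audit(entries, load_wordlist(WORDLIST))
    # Whatever the wordlist missed gets the exhaustive pass, here over a
    # deliberately tiny character set and length so it finishes instantly.
    remaining = {u: h for u, h in entries.items() if by_wordlist[u] is None}
    by_incremental = audit(remaining, incremental_candidates("abc123", 3))
    return by_wordlist, by_incremental


if __name__ == "__main__":
    wl, inc = run_demo()
    print("wordlist pass:   ", wl)     # root found, alice not
    print("incremental pass:", inc)    # alice found in the small keyspace
```

Two things worth noticing when you run it: the salt has to be taken from the stored hash and reused for every candidate, which is why a cracker must understand the hash format before it can do anything, and the exhaustive pass is only feasible because the character set and length were kept tiny, which is the point of john's --incremental modes selecting a character set. In john itself, --incremental is the exhaustive search shown here, while --single draws its candidates from the account's own login name and user-information fields with word-mangling rules applied.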

TROUBLESHOOTING-

Q- I get the following error- "No password hashes loaded".

A- This is probably due to the fact that John The Ripper has already cracked the hash you are trying to crack. If you want to crack the same hash again, delete the john.pot file.



Q- John The Ripper didn't crack my password. What the hell?

A- WHY DID YOU PICK SUCH A STRONG PASSWORD?! Just kidding, good job on taking your security seriously. There are two solutions to this problem- either put your password in the wordlist (password.lst), or change your password to something stupid (just for this guide). If you choose the latter, make sure you change your password back to what it was.

HAPPY HACKING!
