Linux security – Securing user accounts with John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

To install it run:

apt-get install john john-data

then download the word list from OpenWall website.

wget http://download.openwall.net/pub/wordlists/all.gz

This list contains over 5 million words from several languages, there is a paid version of this file but for most purposes the free version is sufficient.

The cracking procedure is very simple but fist we need to combine the passwd and shaddow files:

# unshadow /etc/passwd /etc/shadow > password.list

Once that is done all we need to do is run John the Ripper against that file and specify the user name and the word list:

# john -users:testuser -wordlist:all password.list
Created directory: /root/.john
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 100% 3.448g/s 331.0p/s 331.0c/s 331.0C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And in this example in less than a second we have the password cracked.

If we want to try and decrypt all passwords listed in the password.list file then we tell John to run this command:

# john --format=crypt -wordlist:all password.list
Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status

Simples!