Essential password cracker for hacking toolkits: how "John the Ripper" works

John the Ripper (JtR), first released in 1996, is a password cracking tool originally developed for Unix-based systems. It tests password strength by running dictionary and brute-force attacks against encrypted (hashed) passwords.


Definition of JtR

JtR tools are available in both free and pro versions. An improved “Jumbo” community release is also available from the open source GitHub repo. The professional version used by professional penetration testers has additional features, such as an expanded multilingual word list, performance optimization, and 64-bit architecture support.

The tool's main features include several modes that speed up password cracking, automatic detection of the hashing algorithm used for an encrypted password, and simple operation and configuration, which make it a password cracking tool for beginners and experts alike.

How JtR works

Password crackers generally work in one of three ways. In every case the goal is the same: to guess (crack) the real password.

-Dictionary attack: In this type of attack, the tool works from a large pre-built list of words, phrases and likely passwords, including passwords from previously leaked data. It feeds every entry in the list to the application until the correct password is found.

-Brute force attack: In this type of attack, the user gives the tool the minimum and maximum length of the password, the types of characters it may contain (letters only, letters plus numbers, special characters, etc.) and where those characters are likely to appear (for example, every generated password starts with 4 letters, followed by two digits and then two special characters).

Finding the right set of constraints takes some guesswork and expertise. The tool then tries every possible password combination that meets the criteria within that range.

If the correct password is found, the user is notified. This approach works, but it can be very slow. For example, a 9-character password mixing uppercase and lowercase letters, numbers and special characters is virtually impossible to crack this way, because a computer would need more than 9 years to guess it. That is why security experts always recommend long, complex passwords built from a combination of different character types.

-Rainbow tables: Business-critical, security-conscious applications rarely store passwords in plain text; they store fixed-length hashes instead. A rainbow table can therefore be efficient when you have a list of hashed passwords, for example from leaked data.

In this case, a list of precomputed password hashes is compared against the captured hashes to recover the password in plain text. Because the hashes are precomputed, a rainbow table lookup is faster than brute force.

Rainbow tables stop being effective when the password hashes are salted and the salt is large enough to raise the overall complexity. That is why salting is used as a security defense in addition to storing hashed (rather than plain text) user passwords in the database. Applied properly, it means that even if the password database is leaked, a hacker cannot actually recover the users' passwords in their original plain text form.
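The contrast the article draws between a precomputed lookup and a salted hash, as an added illustration (not code from the article or from the JtR project): the wordlist, the sample hash and the 16-byte salts are constructed here, and SHA-256 stands in for whatever hash a real application would use.

```python
import hashlib
import os

# Constructed sample wordlist standing in for a dictionary of leaked passwords.
WORDLIST = ["password", "letmein", "michael123", "admin", "summer2020"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(words):
    """Precompute hash -> plaintext for unsalted hashes (the rainbow-table idea,
    without the chain compression real rainbow tables use to save space)."""
    return {sha256_hex(w.encode()): w for w in words}

def lookup_unsalted(stored_hash, table):
    """One dictionary lookup recovers the plaintext of any unsalted hash in the table."""
    return table.get(stored_hash)

def store_salted(password, salt=None):
    """Defender side: a random per-user salt stored next to hash(salt || password).
    Illustrative only; production systems should use a slow KDF (bcrypt, argon2)."""
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + sha256_hex(salt + password.encode())

def lookup_salted(stored, table):
    """The precomputed table no longer matches anything: the salt changed every
    hash input, so the lookup returns None even for a password in the wordlist."""
    _salt_hex, digest = stored.split("$")
    return table.get(digest)

def wordlist_attempts_salted(stored, words):
    """Without a usable table each salted hash has to be worked on separately,
    rehashing the whole wordlist per user. Returns (match or None, hashes computed)
    so the extra cost salting imposes is visible."""
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for count, w in enumerate(words, 1):
        if sha256_hex(salt + w.encode()) == digest:
            return w, count
    return None, len(words)
```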

Three modes of JtR

JtR has at least three modes, plus an "external" mode that lets users define custom modes through a configuration file.

-Single crack mode: The JtR authors recommend running this mode first because it is the fastest. Single crack mode "guesses" the password from information such as the user's full name and username, taken from the GECOS field in the Unix passwd/shadow file.

It works when a user has based the account password on commonly available information or on the username itself (e.g., admin:admin, michael:michael123).
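The same account-derived guesses, turned around into a defender's policy check, as an added example that is not part of the article or of JtR: the rule set is a hypothetical simplification (single crack mode applies far more mangling rules than stripping digits, changing case and reversing), and the GECOS strings below are constructed.

```python
import re

def name_tokens(username: str, gecos: str):
    """Collect the words single crack mode would seed from: the login name plus the
    words of the GECOS full-name field (the part before the first comma)."""
    full_name = gecos.split(",")[0]
    tokens = {username.lower()}
    tokens.update(t.lower() for t in re.findall(r"[A-Za-z]+", full_name))
    return {t for t in tokens if len(t) >= 3}

def derived_from_account(password: str, username: str, gecos: str) -> bool:
    """True if the password is just an account word with trivial decoration:
    digits or symbols added at either end, a case change, or reversal."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    if not core:
        return False
    for tok in name_tokens(username, gecos):
        if core in (tok, tok[::-1]):
            return True
    return False

def check_password_policy(password: str, username: str, gecos: str):
    """Reject account-derived passwords before they ever reach the shadow file.
    Returns (accepted, reason)."""
    if derived_from_account(password, username, gecos):
        return False, "password is derived from the username or full name"
    return True, "ok"
```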

-Wordlist mode: Like a dictionary attack, this mode relies on a text file containing a list of passwords supplied by the user (ideally one per line, with no duplicates). JtR does not sort the supplied wordlist, but the user can easily do so beforehand. The JtR guide recommends the following command for normalizing a wordlist:

tr A-Z a-z < SOURCE | sort -u > TARGET

The application also ships with a basic wordlist, and the pro version offers more.

-Incremental mode: This is JtR's most powerful cracking mode, the equivalent of brute force. Against a sufficiently complex password it takes so long that in practice it never completes.

The guide puts it this way: "Cracking with incremental mode never ends because the number of combinations is too large (in fact, it does end if you set a low password length limit or use a small character set), so you have to stop it before that."

JtR use case

The detailed use case on JtR's website focuses on cracking Unix "shadow" files, which contain the hashed passwords of user and system accounts.

In modern Unix-based distributions, a list of users (usernames) and other information is stored in the /etc/passwd file, and the password hash for each user account is stored in a separate /etc/shadow file.

Because the passwd/shadow files are treated as confidential (and stored with restricted file permissions of 644), you must first combine the two files into a single file that JtR can use. You do that by running:

umask 077
unshadow /etc/passwd /etc/shadow > mypasswd

Running umask 077 first ensures that the newly created "mypasswd" file (or whatever name you choose) is created with restrictive permissions and is ready for use with JtR. Once the "mypasswd" file exists with the proper permissions, the simplest approach is to let JtR run on autopilot.
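What the unshadow step and the umask 077 precaution achieve, as an added example that is not code from the article or from the JtR project: the passwd and shadow lines are constructed samples with placeholder hashes, and the merge is a simplified re-implementation of unshadow's username-keyed field substitution.

```python
import os
import tempfile

# Constructed sample lines in /etc/passwd and /etc/shadow format; the hashes are
# placeholders, not real credentials.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "michael:x:1000:1000:Michael Smith,,,:/home/michael:/bin/bash",
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin",
]
SHADOW_LINES = [
    "root:$6$saltone$HASHPLACEHOLDER1:19000:0:99999:7:::",
    "michael:$6$salttwo$HASHPLACEHOLDER2:19000:0:99999:7:::",
    "nobody:*:19000:0:99999:7:::",
]

def merge_passwd_shadow(passwd_lines, shadow_lines):
    """What unshadow does: copy the hash from shadow into passwd's second field,
    matched by username. Locked accounts keep their '*' or '!' marker."""
    hashes = {}
    for line in shadow_lines:
        fields = line.split(":")
        hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def write_private(path, lines):
    """Create the merged file owner-read/write only (0600): the protection the
    article gets from 'umask 077', enforced here regardless of the caller's umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    return oct(os.stat(path).st_mode & 0o777)

def build_mypasswd(directory=None):
    """Write the constructed sample to <directory>/mypasswd; return (path, mode)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "mypasswd")
    mode = write_private(path, merge_passwd_shadow(PASSWD_LINES, SHADOW_LINES))
    return path, mode
```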

In that case JtR first runs "single crack" mode on the newly created mypasswd file, then the more extensive wordlist mode with its default settings and list, and if all of those fail, the powerful but slow incremental mode.

If you stop a session (e.g., with the Ctrl+C interrupt signal) by shutting down the application, you can resume it later by running:

john --restore

Beyond these basic use cases, the full list of options is on the application's man page, which you can open by running:

man john

In a real-world scenario, it is a good idea to set some options in the configuration file before running the tool against real data. For example, the options let you specify the text file JtR should use in wordlist mode, or the range of password lengths and the character set it should use in incremental mode.

Overall, JtR is one of the oldest and most familiar tools professional penetration testers use to crack passwords or check password strength. Its wide popularity, free open source version and community support make it a standard part of the hacker toolkit.