Password security. John the Ripper attempts to crack passwords by comparing the hashed version with hashes computed from common words, permutations of common words, and pointless additions ("alex123", "betty222" and the like).
On any modern system, no non-administrative user should be able to read the hashed passwords at all, so you should understand that this is not a black-hat tool used to crack your passwords (though similar tools can be used to generate brute force password guessing). If somebody can read your shadow password file, you are already in trouble.
No, this is a tool for administrators to test for weak passwords. For Linux shadow passwords, you use the included "unshadow" to create a file to run against:
./unshadow /etc/passwd /etc/shadow > pw1
./john pw1
and sit back to wait. Of course, this is one of the few times where you (the administrator) are actually hoping that John takes a long time and finds nothing. Even if the passwords aren't all that good, John is probably going to run for a goodly period of time. If you use it in incremental mode ("john -i"), it might run forever - seriously. As the docs explain:
This will use the default incremental mode parameters, which are defined in ~/john.ini's [Incremental:All] section. In the configuration file supplied with John these parameters are to use the full 95 character set, and to try all possible password lengths, from 0 to 8. (By zero password length I mean a hashed empty string, this sometimes happens.) Don't expect this to terminate in a reasonable time (unless all the passwords were weak and got cracked), read doc/MODES for an explanation.
You really need to read the documentation here. It isn't difficult to understand, but you need to read it.
What you DON'T want to see is something like this:
# ./john pw1
Loaded 1 password (FreeBSD MD5 [32/32])
fred123 (fred)
guesses: 1 time: 0:00:00:00 100% (1) c/s: 625 trying: fred123
#
That popped back almost before my finger bounced off the ENTER key. When I ran it with -i, it took a bit longer (actually about two hours with MaxLen set to 12), but when you consider how many combinations it had to try before getting to that, it gets there pretty darn fast. John never did crack my real passwords, though of course it would if I had left it running long enough. Don't forget to set MaxLen in john.ini if your passwords exceed its default of 8 (and they should!).
If you are curious about what John is up to, press ENTER while it is running:
guesses: 1 time: 0:00:00:31 8% (2) c/s: 1624 trying: dexter1
guesses: 1 time: 0:00:00:32 8% (2) c/s: 1624 trying: Mustang1
guesses: 1 time: 0:00:00:34 9% (2) c/s: 1624 trying: Stacey1
guesses: 1 time: 0:00:00:35 9% (2) c/s: 1625 trying: Gunner1
guesses: 1 time: 0:00:01:13 20% (2) c/s: 1625 trying: ariel!
When John cracks a password, it gets stored in "john.pot". For example, after cracking Fred's password, john.pot contained:
$1$2wf30E0F$zBGoSoo0aS9C0eEi/HqoH1:fred123
The "fred123" was, in fact, the actual password used, but you have no absolute knowledge that is the case. It's pretty likely, but it is at least in the realm of possibility that two different words can hash to the same string. You are quite safe in assuming that did not happen, and would never go broke betting against it.
If you want to read more about that sort of thing, see this FAQ on hash collisions.
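One way to turn john.pot into a list of accounts that need a password change, without ever displaying the cracked passwords (an added example, not part of the original article or of John the Ripper). The unshadow() function is a simplified stand-in for the real tool; the fred hash and pot line are the ones shown above, while the alice entry and every other field value are constructed.

```python
# Constructed sample data. The fred hash and pot line come from the article;
# alice's hash is a made-up placeholder and the remaining fields are invented.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
fred:x:1001:1001:Fred:/home/fred:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
"""
SHADOW = """\
root:*:14556:0:99999:7:::
fred:$1$2wf30E0F$zBGoSoo0aS9C0eEi/HqoH1:14556:0:99999:7:::
alice:$1$EXAMPLE0$ConstructedPlaceholderHash:14556:0:99999:7:::
"""
POT = "$1$2wf30E0F$zBGoSoo0aS9C0eEi/HqoH1:fred123\n"

def unshadow(passwd_text, shadow_text):
    """Simplified stand-in for unshadow: put each shadow hash into its passwd line."""
    hashes = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] in hashes:
            fields[1] = hashes[fields[0]]  # replace the "x" placeholder
        merged.append(":".join(fields))
    return merged

def pot_hashes(pot_text):
    """Hashes recorded in john.pot. Split on the FIRST colon only, because the
    plaintext may contain colons; assumes crypt-style hashes, which have none."""
    return {line.split(":", 1)[0] for line in pot_text.splitlines() if ":" in line}

def cracked_accounts(merged_lines, pot_text):
    """Usernames whose hash appears in the pot file; plaintexts are never returned."""
    cracked = pot_hashes(pot_text)
    users = []
    for line in merged_lines:
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] in cracked:
            users.append(fields[0])
    return users

if __name__ == "__main__":
    for user in cracked_accounts(unshadow(PASSWD, SHADOW), POT):
        print(f"{user}: password was cracked, force a change")
```

Locked entries such as root's "*" never match a pot line, so they are skipped without special handling.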

Sun Nov 8 18:09:01 2009: Subject: TonyLawrence
At http://linuxquestions.org, a post asked how to determine the password a user used.
In the course of my reply, I posted a link here. A moderator deleted it, saying
// pcunix, the LQ Rules make it clear that this isn't the place to receive or provide help with cracking.
I'm pretty annoyed by that... all the other answers told the poster that it couldn't be done, that all he could do was change it. I don't agree with the moderator.
You need to BE root to use John the Ripper. It's a legitimate tool for administrators to detect weak passwords.
Your opinions?