John The Ripper is a utility which helps to identify weak passwords. If you are responsible for a system where users are potentially using insecure passwords, it’s not a bad idea to periodically audit them.
Installation
JTR is pretty easy to install. As its web site says, consider obtaining the pro version, however for my purposes I’ll stick with downloading something that looks like:
http://www.openwall.com/john/g/john-1.7.9.tar.gz
Actually, make sure you look for the "jumbo" package and get that. This is the package with community contributions. The normal distribution will be very minimal but the community one will have support for many more kinds of cracking problems.
Although the layout of the source package is somewhat idiosyncratic,
it’s pretty well thought out. Unpack it and cd src
. You need to pick
the correct architecture. Type make
with no arguments to see the
possibilities. Check your machines by checking stuff like:
file /sbin/init # Sure of 64bit?
grep sse /proc/cpuinfo # CPU with normal extensions?
I found that the following worked for all the machines I wanted to use.
make linux-x86-64
Once you’ve installed it definitely have a look at the results of:
john --test
Have a look at the formats this version of JTR will work on:
john --list=formats
des, bsdi, md5, bf, afs, lm, dynamic_n, bfegg, dmd5, dominosec, epi, hdaa,
ipb2, krb4, krb5, mschapv2, netlm, netlmv2, netntlm, netntlmv2, nethalflm,
md5ns, nt, phps, po, xsha, crc32, gost, keychain, lotus5, md4-gen, mediawiki,
mscash, mscash2, mskrb5, mssql, mssql05, mysql-sha1, mysql, nsldap, nt2, odf,
office, oracle11, oracle, osc, phpass, pix-md5, pkzip, racf, raw-md4,
raw-md5, raw-sha1, raw-sha1-linkedin, raw-md5u, salted-sha1, sapb, sapg,
sha1-gen, sip, vnc, wbb3, hmac-md5, hmac-sha1, raw-sha, raw-sha224,
raw-sha256, raw-sha384, raw-sha512, hmac-sha224, hmac-sha256, hmac-sha384,
hmac-sha512, xsha512, hmailserver, sybasease, dragonfly3-64, dragonfly4-64,
dragonfly3-32, dragonfly4-32, drupal7, sha256crypt, sha512crypt, episerver,
keepass, pwsafe, django, raw-sha1-ng, crypt, trip, ssh, pdf, wpapsk, rar,
zip, dummy
And it’s very illustrative to be able to list all kinds of stuff starting with:
john --list=?
Preparation
In theory JTR should not need exorbitant access to the disk, but if
you’re mostly using a remotely mounted file system, it might be good
to set things up at /tmp
.
Hashes
You need to prepare a file for JTR to work on. Hashes come in all kinds of flavors. Here is a good place to learn about password hashing possibilities.
The format I mostly need is SSHA (Salted Secure Hash Algorithm) which is what OpenLDAP likes. It seems to come in many different sizes but SHA-1 is 160bits (20 bytes).
MD5 | 22 characters
SHA-256 | 43 characters
SHA-512 | 86 characters
Ultimately we’re trying to get a file which contains a list of the password hashes to crack in one of the following formats:
username:{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==
{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==
username:{SSHA}WTT3B9Jjr8gOt0Q7WMs9/XvukyhTQj0Ns0jMKQ==:::::::
The following process should provide a good starting example. Of course, do all this in a safe location.
sudo slapcat -f /etc/ldap/slapd.conf | \ sed -n '/uid/,$p' | \ sed -n '/^uid:/s/uid: //p;/userPassword/s/userPassword:: //p' | \ sed '$!N;s/\n/ /' > pwlist
Base 64 Issues
One little problem is that slapcat
tends to return hashes in a
different form than JTR needs to see them. This is base 64 encoded.
Here is a little Python program that fixes this.
#!/usr/bin/python import sys import base64 f= open(sys.argv[1],'r') for l in f: u_p= l.split(' ') b64hash= u_p[1] johnable = base64.b64decode(b64hash) print u_p[0] +':'+ johnable
This converts something like this (username with base 64 encoded hash):
bob e1NTSEF9WWlvN204UHJWdUs0YXBXVjRJMFRxQ0piZUhsdkxWTjY=
into this (username with plain salted SHA hash):
bob:{SSHA}Yio7m8PrVuK4apWV4l0TqCjbeHlvLVN6
It can be hard to get the hash file in a format that JTR will accept. The following finally worked for me.
john:$1$Ab7eKb07$rz8U4LXdrXXpkUHxR2CSA/:20055:999:John Lenin:/home/john:/bin/tcsh
paul:$1$vO8a8uWU$nRUdvyzfOMKN1Npckwfxs1:20056:999:Paul Mac:/home/paul:/bin/tcsh
george:$1$0DvF/IQT$BItuZVf3lcwABZy/CbF6o0:20057:999:George Harris:/home/george:/bin/tcsh
ringo:$1$bvXgH/a8$dEqiTDJdwpKpkUHwvouCW1:20059:999:Ringo Star:/home/ringo:/bin/tcsh
Dictionary
You can get a dictionary by doing something like this.
S=http://void.cyberpunk.ru/wordlist/ wget -qO- $S | \ sed -n '/href=/s#<a href=\(.[^"]*\)><B>.*td.*#\1#p' | \ wget -i- -B$S for GZ in *gz; do echo $GZ; gunzip -c $GZ > dicts/${GZ%%.gz}; \ ls -lh dicts/${GZ%%.gz}; rm $GZ; done for Z in *Z; do echo $Z; gunzip -c $Z > dicts/${Z%%.Z}; \ ls -lh dicts/${Z%%.Z}; rm $Z; done for Z in *zip; do echo $Z; unzip -c $Z > dicts/${Z%%.zip}; ls -lh dicts/${Z%%.zip}; rm $Z; done cd dicts cat * | grep -v '^#' | tr ' [A-Z]\r' '_[a-z]\n' | sort | uniq > complete.dictionary
Running
It’s probably a good idea to run JTR in a screen session. First, this
will allow you to wander away (although JTR is supposed to catch
SIGHUP
and carry on in the background). Second, it will more easily
allow you to check in on how the run is going.
Here’s what I did to get a successful run:
$JTRPATH/john-1.7.9-jumbo-6/run/john
--wordlist=$JTRPATH/wordlist.txt
--pot=$JTRPATH/results.pot
--session=MySessionID
--crack-status
$JTRPATH/pw
When it runs you can check on its progress by doing this:
john --show hashes.txt
john --status=sessionname1
If you don’t run it in the background, you can get an update of what it’s working on by pressing enter in its terminal.
Apparently the cracked passwords are stored in $JOHN/john.pot
.
Note also that when JTR runs it gives itself a nice value of 19, which means it’s a very nice program to other programs. The assumption is that you don’t need your real work bogged down by some password cracking boondoggle.