July 11, 2005

CLI Magic: John the Ripper

Author: Joe Barr

There is more to the CLI than a collection of operating system commands. There are many tools - applications written without a thought as to the operating system - available at the CLI to handle a wide range of chores. Like cracking passwords, for example. Not for nefarious purposes, you understand: but for education. If you've ever wondered just how secure your passwords are, John the Ripper is a good way to find out. A much nicer way to find out than having a script-kiddy crack it in seconds.

John the Ripper is part of the Openwall GNU/*/Linux project, or Owl for short. It's been around for years, and has been ported to Windows, DOS, BeOS, and quite a few flavors of Unix. If it's not available as a binary for your distribution, download the source code for the latest version from the website and build it yourself.

After you decompress the tarball, you'll find tar has created a subdirectory called john-1.6 -- or one for whatever the latest version happens to be if it's not 1.6. Within that directory are a README file and three more subdirectories: doc, run, and src. Ignore the README for now, and read the INSTALL text in the doc subdirectory.

Next, enter the src subdirectory and type make at the command line. That will produce a page similar to the following, but longer as it will include systems other than just Linux:

To build John the Ripper, enter

    make SYSTEM

where SYSTEM can be one of the following:

linux-x86-any-elf     Linux, x86, ELF binaries
linux-x86-mmx-elf     Linux, x86 with MMX, ELF binaries
linux-x86-k6-elf      Linux, AMD K6, ELF binaries
linux-x86-any-a.out   Linux, x86, a.out binaries
linux-alpha           Linux, Alpha
linux-sparc           Linux, SPARC

Find the system that best describes your distribution and hardware, and run make SYSTEM where SYSTEM is one of those listed in the left-hand column from the output above. On my system, I ran make linux-x86-any-elf. If you don't find a system you feel is right for your platform, try make generic and it might just work.

When make has finished, the run subdirectory will contain all the files John the Ripper needs to run. All except the password -- and shadow files if needed -- which you want to test. Now is the time to spend a minute or two perusing the README in the main John the Ripper subdirectory and the OPTIONS file in the doc subdirectory, particularly the section entitled "Additional Utilities," as we'll need to use at least one of them shortly.

Most modern Linux distributions use a technique called shadowing to protect system passwords. Shadowing removes the encrypted form of passwords from the password file -- /etc/passwd -- because that file can be read by anyone and the passwords are thus vulnerable to attack using programs similar to John the Ripper. The shadowed passwords are kept in /etc/shadow, which only root can read.

Assuming that your password file is shadowed, and that you have root permissions on your system, enter these two commands from within the run directory:

cp /etc/passwd .
cp /etc/shadow .

Next we need to "unshadow" the password file. This is accomplished by entering -- still as root and still in the run directory -- ./unshadow passwd shadow > unshadowed. That creates a version of the password file named "unshadowed" which contains the encrypted passwords.
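To make clear what the unshadow step actually does, here is an added example (not the article's commands and not John the Ripper's own unshadow utility) that performs the same join in plain POSIX shell: it takes each /etc/passwd line, replaces the "x" password field with the hash for that user from /etc/shadow, and writes the result to an output file created with mode 0600 so the merged hashes are no more readable than the shadow file they came from. The passwd and shadow lines are constructed sample data with placeholder hashes, not real accounts; the function names are this example's own.

```shell
#!/bin/sh
# Added example: a minimal "unshadow" that joins passwd and shadow on the
# username, writing the output with restrictive permissions.
set -e

# Create constructed sample passwd/shadow files in a temporary directory
# (hash values are placeholders, not real password hashes).
make_samples() {
  dir=$(mktemp -d)
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'warthawg:x:1000:1000::/home/warthawg:/bin/bash' > "$dir/passwd"
  printf '%s\n' \
    'root:$2a$05$EXAMPLEHASHROOT:12345:0:99999:7:::' \
    'warthawg:$2a$05$EXAMPLEHASHUSER:12345:0:99999:7:::' > "$dir/shadow"
  echo "$dir"
}

# unshadow_safe PASSWD SHADOW OUT
# Field 2 of each passwd record is replaced by field 2 (the hash) of the
# shadow record with the same username; users missing from shadow are
# passed through unchanged. OUT is created with mode 0600 before any
# hash is written to it.
unshadow_safe() {
  passwd=$1; shadow=$2; out=$3
  (umask 077; : > "$out")   # create (or truncate) OUT as rw for owner only
  awk -F: 'NR == FNR { hash[$1] = $2; next }
           { if ($1 in hash) $2 = hash[$1]; print }' OFS=: "$shadow" "$passwd" > "$out"
}

# Stand-alone demonstration on the constructed sample files.
dir=$(make_samples)
unshadow_safe "$dir/passwd" "$dir/shadow" "$dir/unshadowed"
ls -l "$dir/unshadowed"
cat "$dir/unshadowed"
```

The same caution applies to every file produced along the way: the copies of passwd and shadow in the run directory, the unshadowed file, and john.pot all contain material that should be readable by root alone, so create them under a restrictive umask and delete them when the audit is finished.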

Now it's time to fire John the Ripper up and see what happens. Here's what happened in my case.

./john unshadowed
linux:/home/warthawg/downloads/john-1.6/run # ./john unshadowed
Loaded 2 passwords with 2 different salts (OpenBSD Blowfish [32/32])
pluto            (warthawg)
popeye           (root)
guesses: 2  time: 0:00:07:40 100% (2)  c/s: 8.58  trying: popeye

I have to come clean about something. Originally, it only took seven seconds, not seven minutes. But after changing to different cartoon characters, it took a little longer. In either case, it's an embarrassment and an indictment of my password security.

Just a little work helped a lot. Still working with cartoon character names, I chose one I thought might be a little less familiar, changed the spelling slightly, and randomly inserted a couple of digits. I didn't go totally random because I didn't want to make it too difficult for me to memorize. The difference was dramatic. John the Ripper ran for over six hours before throwing up its hands and giving up.

Important Note: John the Ripper creates a file called john.pot in the directory where it was run. This file contains the passwords it has cracked, and anyone with the right permissions can read it. Treat john.pot with the same respect you would your passwords.

Keep in mind that John the Ripper can be made to be both faster and smarter with the use of word lists. Instead of simply going for a brute force solution, it works its way down lists of dictionary words, proper names, technical terms, foreign languages, and so on. All my tests were run with John the Ripper as dumb as it gets.
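The flip side of the wordlist point is that a password derived from a wordlist entry by a simple change (capitalising it, appending digits, swapping letters for look-alike digits) is only slightly stronger than the bare word, because wordlist rules generate exactly those variants. The added example below (not the article's code and not part of John the Ripper) is the kind of check a password-change policy can run before accepting a new password: it normalises the candidate a few ways and rejects it if any variant appears in a wordlist. The wordlist here is a constructed three-entry file; the function name and the set of substitutions are this example's own assumptions.

```shell
#!/bin/sh
# Added example: reject a candidate password that is a trivial variant of a
# wordlist entry. Returns 0 (weak) if any normalised form of CANDIDATE is
# found as a whole line in WORDLIST, 1 otherwise.
set -e

# Build a small constructed wordlist file and print its path.
make_wordlist() {
  wl=$(mktemp)
  printf '%s\n' pluto popeye goofy > "$wl"
  echo "$wl"
}

# weak_by_wordlist CANDIDATE WORDLIST
weak_by_wordlist() {
  cand=$1; wordlist=$2
  lower=$(printf '%s' "$cand" | tr 'A-Z' 'a-z')          # case folding
  nodigits=$(printf '%s' "$lower" | sed 's/[0-9]*$//')   # strip trailing digits
  unleet=$(printf '%s' "$lower" | sed 'y/013@$/oleas/')  # undo common substitutions
  for v in "$lower" "$nodigits" "$unleet"; do
    # -x: whole-line match, -F: fixed string, -q: quiet
    if [ -n "$v" ] && grep -qxF -- "$v" "$wordlist"; then
      return 0
    fi
  done
  return 1
}

# Stand-alone demonstration on the constructed wordlist.
wl=$(make_wordlist)
for p in Popeye1 g00fy Plu7o42; do
  if weak_by_wordlist "$p" "$wl"; then
    echo "$p: rejected (wordlist variant)"
  else
    echo "$p: not a simple wordlist variant"
  fi
done
```

This is deliberately a small set of rules; a real cracking run applies many more, so a candidate passing this check is not thereby strong. It does catch the two easiest mistakes the article's first passwords made: an unmodified name, and a name with a single obvious tweak.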

How about your passwords? Are they secure? It might not be a bad idea for you to let John the Ripper loose on them to find out just how secure -- or insecure -- they really are.
