Introduction
In this lab, you will explore the "single crack mode" of John the Ripper, a powerful password cracking tool. Single crack mode is particularly useful when you have a list of usernames and want to try cracking their passwords using information derived from the usernames themselves, such as permutations or common variations. You will learn how to prepare a hash file suitable for this mode, execute John the Ripper, observe its cracking process, and understand the specific scenarios where single crack mode is most effective, as well as its limitations. This hands-on experience will provide you with practical skills in password security and auditing.
Prepare a Hash File with Usernames
In this step, you will prepare a hash file that John the Ripper can use in single crack mode. Single crack mode leverages information from the username itself to generate potential passwords. For this to work effectively, your hash file should contain usernames.
First, ensure you are in your project directory.
cd ~/project
Next, let's create a simple password file named my_hashes.txt with a few entries. We will use a known MD5 hash for the password "password" (5f4dcc3b5aa765d61d8327deb882cf99) for demonstration purposes.
echo "user1:5f4dcc3b5aa765d61d8327deb882cf99" > my_hashes.txt
echo "john:5f4dcc3b5aa765d61d8327deb882cf99" >> my_hashes.txt
echo "mary:5f4dcc3b5aa765d61d8327deb882cf99" >> my_hashes.txt
echo "testuser:5f4dcc3b5aa765d61d8327deb882cf99" >> my_hashes.txt
echo "admin:5f4dcc3b5aa765d61d8327deb882cf99" >> my_hashes.txt
You can verify the content of the file using the cat command:
cat my_hashes.txt
Expected output:
user1:5f4dcc3b5aa765d61d8327deb882cf99
john:5f4dcc3b5aa765d61d8327deb882cf99
mary:5f4dcc3b5aa765d61d8327deb882cf99
testuser:5f4dcc3b5aa765d61d8327deb882cf99
admin:5f4dcc3b5aa765d61d8327deb882cf99
This file now contains usernames and their corresponding password hashes, ready for John the Ripper's single crack mode.
Run John the Ripper in Single Crack Mode
In this step, you will execute John the Ripper using the single crack mode against the hash file you prepared. John will attempt to crack the passwords by deriving potential passwords from the usernames.
To run John the Ripper in single crack mode, use the --single option followed by the path to your hash file.
john --single my_hashes.txt
John the Ripper will start processing the hashes. Since the password "password" is a common word and the usernames are simple, John might quickly crack some of them. The output will show the cracked passwords.
Example output:
Using default input encoding: UTF-8
Loaded 5 password hashes with no different salts (Raw-MD5 [MD5])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (user1)
password (john)
password (mary)
password (testuser)
password (admin)
5g 0:00:00:00 DONE (2023-10-27 08:30) 100% ...
Session completed.
After John finishes, you can view the cracked passwords that have been saved to John's pot file.
john --show my_hashes.txt
Expected output:
user1:password
john:password
mary:password
testuser:password
admin:password
5 password hashes cracked, 0 left
This command displays all passwords that John has successfully cracked from the my_hashes.txt file.
Observe Single Crack Mode Behavior
In this step, you will observe how John the Ripper's single crack mode behaves and what kind of password candidates it generates. Single crack mode is unique because it doesn't use a wordlist or brute-force attack directly. Instead, it uses the username (or GECOS field if available) as a basis for generating password guesses.
Let's clear John's pot file to ensure a fresh run for observation. This is not typically done in a real scenario but helps for demonstration.
john --session=clear --format=Raw-MD5 --pot=/home/labex/.john/john.pot
Now, run John again in single mode, but this time, let's pay closer attention to the output and how it processes each entry.
john --single my_hashes.txt
As John runs, you'll notice it tries variations of the username. For example, for john, it might try john, John, JOHN, john1, john123, johnny, j0hn, etc. The exact variations depend on John's internal rules and the john.conf configuration file.
The key takeaway is that single crack mode is highly efficient for cracking passwords that are simple variations of the username. It's a quick check before resorting to more resource-intensive methods like dictionary attacks or brute-force.
You can also inspect John's configuration file to understand the rules it uses for single mode. While we won't modify it, knowing its location is useful.
ls -l /etc/john/john.conf
Expected output:
-rw-r--r-- 1 root root 12345 Oct 27 08:00 /etc/john/john.conf
(The file size and date may vary)
This file contains the rulesets for single crack mode, among others.
Understand Single Crack Mode Limitations
In this step, you will understand the limitations of John the Ripper's single crack mode. While powerful for certain scenarios, it's not a universal solution for all password cracking needs.
Single crack mode primarily relies on permutations and variations of the username (and sometimes the GECOS field from /etc/passwd). This means:
- Limited Scope: It will only try passwords that are directly derivable from the username. If a password is "apple" and the username is "user1", single crack mode will likely fail because "apple" has no direct relation to "user1".
- No External Wordlists: Unlike dictionary attack mode, single crack mode does not use an external wordlist. This makes it fast but also limits its ability to crack passwords that are common words not related to the username.
- No Brute-Force: It does not perform a full brute-force attack, which would try every possible character combination. This means complex, random passwords are very unlikely to be cracked by this mode.
- Dependency on Usernames: Its effectiveness is directly tied to the quality and relevance of the usernames. If usernames are generic (e.g.,
user,admin), the generated password candidates might be less effective.
To demonstrate this limitation, let's add a hash for a password that is not related to the username. We'll add randomuser:e10adc3949ba59abbe56e057f20f883e where e10adc3949ba59abbe56e057f20f883e is the MD5 hash for 123456.
echo "randomuser:e10adc3949ba59abbe56e057f20f883e" >> my_hashes.txt
cat my_hashes.txt
Now, run John in single mode again:
john --single my_hashes.txt
You will observe that randomuser's password (123456) is not cracked, because 123456 is not a derivation of randomuser.
Expected output (note randomuser is not cracked):
Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (Raw-MD5 [MD5])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (user1)
password (john)
password (mary)
password (testuser)
password (admin)
5g 0:00:00:00 DONE (2023-10-27 08:35) 100% ...
Session completed.
This clearly illustrates that single crack mode is effective only when passwords are simple variations of the username.
Compare Single Crack with Other Modes
In this final step, you will briefly compare single crack mode with other common cracking modes in John the Ripper, such as wordlist mode and brute-force mode. Understanding these differences is crucial for choosing the right tool for the job.
Single Crack Mode (
--single):- Method: Generates password candidates based on the username (and GECOS field).
- Use Case: Ideal for quick checks against passwords that are simple variations of usernames. Very fast.
- Limitations: Limited scope; won't crack passwords unrelated to the username.
Wordlist Mode (
--wordlist=FILE):- Method: Tries passwords from a provided dictionary or wordlist file. Can be combined with rules (
--rules) for permutations. - Use Case: Most common and effective for cracking passwords that are common words, phrases, or combinations found in dictionaries.
- Limitations: Only as good as the wordlist; won't crack passwords not present in the list or its permutations.
- Method: Tries passwords from a provided dictionary or wordlist file. Can be combined with rules (
Incremental (Brute-Force) Mode (
--incremental):- Method: Systematically tries every possible character combination within a defined charset and length.
- Use Case: Last resort for cracking complex passwords not found by other methods. Guarantees to find the password if enough time is given.
- Limitations: Extremely time-consuming, especially for longer passwords or larger character sets. Can take days, months, or even years.
Let's demonstrate cracking the randomuser password (123456) using wordlist mode. First, create a simple wordlist containing "123456".
echo "123456" > my_wordlist.txt
Now, run John in wordlist mode:
john --wordlist=my_wordlist.txt my_hashes.txt
Expected output:
Using default input encoding: UTF-8
Loaded 6 password hashes with no different salts (Raw-MD5 [MD5])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456 (randomuser)
1g 0:00:00:00 DONE (2023-10-27 08:40) 100% ...
Session completed.
As you can see, randomuser's password was cracked using the wordlist. This highlights that different cracking modes are suited for different types of passwords. Single crack mode is a good first step, but often needs to be followed by wordlist or incremental modes for more comprehensive cracking.
Finally, clean up the created files:
rm my_hashes.txt my_wordlist.txt
Summary
In this lab, you successfully learned how to use John the Ripper's single crack mode. You prepared a hash file with usernames, executed John in single crack mode, and observed its behavior in cracking passwords derived from usernames. You also gained an understanding of the limitations of single crack mode, realizing that it's most effective for specific password patterns and not a catch-all solution. Finally, you compared single crack mode with other common John the Ripper modes like wordlist and incremental, highlighting when each mode is most appropriate. This practical experience enhances your understanding of password security auditing techniques.
