LabEx
Log InJoin Free

Crack Simple Passwords with Wordlist Mode

Kali LinuxBeginner
Practice Now

Introduction

In this lab, you will explore a fundamental technique in cybersecurity: password cracking. You will use John the Ripper (JtR), a popular and powerful open-source password security auditing tool. Specifically, you will learn how to perform a "wordlist" attack, which involves using a predefined list of potential passwords to guess the correct one against a stored password hash.

This hands-on exercise will guide you through creating a sample password hash, obtaining a wordlist, running John the Ripper to crack the password, and finally, viewing and saving the results. Understanding this process is crucial for both system administrators who want to test the strength of their users' passwords and for aspiring security professionals.

By the end of this lab, you will be able to:

  • Create a file containing password hashes.
  • Use a wordlist with John the Ripper.
  • Crack a simple password and view the result.

Create a Sample Password Hash File

In this step, you will create a sample user and extract their password hash into a file. Password cracking tools don't work on plain text passwords; they work on their hashed representations, which are typically stored in system files like /etc/shadow on Linux.

First, let's create a new user named testuser with a simple password, password123. We will use openssl to generate the hash for the password and useradd to create the user.

Execute the following command in your terminal:

sudo useradd -m -p $(openssl passwd -1 password123) testuser

Next, we need to extract the line containing the password hash for testuser from the /etc/shadow file. We'll use the grep command to find the line and redirect the output into a new file named hashes.txt inside your current directory (~/project).

sudo grep testuser /etc/shadow > ~/project/hashes.txt

Now, let's view the contents of the hashes.txt file to confirm it contains the user's hash.

cat hashes.txt

You should see an output similar to this. The long string of characters between the first and second colons is the hashed password.

testuser:$1$jE/Ipl8J$z4JgUjZfH.yN.CgCjWn.H.:19782:0:99999:7:::

You have now successfully created a target file for our password cracking exercise.

Download a Common Wordlist

In this step, you will create a wordlist. A wordlist is simply a text file where each line contains a potential password. John the Ripper will read this file and try each password against the target hash. For this lab, instead of downloading a large, pre-existing wordlist, we will create our own small, custom one. This allows us to control the contents and ensure the correct password is included for a successful crack.

Let's create a file named wordlist.txt and add a few common passwords to it, including the one we set for testuser.

First, create the file and add password123 to it:

echo "password123" > ~/project/wordlist.txt

Now, let's append a few more common passwords to the same file. We use >> for appending, which adds to the file without overwriting it.

echo "123456" >> ~/project/wordlist.txt
echo "qwerty" >> ~/project/wordlist.txt
echo "admin" >> ~/project/wordlist.txt

Let's verify the contents of our new wordlist.

cat wordlist.txt

Your terminal should display the following content:

password123
123456
qwerty
admin

You now have a wordlist ready to be used with John the Ripper.

Run John the Ripper in Wordlist Mode

In this step, you will use John the Ripper to crack the password hash using the wordlist you created. The syntax for running JtR in wordlist mode is straightforward. You need to specify the wordlist file and the file containing the hashes.

The command format is john --wordlist=<path_to_wordlist> <path_to_hash_file>.

Now, run the command in your terminal, pointing JtR to your wordlist.txt and hashes.txt files.

john --wordlist=wordlist.txt hashes.txt

John the Ripper will start processing. It will load the hash and then try each password from your wordlist. Since our password is in the list, the process will be very fast. You will see output similar to the following:

Using default input encoding: UTF-8
Loaded 1 password hash (MD5-based crypt [MD5_body])
Cost 1 (algorithm [1:MD5 2:SHA256 3:SHA512] of 3) is 1 (MD5)
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (testuser)
1g 0:00:00:00 DONE (2023-10-27 10:30) 100.0g/s 100.0p/s 100.0c/s 100.0C/s admin..password123
Session completed

The line password123 (testuser) indicates that JtR has successfully cracked the password. It also stores this result in a file called a "pot file" (plain old text), typically located at ~/.john/john.pot, so it doesn't have to re-crack known passwords.

View Cracked Passwords

In this step, you will learn how to view the passwords that John the Ripper has already cracked. Once a password has been cracked, JtR saves it to its pot file. If you try to run the same cracking command again, JtR will report "No password hashes left to crack" because it has already solved it.

To display the cracked passwords for a given hash file, you use the --show option.

Run the following command to see the cracked password for hashes.txt:

john --show hashes.txt

The command will check the pot file and display any cracked passwords associated with the hashes in hashes.txt. The output will look like this:

testuser:password123:19782:0:99999:7:::
1 password hash cracked, 0 left

The output format is username:password:other_shadow_file_fields. This confirms that the password for testuser is password123. This command is very useful for quickly retrieving the results of a cracking session without having to parse the pot file manually.

Save Cracked Passwords to a File

In this step, you will save the cracked password into a separate file. This is a common practice in penetration testing and security auditing for reporting purposes. You can easily achieve this by redirecting the output of the john --show command into a file.

Let's save the results to a file named cracked.txt.

john --show hashes.txt > cracked.txt

This command executes john --show hashes.txt as before, but instead of printing the result to the terminal, the > operator redirects the output and saves it into the cracked.txt file. If the file doesn't exist, it will be created. If it exists, it will be overwritten.

To verify that the output was saved correctly, you can display the contents of the new file using the cat command.

cat cracked.txt

The terminal will display the contents of the file, which should be identical to the output you saw in the previous step:

testuser:password123:19782:0:99999:7:::

1 password hash cracked, 0 left

You have now successfully cracked a password and saved the result to a file for documentation.

Summary

Congratulations on completing this lab! You have successfully performed a basic wordlist-based password cracking attack using John the Ripper.

In this lab, you have learned how to:

  • Create a sample password hash file from the system.
  • Create a custom wordlist containing potential passwords.
  • Execute John the Ripper in wordlist mode to crack a password hash.
  • Use the --show option to view already cracked passwords.
  • Redirect command output to save your findings to a file.

This exercise demonstrates how easily simple and common passwords can be compromised. It highlights the critical importance of using strong, complex, and unique passwords to protect systems and data. The skills you've learned are a foundational part of security auditing and penetration testing.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux